Skip to content

/ qubes-vmm-xen

Permalink
Browse files

Fix source verification 

'verify-sources' target was broken - even when gpgv exited with failure,
besides printing error message, it continued and didn't interrupted the
buld (because "exit 1" inside subshell created by '(' interrupt only
that subshell).

Fix that by carefully verifying all the files just after downloading
them and remove if verification have failed. The side effect of this
change is not needed 'verify-sources' target at all - whenever sources
are downloaded, are verified, no way to forget about that.

Thanks obotobo@openmailbox.org for the report and the idea how to fix
this!
  • Loading branch information
@marmarek
marmarek committed May 18, 2016
Verified
This commit was signed with a verified signature.
marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
1 parent e323546 commit b48118b8ca59f1bd4208560adf044d35c10fa50b
Unified Split
Showing with 11 additions and 8 deletions.
  1. +11 −8 Makefile
19 Makefile
View file
@@ -93,21 +93,24 @@ endif
get-sources: $(ALL_FILES)
git submodule update --init --recursive

$(ALL_FILES):
@wget -qN $(ALL_URLS)

import-keys:
@if [ -n "$$GNUPGHOME" ]; then rm -f "$$GNUPGHOME/vmm-xen-trustedkeys.gpg"; fi
@gpg --no-auto-check-trustdb --no-default-keyring --keyring vmm-xen-trustedkeys.gpg -q --import *-key.asc

verify-sources: import-keys verify-sources-sig verify-sources-sum
verify-sources:
@true

$(SIGN_FILE) $(GRUB_FILE)$(GRUB_SIGN_SUFF) $(LWIP_FILE)$(LWIP_SIGN_SUFF) $(GMP_FILE)$(GMP_SIGN_SUFF): %:
@wget -qN $(filter %$@,$(ALL_URLS))

verify-sources-sig: $(SRC_FILE) $(GRUB_FILE) $(LWIP_FILE) $(GMP_FILE)
@for f in $^; do gpgv --keyring vmm-xen-trustedkeys.gpg $$f.sig $$f 2>/dev/null || (echo "Wrong signature on $$f!"; exit 1); done
$(SRC_FILE) $(GRUB_FILE) $(LWIP_FILE) $(GMP_FILE): %: %.sig import-keys
@wget -qN $(filter %$@,$(ALL_URLS))
@gpgv --keyring vmm-xen-trustedkeys.gpg $< $@ 2>/dev/null || { rm -f $@; echo "Wrong signature on $*!"; exit 1; }

verify-sources-sum: $(NEWLIB_FILE) $(ZLIB_FILE) $(OCAML_FILE) $(GC_FILE) $(VTPM_FILE) $(TBOOT_FILE) $(PCIUTILS_FILE) $(POLARSSL_FILE)
@for f in $^; do sha1sum --quiet -c $$f.sha1sum || exit 1; done

$(NEWLIB_FILE) $(ZLIB_FILE) $(OCAML_FILE) $(GC_FILE) $(VTPM_FILE) $(TBOOT_FILE) $(PCIUTILS_FILE) $(POLARSSL_FILE): %: %.sha1sum
@wget -qN $(filter %$@,$(ALL_URLS))
@sha1sum --quiet -c $< || { rm -f $@; exit 1; }

.PHONY: clean-sources
clean-sources:

0 comments on commit b48118b

Please sign in to comment.