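#!/usr/bin/perl
# Terribly ugly hack of a script to verify the signatures on the release
# tarballs and produce the list of who signed them in the format we use for
# the announcements.
#
# To use just run it in the directory with the signatures and tarballs and
# pass the version of subversion you want to check. It assumes gpg is on
# you path, if it isn't you should fix that. :D
#
# Script will die if any gpg process returns an error.
#
# NOTE: a zero exit status from "gpg --verify" means the signature is
# cryptographically valid for the key it names, not that the key itself is
# trusted or belongs to a release manager; that judgement is left to whoever
# reads the resulting list.
use strict;
use warnings;

# Run gpg with a fixed argument list and return everything it wrote to
# stdout.  gpg is exec'd directly via list-form open, so $version (taken
# from the command line) and the key IDs scraped from gpg's own output are
# never interpreted by a shell.  If gpg exits non-zero, or could not be
# started at all, its output is echoed and the script dies with
# $error_message.
sub _run_gpg {
    my ($error_message, @gpg_args) = @_;
    open my $gpg_fh, '-|', 'gpg', @gpg_args
        or die "Unable to run gpg: $!";
    my $output = do { local $/; <$gpg_fh> };
    $output = '' unless defined $output;
    # close() on a pipe handle waits for the child and leaves its status in
    # $?.  Test all of $? (not just $? >> 8) so that a gpg killed by a
    # signal is treated as a failure too.
    close $gpg_fh;
    if ($?) {
        print $output;
        die $error_message;
    }
    return $output;
}

my $version = $ARGV[0];
die "Usage: $0 VERSION\n" unless defined($version) && length($version);

my @extensions = qw(tar.bz2 tar.gz zip);
my %good_sigs;
foreach my $extension (@extensions) {
    my $filename = "subversion-$version.$extension.asc";
    # --logger-fd 1 routes gpg's log messages (including the "Signature
    # made ..." line parsed below) to stdout so they are captured.
    my $gpg_output = _run_gpg("BAD SIGNATURE in $filename",
                              '--logger-fd', '1', '--verify', $filename);
    foreach my $line (split /\n/, $gpg_output) {
        # Extract the keyid from the GPG output.
        my ($keyid) = $line =~ /^gpg: Signature made .*? using \w+ key ID (\w+)/;
        # Put the resulting key in a hash to remove duplicates.
        $good_sigs{$keyid}++ if defined $keyid;
    }
}

# Sorted so the announcement text comes out in a stable order between runs.
foreach my $keyid (sort keys %good_sigs) {
    my $gpg_output = _run_gpg("UNABLE TO GET FINGERPRINT FOR $keyid",
                              '--fingerprint', $keyid);
    # Scrapes gpg's human-readable listing: a "pub   <algo>/<keyid>" line,
    # then "Key fingerprint = " followed by ten groups of four hex digits,
    # then the uid line whose name runs up to the first '<' or '('.  The
    # inner capture (one fingerprint group) is discarded.
    # TODO: this layout is specific to gpg's legacy output; gpg's
    # machine-readable --with-colons listing would be less brittle.
    my ($long_keyid, $fingerprint, undef, $name) = $gpg_output =~ /^pub\s+(\w+\/\w+)[^\n]*\n\s+Key\sfingerprint\s=((\s+[0-9A-F]{4}){10})\nuid\s+([^<\(]+)\s/;
    unless (defined($long_keyid) && defined($name) && defined($fingerprint)) {
        # Hmm some value didn't get filled in, error out.
        die "Empty value, possible error in gpg output parsing.";
    }
    print <<"EOL";
$name [$long_keyid] with fingerprint:
$fingerprint
EOL
}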