diff --git a/pkgs/applications/misc/1password/default.nix b/pkgs/applications/misc/1password/default.nix
index d5818614b9e08..90bd59037f28b 100644
--- a/pkgs/applications/misc/1password/default.nix
+++ b/pkgs/applications/misc/1password/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchzip }:
+{ stdenv, fetchzip, fetchpgpkey, verifySignatureHook }:
 
 stdenv.mkDerivation rec {
   name = "1password-${version}";
@@ -24,6 +24,19 @@ stdenv.mkDerivation rec {
   } else throw "Architecture not supported";
 
+  nativeBuildInputs = [ verifySignatureHook ];
+
+  publicKey = fetchpgpkey {
+    url = https://keybase.io/1password/pgp_keys.asc;
+    fingerprint = "3FEF9748469ADBE15DA7CA80AC2D62742012EA22";
+    sha256 = "1v9gic59a3qim3fcffq77jrswycww4m1rd885lk5xgwr0qnqr019";
+  };
+
+  doCheck = true;
+  checkPhase = ''
+    verifySignature op.sig op
+  '';
+
   installPhase = ''
     install -D op $out/bin/op
   '';
 
diff --git a/pkgs/build-support/fetchpgpkey/default.nix b/pkgs/build-support/fetchpgpkey/default.nix
new file mode 100644
index 0000000000000..44c53bda07027
--- /dev/null
+++ b/pkgs/build-support/fetchpgpkey/default.nix
@@ -0,0 +1,29 @@
+# This function downloads a PGP public key and verifies its fingerprint
+# Because it is based on fetchurl, it will still require a sha256
+# in addition to the fingerprint
+
+{ lib, fetchurl, gnupg }:
+
+{
+  fingerprint
+, ... } @ args:
+
+lib.overrideDerivation (fetchurl ({
+
+  name = "pubkey-${fingerprint}";
+
+  postFetch =
+    ''
+      # extract fingerprint
+      fpr=$(cat "$downloadedFile" | gpg --homedir . --import --import-options show-only --with-colons 2>/dev/null | grep '^fpr' | cut -d: -f 10)
+      # verify
+      if [ "$fpr" == "${fingerprint}" ]; then
+        echo "key fingerprint $fpr verified"
+      else
+        echo "key fingerprint mismatch: got $fpr, expected ${fingerprint}"
+        exit 1
+      fi
+    '';
+
+} // removeAttrs args [ "fingerprint" ] ))
+(x: {nativeBuildInputs = x.nativeBuildInputs++ [gnupg];})
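Review bot: The signature check added in `checkPhase` runs only while `doCheck` is true, so an `overrideAttrs (_: { doCheck = false; })` — and cross builds, where stdenv commonly disables `doCheck` — skip the verification of `op` silently and the build still succeeds; an integrity gate should not share its switch with optional tests. Running it in a phase that is never turned off keeps the guarantee, e.g. `postUnpack = "verifySignature op.sig op";` in place of the `doCheck`/`checkPhase` pair (`postUnpack` runs after stdenv has changed into `sourceRoot`, so the relative paths still resolve — worth confirming with the hook's `preUnpack` import ordering). Since `src` is a fixed-output fetchzip, its sha256 already pins the archive; the signature is an additional authorship check, which a one-line comment should say so it is not later dropped as redundant. The enclosing `mkDerivation` continues outside the hunk.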
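Review bot: The `fpr=$(...)` line in `postFetch` collects every `fpr` record from the colon-separated listing, and gpg 2.1+ emits one such record per subkey in addition to the primary key, so for a key with subkeys `$fpr` becomes a multi-line string and the `==` comparison fails even when the primary fingerprint is the expected one. If the primary key is what `fingerprint` is meant to identify, taking the first record (the one that follows the `pub` record) isolates it: `fpr=$(gpg --homedir . --import --import-options show-only --with-colons < "$downloadedFile" 2>/dev/null | grep -m1 '^fpr' | cut -d: -f 10)`. If you make that change, also reject a file carrying more than one `pub` record before the comparison, since otherwise a second key bundled after the expected one would pass the check and later be imported by the hook. The comparison is case-sensitive against gpg's uppercase hex, so a lowercase `fingerprint` argument always mismatches; either say so in the header comment or normalise with `tr a-f A-F` before comparing.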
diff --git a/pkgs/build-support/setup-hooks/verify-signature.sh b/pkgs/build-support/setup-hooks/verify-signature.sh
new file mode 100644
index 0000000000000..3d0f7b37c91e9
--- /dev/null
+++ b/pkgs/build-support/setup-hooks/verify-signature.sh
@@ -0,0 +1,27 @@
+# Helper functions for verifying php signatures
+
+# importPublicKey
+# Add PGP public key contained in ${publicKey} to the keyring.
+# All imported keys will be trusted by verifySig
+_importPublicKey() {
+    if [ -z "${publicKey}" ]; then
+        echo "error: publicKey must be defined when using verifySignatureHook" >&2
+        exit 1
+    fi
+    gpg -q --import "${publicKey}"
+}
+
+
+# verifySignature SIGFILE DATAFILE
+# verify the signature SIGFILE for the file DATAFILE
+# if DATAFILE is omitted, it is derived from SIGFILE by dropping the .asc or .sig suffix
+verifySignature() {
+    gpgv --keyring pubring.kbx "$1" "$2" || exit 1
+}
+
+# create temporary gpg homedir
+export GNUPGHOME=$(readlink -f .gnupgtmp)
+rm -rf $GNUPGHOME # make sure it's a fresh empty dir
+mkdir -p -m 700 $GNUPGHOME
+
+preUnpackHooks+=(_importPublicKey)
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 4ddb9f72cc99c..56bc0d9065238 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -102,6 +102,10 @@ with pkgs;
     { substitutions = { gnu_config = gnu-config;}; }
     ../build-support/setup-hooks/update-autotools-gnu-config-scripts.sh;
 
+  verifySignatureHook = makeSetupHook
+    { name = "verify-signature-hook"; deps = [ gnupg ]; }
+    ../build-support/setup-hooks/verify-signature.sh;
+
   gogUnpackHook = makeSetupHook
     { name = "gog-unpack-hook"; deps = [ innoextract file-rename ]; }
@@ -188,6 +192,8 @@ with pkgs;
   fetchpatch = callPackage ../build-support/fetchpatch { };
 
+  fetchpgpkey = callPackage ../build-support/fetchpgpkey { };
+
   fetchs3 = callPackage ../build-support/fetchs3 { };
 
   fetchsvn = callPackage ../build-support/fetchsvn {
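Review bot: `verifySignature` documents DATAFILE as optional, derived from SIGFILE by dropping the `.asc`/`.sig` suffix, but its body passes `"$2"` straight to gpgv, so a one-argument call hands gpgv an empty file name and fails instead of verifying the derived file; either implement the fallback as below or delete that sentence from the comment. The header comment reads "php signatures" where "PGP signatures" is meant, and the `_importPublicKey` comment refers to `verifySig`, which does not exist in the file, where `verifySignature` is meant. `--keyring pubring.kbx` relies on the keybox file that GnuPG 2.1+ creates in a fresh home directory, so a comment such as `# requires GnuPG >= 2.1 (keybox format); gpgv must be able to read pubring.kbx` would make the version dependency of the `gnupg` hook explicit. `$GNUPGHOME` is unquoted in the `rm -rf` and `mkdir` lines while every other expansion in the file is quoted; quote it for consistency.
```shell
# verifySignature SIGFILE [DATAFILE]
# Verify the signature SIGFILE for the file DATAFILE.
# If DATAFILE is omitted, it is derived from SIGFILE by dropping the .asc or .sig suffix.
verifySignature() {
    local sig="$1"
    local data="${2:-}"
    if [ -z "$data" ]; then
        data="${sig%.asc}"
        data="${data%.sig}"
    fi
    gpgv --keyring pubring.kbx "$sig" "$data" || exit 1
}
# … unchanged: GNUPGHOME setup and preUnpackHooks registration …
```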