From 5d0c2e388edf77baf692ceea311ffd5d04c6c657 Mon Sep 17 00:00:00 2001
From: Uli Baum
Date: Mon, 25 Jun 2018 19:48:48 +0200
Subject: [PATCH 1/5] 1password: check binary code signature during build
---
.../misc/1password/AC2D62742012EA22.asc | 80 +++++++++++++++++++
pkgs/applications/misc/1password/default.nix | 15 +++-
2 files changed, 94 insertions(+), 1 deletion(-)
create mode 100644 pkgs/applications/misc/1password/AC2D62742012EA22.asc
diff --git a/pkgs/applications/misc/1password/AC2D62742012EA22.asc b/pkgs/applications/misc/1password/AC2D62742012EA22.asc
new file mode 100644
index 0000000000000..1ec5cf10964ed
--- /dev/null
+++ b/pkgs/applications/misc/1password/AC2D62742012EA22.asc
@@ -0,0 +1,80 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: GPGTools - https://gpgtools.org + +mQINBFkeAh4BEACy6fUHiFi/YvXZ2E5Gs7qFL8TSKQGLt0g8w/NtBotMNveW2Nzg +aXcmJ2E0aXY7nBRtpIgRRrb7XuskDZwGmVx4PQshaZuIozS0T1kdMitobi4k3g2M +551yf1bPWl1neVJ5MmbpknnaIG6VjMHxcRKE0xXDYhpBtt7QQQw1HT8vOjUOXBUf +VIj2o7I/+cRGNgDdkbuGRccC8hSGyiWXy4FY8xPvxMSCXoL5w531ewaGl/M+mAOC +3c6T7S05CcNN50Z6wulCiDZGvuJ2547E5iU9KClAEchJH9yQ2PkLHy3OQi0lBt+4 +PmGeBOIxvFVXGbtGGtx6oFZxVaYDzF+BHHHRRdUs75pWzRm5y/3j0j+O4UKLWvMx +3SN7gRRu6gP5nvOw6wdyYerci2NHx1JJKlM6d6zxEj+cJ4GoBeJQhJi3UVpDy0Hh +TX3iid9Zz1ansQrSujXU2t82695WTGau5sarheDya4niKfVOh4IDMBbA17fnqJbS +ttYiL5i4+eqXbkAItdq+skhqqUElrROC0RKiXhX00nHu+ASHYupr/1Ac9/jdk0wG +TNb1ue76aBGJHZA0U67onp/MkVEOCv04nHRZbHArM0w52v40VIaUax5ZYfLSOIkq +IkPHoywmhR7W6QVlBbjP6zWVrTAWEnPx2VDQVk1CX29n/kM/J1kE60poZQARAQAB +tDNDb2RlIHNpZ25pbmcgZm9yIDFQYXNzd29yZCA8Y29kZXNpZ25AMXBhc3N3b3Jk +LmNvbT6JAlQEEwEIAD4WIQQ/75dIRprb4V2nyoCsLWJ0IBLqIgUCWR4CHgIbAwUJ +DwmcAAULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRCsLWJ0IBLqIvg7D/9kizku +ExCTdQsMqeWUgh59pSPoJn2xNQ6q1hOEgdSSyGAd4hXXmSsCiOF4G9hu9+rnAIxN +oObpIUW78iOob7x8FYjjtZlPAaygnWNPYk5q35hD32f9KvlD7/WY/HoiMEC0qu9b +2tf6dq3YS60OVsjLaM/BMugLmepXw5K5biNsPlVNPMa7EznBbP12Qs9+5qJv58CN +ixM+XqNIEQuGGfks3Rp26bmmsWDjBOz7H72qtPa5zqyTDkJQ3g54SbXZwU3o/LD4 +uikdOKKQF6sIjiv+25j5NTHCJpKglJY7TgfVGTBfobgqU/1SdRR2IVLALrye5y12 +gHDqXq0CrhTGIrSSaFvoHcVdfn2U0NZUlThYS8jIzpAofn6DDXG+7g0twq9n8RQL +/0WyEB0FdW/gkZirks0wJe5nWOrghvWuS7Mm31rTOkcpeljLEr+wfjf1GyiFNSx6 +kJDqJw3U3/oBYbOMKZn68P5ZxdxeSBchkZm1x+kfoBUM/npCU810TLztbV6wRPSj +8DGhAu04YyLJJ1a2W2JVEYiYK0jKA/lhrw3Z1Nz9ikGJGgcQwaSqN4L9pzPUrx1m +xNpn+QIHsjbwScavj3seMJwpxfabRy9zhteP9e6TMJnEZhdq4GTm0lL68kpC6z6e +h/Z0KAZvf1jK/4A5wM4VnUTXMU+SGtU9VH5lzIkCMwQQAQgAHRYhBPAnWT97ensh +T+2Lyy37ftAFej6jBQJZH38iAAoJEC37ftAFej6jNj8QAM5NpjCS0FYP3eLUoGYE +CUHKAkCPim37Wuz0E1L8zwg02XQbzwQ/99hpCbsgqm8s/cCIprfJ0ioGnMa25IJN +0keLLgocJQHeq+7Dw+tGrqVFU3Dnpyg2F7FBSTL5fvGYtPJe8Om7FFS9bm6nDytk 
+vQ7fnyZxC3l+WyxlcQeYahgW4YIMZ4qOBY+ZE4m+Y2SXTAm3qKIbJJ/oixSVXCJS +g964G7A7PN7RMqfKsbwL2ec4CsnOfYl6xe38muPXChvwZtoW1VtNZiBYkKfEOg4U +57cJqclNp8GQRXcSfHY3G9hRIaJic6KFrjBlgwVHpRpSxhj1ydp/RghbjUBzuY22 +hgpHeVdw2wFDVef9st+3XHu6JiEHrGpWjc7VTpCiiYaHAPIFWMu8B9gnQrxc9ZXw +0OzS4vu82mAiyitvw+dY3V4U5uo0q56iyswmDs2S2Kn8/510n2vdCqEtaKMV5cV+ +cnF1aU1PdRct/ZMfqOC+VcfTiS/Svx5/BCie0nIATJGcYtuX9fFd4Z0V3T0N6aM7 +QENgOny7X/zJgp5dWbgkv3Qyz83rz32cfcv9gSf8yUjV3/NsxrzCeKxFWFn+oPh3 ++PTforlP1OsyZORh9IgtoQ5Jqk6YYnSsYkJfseZVQigVpaD2nWwSmmQHMnHmwDvP +CXKaBqnE2TXnoqXw4o8nSRvYiEwEExECAAwFAlkfc30FgweGH4AACgkQbFEGZwmQ +vW7oCQCff4GoP5fcYTq/i4QMwYJmSFLs3GcAoMs+tMkCVeVA/up7QOzgB0/rNypY +iQEcBBABCAAGBQJZH3WeAAoJEL1Y5xxC89TUrRoH/iGhamPA0Z/ldEtBhSYGj/30 +7UvFywP2tlXTeJqma1XwEBzXvx6j9Xn8pLIlvFh3/ouLmP36bY+Ftj8Im3EWGnmV +m5joe5S2hDLQI7FDbWGUwJePDNaMxC/SsvVzkXJzjAvajVAReB3Pu93SfsraNV/n +NMGO4ALW+1Z1p/tzgwW7G4YpiXmRZ1EcL688MQKB/B8IrKajadMk5avGsoPc53MF +EDOboZ3lA7F9WnuS6OSX3zBqyiPYxWskAiVf2TVKlBU54ptBq8ruhKAQqn54VJ9A +3jX31XAcEv1YBw44bPvZzMPxc51ufODSWN80Y5Tui5hpxQVKjCfhjtBaYrwtTnuJ +ASIEEwEIAAwFAlkfctMFgweGH4AACgkQEVQrwN6HnyPERAf/eiihrkuD/5iu3dlI +mwCGRC6hs6Fj7W7Vtfq4zy5KHimfipO8YhZESkDrCz7uQWqzbn3+1fvEFPOGqRUt +g1ju3UZXuvHXTJ/X0wz7ZwxCNUVK3o5IFJcwPr12yy70NQJ8fl0poOrX83zfN9m/ +ltbi5r3vrngO7ERjnDs3HMmoJrsn7q+1eStpBpMJ4OpiqSBUKMVnn6SZsz474Mhe +n7wpyxwAYE/rVAymzdvFaGFzALMcdk14xoqMbcQAPA3W/O9pRofT8GRkBY18jgY/ +1ufIhCPKSZrbUcOUwGf+H3XgI2o2zi1Sgl0P0zhLdZeQf2QM0o/eP8Y6KflEgHCQ +U3G5sYkCIgQTAQoADAUCWST/ywWDB4YfgAAKCRBNoYBTjrg3cHntD/9T43JhILlh +Yt26t6Rwt97fWGMyX7iCsnf7RC9ZmQmqFYI6Aq7BPMp2CQ62zE6XJfgg7owyzB8S +PF2psjki0GJJSEca+hFzS72AkejtZzIaeuV8aMIL7c2p8su58TbCC8ftgOSEeyoO +BcNF4Lla1KO/DLgnfvNGzic/WPBasgB1VilVU7We3IRKcS/12BlTfz2+nPWd6hqZ +iKqbOzSxr2X+L7mK3ubU1CE75PRsSy42GRNVs3TD5XftpjISzrhef9NWuo3edOki +Ir/N8G/Dn3G+Qohx5vxGDYBnFmXQ/HCQgWJ76rTF+AMCOsjB4AhKo81UbzoIEf7M +jRsQoV57YGdbr1vR/aoQ+FwVWLmuTf33XqEzg3wGM1w+Id/goVX4JvPUBnif1qv7 +b9ccv9OIDjPxK9qYl9jgWIrUbqKcRJSGnVL+S8wiOVQswFrdsubCtHL50BuOCT25 
+mxI9PPrcOdVoDp1R59N1w8hwLsqv+Z337blfVAzqNXG4peaHAWcTrRGvWX6vstbg +RDXqdV6uwR7Z2ywFLpETgiRZ92uEBVS6rjYVyV3YGT1LNH/NP6Dn8ZZhS5px48l/ +5whlw011M+V5HqCzyDdSH0vf0qDQD8Rd/ttljlhMMlqCgcd7lmEzT189jBDczQPw +nqxkqW1iYJWRFPkx+smsXTzgLxA3wZkqqYkCIgQTAQgADAUCWSbr+QWDB4YfgAAK +CRAzN10Mq6ZWYOj+EACCvARxEGCIzrzpeaI8cG8TNScC0nFYv7OLfkhl05alZETt +9xNHSvTNyecWkm4tU37MWGFy6hGeR83XB/X/dC4/EGvLOn0Ia7MGHboGv2eNZmTO +3YbFTJ3UJ2vJovwE/x+ljTItajw1BeflJZ3FCmuu7iDWsBU9uKMdYi2CBSA2QZ3Q +bZTTe4j/VvQpPwDusUd8VYSF+tZBgyaWhrnwhlvm8Ni5/z6CXGbpOgg/CvdkJstf +qrD34L0AvM7BjkIzOWwPNCCJ7NGTdTonCen7/NrZj63NXVyqvevXUidnpm9ejgex +6SHVtMOq1NCQ4n5430rM2AISHxdVj8lNcEjugZWYLecWr3FLr0u8i0CkcOwT3OJj +0ypVx8lxYtID0uLUZ4QmSb2yJyDcdzndNQNQIOo+esR5vx69osZv7Cm36nnAh4vk +cIAfhJqmuZ2oUB7kPdNrSkR/jI+UfvJJQrX2Wxgvv+w+8oUBxsX9h7MHtAZ/GpMY +HXnJdF/CB3CtAlsV8hs4cK2E+dHDs5YQ5IAESZSzE8toIXkR79obV/l6WE3iqeWW +1exns8+CsE7XLEiLvT9L0WrAL4uGZh+y4AV528BDQixxf7G0RfghFA8aoM5KhqJO +G3fEARjHJTHY0X4EyIgu9S/U+viXy3/HNadDRf1q8aIDjXz/QDRCv/J/+P+lG4hd +BBARAgAdFiEEIjHf8Iae46WIWufU94d6K8nEDDEFAlmwRiAACgkQ94d6K8nEDDGj +qgCfV0WNhk3MvIiFl4pp4iJnAaar/0QAnj59GD0/gjuMfB7QE3eI0AbWcpsa +=62eX +-----END PGP PUBLIC KEY BLOCK----- diff --git a/pkgs/applications/misc/1password/default.nix b/pkgs/applications/misc/1password/default.nix index d5818614b9e08..e837e46b84fc8 100644 --- a/pkgs/applications/misc/1password/default.nix +++ b/pkgs/applications/misc/1password/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchzip }: +{ stdenv, fetchzip, gnupg }: stdenv.mkDerivation rec { name = "1password-${version}"; 
@@ -24,6 +24,19 @@ stdenv.mkDerivation rec {
 } else throw "Architecture not supported";
+ nativeBuildInputs = [ gnupg ];
+
+ doCheck = true;
+ checkPhase = ''
+ export GNUPGHOME=.gnupgtmp
+ rm -rf $GNUPGHOME # make sure it's a fresh empty dir
+ mkdir -p -m 700 $GNUPGHOME
+ # import upstream public key
+ cat ${./AC2D62742012EA22.asc} | gpg --import -q
+ # check binary signature with upstream signing key
+ gpgv --keyring pubring.kbx op.sig op
+ '';
+
 installPhase = ''
 install -D op $out/bin/op
 '';
From 29f723b1599f956941244ba8d75888fc3c2e63fe Mon Sep 17 00:00:00 2001
From: Uli Baum
Date: Sun, 8 Jul 2018 00:59:13 +0200
Subject: [PATCH 2/5] build-support: add fetchpgpkey
downloads a pgp public key and verifies its fingerprint
---
pkgs/build-support/fetchpgpkey/default.nix | 29 ++++++++++++++++++++++
pkgs/top-level/all-packages.nix | 2 ++
2 files changed, 31 insertions(+)
create mode 100644 pkgs/build-support/fetchpgpkey/default.nix
diff --git a/pkgs/build-support/fetchpgpkey/default.nix b/pkgs/build-support/fetchpgpkey/default.nix
new file mode 100644
index 0000000000000..44c53bda07027
--- /dev/null
+++ b/pkgs/build-support/fetchpgpkey/default.nix
@@ -0,0 +1,29 @@
+# This function downloads a PGP public key and verifies its fingerprint
+# Because it is based on fetchurl, it will still require a sha256
+# in addition to the fingerprint
+
+{ lib, fetchurl, gnupg }:
+
+{
+ fingerprint
+, ... } @ args:
+
+lib.overrideDerivation (fetchurl ({
+
+ name = "pubkey-${fingerprint}";
+
+ postFetch =
+ ''
+ # extract fingerprint
+ fpr=$(cat "$downloadedFile" | gpg --homedir . --import --import-options show-only --with-colons 2>/dev/null | grep '^fpr' | cut -d: -f 10)
+ # verify
+ if [ "$fpr" == "${fingerprint}" ]; then
+ echo "key fingerprint $fpr verified"
+ else
+ echo "key fingerprint mismatch: got $fpr, expected ${fingerprint}"
+ exit 1
+ fi
+ '';
+
+} // removeAttrs args [ "fingerprint" ] ))
+(x: {nativeBuildInputs = x.nativeBuildInputs++ [gnupg];})
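Review bot: The `gpgv` call is the only thing that authenticates the downloaded `op` binary, yet it runs in `checkPhase`, so a `doCheck = false` override (commonly applied, for example, when cross-compiling) skips verification and installs the unverified binary without any error. The same gating remains in patch 3's `@@ -26,13 +26,19 @@` hunk and patch 5's `@@ -34,13 +34,7 @@` hunk. Moving the key import and `gpgv --keyring pubring.kbx op.sig op` into an unconditional phase such as `preInstall` (and dropping `doCheck`) keeps the check from being optional. A short comment that `--keyring pubring.kbx` is resolved under `$GNUPGHOME` would also explain why the import and the verification must share the same homedir.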
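Review bot: The comparison `[ "$fpr" == "${fingerprint}" ]` treats the entire `grep '^fpr' | cut -d: -f 10` output as a single string, so it succeeds only when gpg emits exactly one `fpr` record. Rejecting a file that carries extra keys is the right outcome, because consumers such as `gpgv` trust every key they import, but a key with subkeys would also be rejected if this gpg prints subkey fingerprints in `--with-colons` mode, so the expectation deserves a comment like `# expects a single primary key: any extra fpr record (other keys, subkeys) fails the check`, or an explicit match on the `fpr` record that follows `pub`. `2>/dev/null` also discards gpg's diagnostics, so an unparseable file surfaces only as `key fingerprint mismatch: got , expected …`; keeping gpg's stderr on the failure path would make that easier to diagnose without weakening the fail-closed behaviour. If the `fetchurl` in this tree accepts `nativeBuildInputs` directly, the `lib.overrideDerivation` wrapper could be replaced by passing `nativeBuildInputs = [ gnupg ];` in the attribute set.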
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 4ddb9f72cc99c..3c7f7f47f3387 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -188,6 +188,8 @@ with pkgs;
 fetchpatch = callPackage ../build-support/fetchpatch { };
+ fetchpgpkey = callPackage ../build-support/fetchpgpkey { };
+
 fetchs3 = callPackage ../build-support/fetchs3 { };
 fetchsvn = callPackage ../build-support/fetchsvn {
From aefefec375a1b770da26289b6481f67a362aeb4c Mon Sep 17 00:00:00 2001
From: Uli Baum
Date: Sun, 8 Jul 2018 01:06:51 +0200
Subject: [PATCH 3/5] 1password: use fetchpgpkey
---
.../misc/1password/AC2D62742012EA22.asc | 80 -------------------
pkgs/applications/misc/1password/default.nix | 10 ++-
2 files changed, 8 insertions(+), 82 deletions(-)
delete mode 100644 pkgs/applications/misc/1password/AC2D62742012EA22.asc
diff --git a/pkgs/applications/misc/1password/AC2D62742012EA22.asc b/pkgs/applications/misc/1password/AC2D62742012EA22.asc
deleted file mode 100644
index 1ec5cf10964ed..0000000000000
--- a/pkgs/applications/misc/1password/AC2D62742012EA22.asc
+++ /dev/null
@@ -1,80 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- -Comment: GPGTools - https://gpgtools.org - -mQINBFkeAh4BEACy6fUHiFi/YvXZ2E5Gs7qFL8TSKQGLt0g8w/NtBotMNveW2Nzg -aXcmJ2E0aXY7nBRtpIgRRrb7XuskDZwGmVx4PQshaZuIozS0T1kdMitobi4k3g2M -551yf1bPWl1neVJ5MmbpknnaIG6VjMHxcRKE0xXDYhpBtt7QQQw1HT8vOjUOXBUf -VIj2o7I/+cRGNgDdkbuGRccC8hSGyiWXy4FY8xPvxMSCXoL5w531ewaGl/M+mAOC -3c6T7S05CcNN50Z6wulCiDZGvuJ2547E5iU9KClAEchJH9yQ2PkLHy3OQi0lBt+4 -PmGeBOIxvFVXGbtGGtx6oFZxVaYDzF+BHHHRRdUs75pWzRm5y/3j0j+O4UKLWvMx -3SN7gRRu6gP5nvOw6wdyYerci2NHx1JJKlM6d6zxEj+cJ4GoBeJQhJi3UVpDy0Hh -TX3iid9Zz1ansQrSujXU2t82695WTGau5sarheDya4niKfVOh4IDMBbA17fnqJbS -ttYiL5i4+eqXbkAItdq+skhqqUElrROC0RKiXhX00nHu+ASHYupr/1Ac9/jdk0wG -TNb1ue76aBGJHZA0U67onp/MkVEOCv04nHRZbHArM0w52v40VIaUax5ZYfLSOIkq -IkPHoywmhR7W6QVlBbjP6zWVrTAWEnPx2VDQVk1CX29n/kM/J1kE60poZQARAQAB -tDNDb2RlIHNpZ25pbmcgZm9yIDFQYXNzd29yZCA8Y29kZXNpZ25AMXBhc3N3b3Jk -LmNvbT6JAlQEEwEIAD4WIQQ/75dIRprb4V2nyoCsLWJ0IBLqIgUCWR4CHgIbAwUJ -DwmcAAULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRCsLWJ0IBLqIvg7D/9kizku -ExCTdQsMqeWUgh59pSPoJn2xNQ6q1hOEgdSSyGAd4hXXmSsCiOF4G9hu9+rnAIxN -oObpIUW78iOob7x8FYjjtZlPAaygnWNPYk5q35hD32f9KvlD7/WY/HoiMEC0qu9b -2tf6dq3YS60OVsjLaM/BMugLmepXw5K5biNsPlVNPMa7EznBbP12Qs9+5qJv58CN -ixM+XqNIEQuGGfks3Rp26bmmsWDjBOz7H72qtPa5zqyTDkJQ3g54SbXZwU3o/LD4 -uikdOKKQF6sIjiv+25j5NTHCJpKglJY7TgfVGTBfobgqU/1SdRR2IVLALrye5y12 -gHDqXq0CrhTGIrSSaFvoHcVdfn2U0NZUlThYS8jIzpAofn6DDXG+7g0twq9n8RQL -/0WyEB0FdW/gkZirks0wJe5nWOrghvWuS7Mm31rTOkcpeljLEr+wfjf1GyiFNSx6 -kJDqJw3U3/oBYbOMKZn68P5ZxdxeSBchkZm1x+kfoBUM/npCU810TLztbV6wRPSj -8DGhAu04YyLJJ1a2W2JVEYiYK0jKA/lhrw3Z1Nz9ikGJGgcQwaSqN4L9pzPUrx1m -xNpn+QIHsjbwScavj3seMJwpxfabRy9zhteP9e6TMJnEZhdq4GTm0lL68kpC6z6e -h/Z0KAZvf1jK/4A5wM4VnUTXMU+SGtU9VH5lzIkCMwQQAQgAHRYhBPAnWT97ensh -T+2Lyy37ftAFej6jBQJZH38iAAoJEC37ftAFej6jNj8QAM5NpjCS0FYP3eLUoGYE -CUHKAkCPim37Wuz0E1L8zwg02XQbzwQ/99hpCbsgqm8s/cCIprfJ0ioGnMa25IJN -0keLLgocJQHeq+7Dw+tGrqVFU3Dnpyg2F7FBSTL5fvGYtPJe8Om7FFS9bm6nDytk 
-vQ7fnyZxC3l+WyxlcQeYahgW4YIMZ4qOBY+ZE4m+Y2SXTAm3qKIbJJ/oixSVXCJS -g964G7A7PN7RMqfKsbwL2ec4CsnOfYl6xe38muPXChvwZtoW1VtNZiBYkKfEOg4U -57cJqclNp8GQRXcSfHY3G9hRIaJic6KFrjBlgwVHpRpSxhj1ydp/RghbjUBzuY22 -hgpHeVdw2wFDVef9st+3XHu6JiEHrGpWjc7VTpCiiYaHAPIFWMu8B9gnQrxc9ZXw -0OzS4vu82mAiyitvw+dY3V4U5uo0q56iyswmDs2S2Kn8/510n2vdCqEtaKMV5cV+ -cnF1aU1PdRct/ZMfqOC+VcfTiS/Svx5/BCie0nIATJGcYtuX9fFd4Z0V3T0N6aM7 -QENgOny7X/zJgp5dWbgkv3Qyz83rz32cfcv9gSf8yUjV3/NsxrzCeKxFWFn+oPh3 -+PTforlP1OsyZORh9IgtoQ5Jqk6YYnSsYkJfseZVQigVpaD2nWwSmmQHMnHmwDvP -CXKaBqnE2TXnoqXw4o8nSRvYiEwEExECAAwFAlkfc30FgweGH4AACgkQbFEGZwmQ -vW7oCQCff4GoP5fcYTq/i4QMwYJmSFLs3GcAoMs+tMkCVeVA/up7QOzgB0/rNypY -iQEcBBABCAAGBQJZH3WeAAoJEL1Y5xxC89TUrRoH/iGhamPA0Z/ldEtBhSYGj/30 -7UvFywP2tlXTeJqma1XwEBzXvx6j9Xn8pLIlvFh3/ouLmP36bY+Ftj8Im3EWGnmV -m5joe5S2hDLQI7FDbWGUwJePDNaMxC/SsvVzkXJzjAvajVAReB3Pu93SfsraNV/n -NMGO4ALW+1Z1p/tzgwW7G4YpiXmRZ1EcL688MQKB/B8IrKajadMk5avGsoPc53MF -EDOboZ3lA7F9WnuS6OSX3zBqyiPYxWskAiVf2TVKlBU54ptBq8ruhKAQqn54VJ9A -3jX31XAcEv1YBw44bPvZzMPxc51ufODSWN80Y5Tui5hpxQVKjCfhjtBaYrwtTnuJ -ASIEEwEIAAwFAlkfctMFgweGH4AACgkQEVQrwN6HnyPERAf/eiihrkuD/5iu3dlI -mwCGRC6hs6Fj7W7Vtfq4zy5KHimfipO8YhZESkDrCz7uQWqzbn3+1fvEFPOGqRUt -g1ju3UZXuvHXTJ/X0wz7ZwxCNUVK3o5IFJcwPr12yy70NQJ8fl0poOrX83zfN9m/ -ltbi5r3vrngO7ERjnDs3HMmoJrsn7q+1eStpBpMJ4OpiqSBUKMVnn6SZsz474Mhe -n7wpyxwAYE/rVAymzdvFaGFzALMcdk14xoqMbcQAPA3W/O9pRofT8GRkBY18jgY/ -1ufIhCPKSZrbUcOUwGf+H3XgI2o2zi1Sgl0P0zhLdZeQf2QM0o/eP8Y6KflEgHCQ -U3G5sYkCIgQTAQoADAUCWST/ywWDB4YfgAAKCRBNoYBTjrg3cHntD/9T43JhILlh -Yt26t6Rwt97fWGMyX7iCsnf7RC9ZmQmqFYI6Aq7BPMp2CQ62zE6XJfgg7owyzB8S -PF2psjki0GJJSEca+hFzS72AkejtZzIaeuV8aMIL7c2p8su58TbCC8ftgOSEeyoO -BcNF4Lla1KO/DLgnfvNGzic/WPBasgB1VilVU7We3IRKcS/12BlTfz2+nPWd6hqZ -iKqbOzSxr2X+L7mK3ubU1CE75PRsSy42GRNVs3TD5XftpjISzrhef9NWuo3edOki -Ir/N8G/Dn3G+Qohx5vxGDYBnFmXQ/HCQgWJ76rTF+AMCOsjB4AhKo81UbzoIEf7M -jRsQoV57YGdbr1vR/aoQ+FwVWLmuTf33XqEzg3wGM1w+Id/goVX4JvPUBnif1qv7 -b9ccv9OIDjPxK9qYl9jgWIrUbqKcRJSGnVL+S8wiOVQswFrdsubCtHL50BuOCT25 
-mxI9PPrcOdVoDp1R59N1w8hwLsqv+Z337blfVAzqNXG4peaHAWcTrRGvWX6vstbg -RDXqdV6uwR7Z2ywFLpETgiRZ92uEBVS6rjYVyV3YGT1LNH/NP6Dn8ZZhS5px48l/ -5whlw011M+V5HqCzyDdSH0vf0qDQD8Rd/ttljlhMMlqCgcd7lmEzT189jBDczQPw -nqxkqW1iYJWRFPkx+smsXTzgLxA3wZkqqYkCIgQTAQgADAUCWSbr+QWDB4YfgAAK -CRAzN10Mq6ZWYOj+EACCvARxEGCIzrzpeaI8cG8TNScC0nFYv7OLfkhl05alZETt -9xNHSvTNyecWkm4tU37MWGFy6hGeR83XB/X/dC4/EGvLOn0Ia7MGHboGv2eNZmTO -3YbFTJ3UJ2vJovwE/x+ljTItajw1BeflJZ3FCmuu7iDWsBU9uKMdYi2CBSA2QZ3Q -bZTTe4j/VvQpPwDusUd8VYSF+tZBgyaWhrnwhlvm8Ni5/z6CXGbpOgg/CvdkJstf -qrD34L0AvM7BjkIzOWwPNCCJ7NGTdTonCen7/NrZj63NXVyqvevXUidnpm9ejgex -6SHVtMOq1NCQ4n5430rM2AISHxdVj8lNcEjugZWYLecWr3FLr0u8i0CkcOwT3OJj -0ypVx8lxYtID0uLUZ4QmSb2yJyDcdzndNQNQIOo+esR5vx69osZv7Cm36nnAh4vk -cIAfhJqmuZ2oUB7kPdNrSkR/jI+UfvJJQrX2Wxgvv+w+8oUBxsX9h7MHtAZ/GpMY -HXnJdF/CB3CtAlsV8hs4cK2E+dHDs5YQ5IAESZSzE8toIXkR79obV/l6WE3iqeWW -1exns8+CsE7XLEiLvT9L0WrAL4uGZh+y4AV528BDQixxf7G0RfghFA8aoM5KhqJO -G3fEARjHJTHY0X4EyIgu9S/U+viXy3/HNadDRf1q8aIDjXz/QDRCv/J/+P+lG4hd -BBARAgAdFiEEIjHf8Iae46WIWufU94d6K8nEDDEFAlmwRiAACgkQ94d6K8nEDDGj -qgCfV0WNhk3MvIiFl4pp4iJnAaar/0QAnj59GD0/gjuMfB7QE3eI0AbWcpsa -=62eX ------END PGP PUBLIC KEY BLOCK----- diff --git a/pkgs/applications/misc/1password/default.nix b/pkgs/applications/misc/1password/default.nix index e837e46b84fc8..290097da1e59a 100644 --- a/pkgs/applications/misc/1password/default.nix +++ b/pkgs/applications/misc/1password/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchzip, gnupg }: +{ stdenv, fetchzip, gnupg, fetchpgpkey }: stdenv.mkDerivation rec { name = "1password-${version}"; 
@@ -26,13 +26,19 @@ stdenv.mkDerivation rec {
 nativeBuildInputs = [ gnupg ];
+ key = fetchpgpkey {
+ url = https://keybase.io/1password/pgp_keys.asc;
+ fingerprint = "3FEF9748469ADBE15DA7CA80AC2D62742012EA22";
+ sha256 = "1v9gic59a3qim3fcffq77jrswycww4m1rd885lk5xgwr0qnqr019";
+ };
+
 doCheck = true;
 checkPhase = ''
 export GNUPGHOME=.gnupgtmp
 rm -rf $GNUPGHOME # make sure it's a fresh empty dir
 mkdir -p -m 700 $GNUPGHOME
 # import upstream public key
- cat ${./AC2D62742012EA22.asc} | gpg --import -q
+ cat ${key} | gpg --import -q
+ # check binary signature with upstream signing key
+ gpgv --keyring pubring.kbx op.sig op
 '';
From a534826e2aff259edc36e88bd117b2c4acec28c6 Mon Sep 17 00:00:00 2001
From: Uli Baum
Date: Sun, 8 Jul 2018 14:27:25 +0200
Subject: [PATCH 4/5] build-support/setup-hooks: add verifySignatureHook
---
.../setup-hooks/verify-signature.sh | 27 +++++++++++++++++++
pkgs/top-level/all-packages.nix | 4 +++
2 files changed, 31 insertions(+)
create mode 100644 pkgs/build-support/setup-hooks/verify-signature.sh
diff --git a/pkgs/build-support/setup-hooks/verify-signature.sh b/pkgs/build-support/setup-hooks/verify-signature.sh
new file mode 100644
index 0000000000000..3d0f7b37c91e9
--- /dev/null
+++ b/pkgs/build-support/setup-hooks/verify-signature.sh
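Review bot: The `key` attribute does not say which of its two pins is the trust anchor: `fetchpgpkey` aborts on a fingerprint mismatch, while the `sha256` only fixes this particular export of the key from keybase.io, so if that service re-exports the key with additional certifications the fetch fails on the hash even though the key itself is unchanged. A comment such as `# the fingerprint is the trust anchor; sha256 only pins this specific export of the key` would tell the next maintainer that refreshing the hash is safe as long as the fingerprint stays the same. It would also be worth stating next to `url` that the host is interchangeable for the same reason, since the fingerprint check, not the download location, is what binds the key to 1Password.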
@@ -0,0 +1,27 @@
+# Helper functions for verifying php signatures
+
+# importPublicKey
+# Add PGP public key contained in ${publicKey} to the keyring.
+# All imported keys will be trusted by verifySig
+_importPublicKey() {
+ if [ -z "${publicKey}" ]; then
+ echo "error: publicKey must be defined when using verifySignatureHook" >&2
+ exit 1
+ fi
+ gpg -q --import "${publicKey}"
+}
+
+
+# verifySignature SIGFILE DATAFILE
+# verify the signature SIGFILE for the file DATAFILE
+# if DATAFILE is omitted, it is derived from SIGFILE by dropping the .asc or .sig suffix
+verifySignature() {
+ gpgv --keyring pubring.kbx "$1" "$2" || exit 1
+}
+
+# create temporary gpg homedir
+export GNUPGHOME=$(readlink -f .gnupgtmp)
+rm -rf $GNUPGHOME # make sure it's a fresh empty dir
+mkdir -p -m 700 $GNUPGHOME
+
+preUnpackHooks+=(_importPublicKey)
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 3c7f7f47f3387..56bc0d9065238 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -102,6 +102,10 @@ with pkgs;
 { substitutions = { gnu_config = gnu-config;}; }
 ../build-support/setup-hooks/update-autotools-gnu-config-scripts.sh;
+ verifySignatureHook = makeSetupHook
+ { name = "verify-signature-hook"; deps = [ gnupg ]; }
+ ../build-support/setup-hooks/verify-signature.sh;
+
 gogUnpackHook = makeSetupHook
 { name = "gog-unpack-hook"; deps = [ innoextract file-rename ]; }
From aa4bfd212764c5152a032d84390b4a40a43b5768 Mon Sep 17 00:00:00 2001
From: Uli Baum
Date: Sun, 8 Jul 2018 14:29:22 +0200
Subject: [PATCH 5/5] 1password: use verifySignatureHook
---
pkgs/applications/misc/1password/default.nix | 14 ++++----------
1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/pkgs/applications/misc/1password/default.nix b/pkgs/applications/misc/1password/default.nix
index 290097da1e59a..90bd59037f28b 100644
--- a/pkgs/applications/misc/1password/default.nix
+++ b/pkgs/applications/misc/1password/default.nix
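Review bot: `verifySignature` does not implement the contract its header comment promises: when DATAFILE is omitted, `"$2"` expands to an empty argument instead of the name derived from SIGFILE, so `gpgv` fails on a missing data file rather than verifying the obvious one. Either implement the derivation (below) or trim the comment to `# verifySignature SIGFILE DATAFILE` and drop the third line, so the documented and actual behaviour agree. The file header says "php signatures" where "PGP" is meant, and the `_importPublicKey` comment refers to `verifySig` rather than `verifySignature`. Because `gpgv` trusts every key in the keyring it is given, the "All imported keys will be trusted" sentence is the central contract of this hook and belongs at the top of the file, next to the note that `publicKey` must therefore contain only the intended key.

```shell
# verifySignature SIGFILE [DATAFILE]
# verify the signature SIGFILE for the file DATAFILE; if DATAFILE is omitted,
# it is derived from SIGFILE by dropping the .asc or .sig suffix
verifySignature() {
    local sigFile="$1" dataFile="$2"
    if [ -z "$dataFile" ]; then
        case "$sigFile" in
            *.asc) dataFile="${sigFile%.asc}" ;;
            *.sig) dataFile="${sigFile%.sig}" ;;
            *) echo "error: verifySignature: cannot derive data file from $sigFile" >&2; exit 1 ;;
        esac
    fi
    gpgv --keyring pubring.kbx "$sigFile" "$dataFile" || exit 1
}
```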
@@ -1,4 +1,4 @@
-{ stdenv, fetchzip, gnupg, fetchpgpkey }:
+{ stdenv, fetchzip, fetchpgpkey, verifySignatureHook }:
 stdenv.mkDerivation rec {
 name = "1password-${version}";
@@ -24,9 +24,9 @@ stdenv.mkDerivation rec {
 } else throw "Architecture not supported";
- nativeBuildInputs = [ gnupg ];
+ nativeBuildInputs = [ verifySignatureHook ];
- key = fetchpgpkey {
+ publicKey = fetchpgpkey {
 url = https://keybase.io/1password/pgp_keys.asc;
 fingerprint = "3FEF9748469ADBE15DA7CA80AC2D62742012EA22";
 sha256 = "1v9gic59a3qim3fcffq77jrswycww4m1rd885lk5xgwr0qnqr019";
@@ -34,13 +34,7 @@ stdenv.mkDerivation rec {
 doCheck = true;
 checkPhase = ''
- export GNUPGHOME=.gnupgtmp
- rm -rf $GNUPGHOME # make sure it's a fresh empty dir
- mkdir -p -m 700 $GNUPGHOME
- # import upstream public key
- cat ${key} | gpg --import -q
- # check binary signature with upstream signing key
- gpgv --keyring pubring.kbx op.sig op
+ verifySignature op.sig op
 '';
 installPhase = ''
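Review bot: In the `@@ -24,9 +24,9 @@` hunk the rename from `key` to `publicKey` is what wires this derivation to the hook, because `_importPublicKey` reads the attribute only through the `publicKey` environment variable, and nothing in this file says so. A comment on the attribute, `# attribute name is fixed: verifySignatureHook imports $publicKey in preUnpack`, would make the coupling explicit; a later rename would otherwise be caught only at build time by the hook's `-z` check. The `@@ -34,13 +34,7 @@` hunk continues past the end of the excerpt.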