NixOS · xeji · Jun 25, 2018 · Jul 7, 2018 · Jul 7, 2018 · Jul 8, 2018
diff --git a/pkgs/applications/misc/1password/default.nix b/pkgs/applications/misc/1password/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchzip }:
+{ stdenv, fetchzip, fetchpgpkey, verifySignatureHook }:
 
 stdenv.mkDerivation rec {
   name = "1password-${version}";
@@ -24,6 +24,19 @@ stdenv.mkDerivation rec {
       }
     else throw "Architecture not supported";
 
+  nativeBuildInputs = [ verifySignatureHook ];
+
+  publicKey = fetchpgpkey {
+    url = https://keybase.io/1password/pgp_keys.asc;
+    fingerprint = "3FEF9748469ADBE15DA7CA80AC2D62742012EA22";
+    sha256 = "1v9gic59a3qim3fcffq77jrswycww4m1rd885lk5xgwr0qnqr019";
+  };
+
+  doCheck = true;
+  checkPhase = ''
+    verifySignature op.sig op
+  '';
+
   installPhase = ''
     install -D op $out/bin/op
   '';

diff --git a/pkgs/build-support/fetchpgpkey/default.nix b/pkgs/build-support/fetchpgpkey/default.nix
@@ -0,0 +1,29 @@
+# This function downloads a PGP public key and verifies its fingerprint
+# Because it is based on fetchurl, it will still require a sha256
+# in addition to the fingerprint
+
+{ lib, fetchurl, gnupg }:
+
+{
+  fingerprint
+, ... } @ args:
+
+lib.overrideDerivation (fetchurl ({
+
+  name = "pubkey-${fingerprint}";
+
+  postFetch =
+    ''
+      # extract fingerprint
+      fpr=$(cat "$downloadedFile" | gpg --homedir . --import --import-options show-only --with-colons 2>/dev/null | grep '^fpr' | cut -d: -f 10)
+      # verify
+      if [ "$fpr" == "${fingerprint}" ]; then
+        echo "key fingerprint $fpr verified"
+      else
+        echo "key fingerprint mismatch: got $fpr, expected ${fingerprint}"
+        exit 1
+      fi
+    '';
+
+} // removeAttrs args [ "fingerprint" ] ))
+(x: {nativeBuildInputs = x.nativeBuildInputs++ [gnupg];})
diff --git a/pkgs/build-support/setup-hooks/verify-signature.sh b/pkgs/build-support/setup-hooks/verify-signature.sh
@@ -0,0 +1,27 @@
+# Helper functions for verifying php signatures
+
+# importPublicKey
+# Add PGP public key contained in ${publicKey} to the keyring.
+# All imported keys will be trusted by verifySig
+_importPublicKey() {
+  if [ -z "${publicKey}" ]; then
+    echo "error: publicKey must be defined when using verifySignatureHook" >&2
+    exit 1
+  fi
+  gpg -q --import "${publicKey}"
+}
+
+
+# verifySignature SIGFILE DATAFILE
+# verify the signature SIGFILE for the file DATAFILE
+# if DATAFILE is omitted, it is derived from SIGFILE by dropping the .asc or .sig suffix
+verifySignature() {
+  gpgv --keyring pubring.kbx "$1" "$2" || exit 1
+}
+
+# create temporary gpg homedir
+export GNUPGHOME=$(readlink -f .gnupgtmp)
+rm -rf $GNUPGHOME # make sure it's a fresh empty dir
+mkdir -p -m 700 $GNUPGHOME
+
+preUnpackHooks+=(_importPublicKey)
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
@@ -102,6 +102,10 @@ with pkgs;
     { substitutions = { gnu_config = gnu-config;}; }
     ../build-support/setup-hooks/update-autotools-gnu-config-scripts.sh;
 
+  verifySignatureHook = makeSetupHook
+    { name = "verify-signature-hook"; deps = [ gnupg ]; }
+    ../build-support/setup-hooks/verify-signature.sh;
+
   gogUnpackHook = makeSetupHook {
     name = "gog-unpack-hook";
     deps = [ innoextract file-rename ]; }
@@ -188,6 +192,8 @@ with pkgs;
 
   fetchpatch = callPackage ../build-support/fetchpatch { };
 
+  fetchpgpkey = callPackage ../build-support/fetchpgpkey { };
+
   fetchs3 = callPackage ../build-support/fetchs3 { };
 
   fetchsvn = callPackage ../build-support/fetchsvn {