diff --git a/pkgs/applications/misc/1password/default.nix b/pkgs/applications/misc/1password/default.nix index d5818614b9e08..2f37d8ceda67e 100644 --- a/pkgs/applications/misc/1password/default.nix +++ b/pkgs/applications/misc/1password/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchzip }: +{ stdenv, fetchzip, fetchpgpkey, verifySignatureHook }: stdenv.mkDerivation rec { name = "1password-${version}"; @@ -24,6 +24,19 @@ stdenv.mkDerivation rec { } else throw "Architecture not supported"; + nativeBuildInputs = [ verifySignatureHook ]; + + signaturePublicKey = fetchpgpkey { + url = https://keybase.io/1password/pgp_keys.asc; + fingerprint = "3FEF9748469ADBE15DA7CA80AC2D62742012EA22"; + sha256 = "1v9gic59a3qim3fcffq77jrswycww4m1rd885lk5xgwr0qnqr019"; + }; + + doCheck = true; + checkPhase = '' + verifySignature op.sig op + ''; + installPhase = '' install -D op $out/bin/op ''; diff --git a/pkgs/applications/networking/browsers/tor-browser-bundle-bin/default.nix b/pkgs/applications/networking/browsers/tor-browser-bundle-bin/default.nix index de6766709131a..f08dfa85f0fd0 100644 --- a/pkgs/applications/networking/browsers/tor-browser-bundle-bin/default.nix +++ b/pkgs/applications/networking/browsers/tor-browser-bundle-bin/default.nix @@ -1,5 +1,7 @@ { stdenv , fetchurl +, fetchpgpkey +, verifySignatureHook , makeDesktopItem # Common run-time dependencies @@ -119,6 +121,18 @@ let sha256 = "1s0k82ch7ypjyc5k5rb4skb9ylnp7b9ipvf8gb7pdhb8m4zjk461"; }; }; + + srcSignatures = { + "x86_64-linux" = fetchurl { + url = "https://dist.torproject.org/torbrowser/${version}/tor-browser-linux64-${version}_${lang}.tar.xz.asc"; + sha256 = "008r1k3cpwjnvmyywwr3m3rl9bqmynasbzrrzm4kplaisqfg9wkn"; + }; + + "i686-linux" = fetchurl { + url = "https://dist.torproject.org/torbrowser/${version}/tor-browser-linux32-${version}_${lang}.tar.xz.asc"; + sha256 = "000binc825nmapwi255g511yva9mrxlqygj4b1kfk36clmnim5zm"; + }; + }; in stdenv.mkDerivation rec { 
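Review bot: In the second 1password hunk, running `verifySignature op.sig op` from `checkPhase` behind `doCheck = true` turns the signature check into something any `doCheck = false` override (or a build that disables checks) silently drops, leaving the fetched binary pinned only by the zip's sha256. Since the signature covers the downloaded `op`, not a build product, it belongs with unpacking; presumably `postUnpack = '' verifySignature op.sig op '';` would run in the same directory `installPhase` uses and cannot be switched off by `doCheck`. Whatever phase is chosen, the call works only because `verifySrcSignature` (registered in `preUnpackHooks` by the hook) has already imported `signaturePublicKey` into the keyring, so a comment such as `# keyring is populated by verifySignatureHook's preUnpack hook` would make that ordering explicit.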
@@ -126,6 +140,15 @@ stdenv.mkDerivation rec { inherit version; src = srcs."${stdenv.system}" or (throw "unsupported system: ${stdenv.system}"); + srcSignature = srcSignatures."${stdenv.system}" or (throw "unsupported system: ${stdenv.system}"); + + signaturePublicKey = fetchpgpkey { + url = https://sks-keyservers.net/pks/lookup?op=get&search=0x4E2C6E8793298290; + sha256 = "0lnms0cixpqirphp3wkd6dqfxzm3yhs8d3xsaf1a9rmh839r4xi5"; + fingerprint = "EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"; + }; + + nativeBuildInputs = [ verifySignatureHook ]; preferLocalBuild = true; allowSubstitutes = false; @@ -146,6 +169,7 @@ stdenv.mkDerivation rec { interp=$(< $NIX_CC/nix-support/dynamic-linker) # Unpack & enter + verifySrcSignature mkdir -p "$TBB_IN_STORE" tar xf "${src}" -C "$TBB_IN_STORE" --strip-components=2 pushd "$TBB_IN_STORE" diff --git a/pkgs/build-support/fetchpgpkey/default.nix b/pkgs/build-support/fetchpgpkey/default.nix new file mode 100644 index 0000000000000..b0cbddc2612b5 --- /dev/null +++ b/pkgs/build-support/fetchpgpkey/default.nix @@ -0,0 +1,29 @@ +# This function downloads a PGP public key and verifies its fingerprint +# Because it is based on fetchurl, it will still require a sha256 +# in addition to the fingerprint + +{ lib, fetchurl, gnupg }: + +{ + fingerprint +, ... } @ args: + +lib.overrideDerivation (fetchurl ({ + + name = "pubkey-${fingerprint}"; + + postFetch = + '' + # extract fingerprint + fpr=$(cat "$downloadedFile" | gpg --homedir . --import --import-options show-only --with-colons 2>/dev/null | grep -m 1 '^fpr' | cut -d: -f 10) + # verify + if [ "$fpr" == "${fingerprint}" ]; then + echo "key fingerprint $fpr verified" + else + echo "key fingerprint mismatch: got $fpr, expected ${fingerprint}" + exit 1 + fi + ''; + +} // removeAttrs args [ "fingerprint" ] )) +(x: {nativeBuildInputs = x.nativeBuildInputs++ [gnupg];}) 
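Review bot: In the `-146,6 +169,7` hunk the explicit `verifySrcSignature` before `tar xf` duplicates the `preUnpackHooks` registration the hook already performs, and nothing says why; it is presumably needed because this script unpacks by hand outside the generic `unpackPhase` (the enclosing phase starts outside the hunk), where those hooks never fire. A one-line comment would stop a later cleanup from removing it: `# generic preUnpack hooks do not run here, so verify the source signature explicitly`. Note also that this call is what imports `signaturePublicKey` into the keyring, so it has to stay ahead of any other gpgv use in the script.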
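Review bot: The fingerprint check in fetchpgpkey's `postFetch` inspects only the first `fpr` record (`grep -m 1 '^fpr'`), so a key file carrying several public keys — which a keyserver lookup or a hosted key export can return — passes as long as the first key matches, and `_importPublicKey` in verify-signature.sh then imports and trusts every key in the file. Requiring exactly one `pub` record before comparing the fingerprint closes that gap; the rewrite below adds that check ahead of the existing comparison. The `2>/dev/null` on the gpg call also hides the reason when parsing fails, so the mismatch message reads `got , expected …`; letting gpg's stderr through (or printing it on failure) would make such failures diagnosable.
```nix
  postFetch =
    ''
      # refuse key files that carry more than one public key: every key in the
      # file would later be imported and trusted by verifySignatureHook
      npub=$(gpg --homedir . --import --import-options show-only --with-colons "$downloadedFile" | grep -c '^pub' || true)
      if [ "$npub" != 1 ]; then
        echo "expected exactly one public key in the downloaded file, found $npub"
        exit 1
      fi
      # … unchanged: fingerprint extraction and comparison …
    '';
```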
diff --git a/pkgs/build-support/setup-hooks/verify-signature.sh b/pkgs/build-support/setup-hooks/verify-signature.sh new file mode 100644 index 0000000000000..749bdf4089b47 --- /dev/null +++ b/pkgs/build-support/setup-hooks/verify-signature.sh @@ -0,0 +1,45 @@ +# Helper functions for verifying (detached) PGP signatures + +# importPublicKey +# Add PGP public key contained in ${publicKey} to the keyring. +# All imported keys will be trusted by verifySig +_importPublicKey() { + if [ -z "$signaturePublicKey" ]; then + echo "error: verifySignatureHook requires signaturePublicKey" >&2 + exit 1 + fi + gpg -q --import "$signaturePublicKey" +} + + +# verifySignature SIGFILE DATAFILE UNCOMPRESS +# verify the signature SIGFILE for the file DATAFILE +# if DATAFILE is omitted, it is derived from SIGFILE by dropping the .asc or .sig suffix +# if UNCOMPRESS is set, uncompress DATAFILE before verification +verifySignature() { + if [ -z "$3" ]; then + gpgv --keyring pubring.kbx "$1" "$2" || exit 1 + else + gunzip -c "$2" | gpgv --keyring pubring.kbx "$1" - || exit 1 + fi +} + + +# verifySrcSignature +# verify the signature $srcSignature for source file $src +verifySrcSignature() { + _importPublicKey + [ -z "$srcSignature" ] && return + verifySignature "$srcSignature" "$src" "$signatureUncompressed" +} + + +# setup + +# create temporary gpg homedir +export GNUPGHOME=$(readlink -f .gnupgtmp) +rm -rf $GNUPGHOME # make sure it's a fresh empty dir +mkdir -p -m 700 $GNUPGHOME + +# automatically check the signature before unpack if srcSignature is set +preUnpackHooks+=(verifySrcSignature) diff --git a/pkgs/servers/samba/4.x.nix b/pkgs/servers/samba/4.x.nix index 0ff7f88911f26..ddc950ebfde84 100644 --- a/pkgs/servers/samba/4.x.nix +++ b/pkgs/servers/samba/4.x.nix 
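Review bot: The header comment on `verifySignature` promises that DATAFILE is derived from SIGFILE by dropping the `.asc` or `.sig` suffix when omitted, but the body passes `"$2"` to gpgv unchanged, so a one-argument call hands gpgv an empty file name and fails instead of verifying the obvious target; either the sentence or the code has to change, and the rewrite below does the latter. `gpg -q --import "$signaturePublicKey"` in `_importPublicKey` also ignores its exit status, so an unreadable or malformed key file only surfaces later as a confusing "public key not found" from gpgv; `gpg -q --import "$signaturePublicKey" || exit 1` fails at the real cause. The setup block's `rm -rf $GNUPGHOME` and `mkdir -p -m 700 $GNUPGHOME` should quote the variable for consistency with the rest of the file.
```sh
verifySignature() {
    local sigfile="$1"
    local datafile="$2"
    # DATAFILE defaults to SIGFILE without its .asc or .sig suffix, as documented above
    if [ -z "$datafile" ]; then
        datafile="${sigfile%.asc}"
        datafile="${datafile%.sig}"
    fi
    if [ -z "$3" ]; then
        gpgv --keyring pubring.kbx "$sigfile" "$datafile" || exit 1
    else
        gunzip -c "$datafile" | gpgv --keyring pubring.kbx "$sigfile" - || exit 1
    fi
}
```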
@@ -1,5 +1,7 @@ { lib, stdenv, fetchurl, python, pkgconfig, perl, libxslt, docbook_xsl , fetchpatch +, fetchpgpkey +, verifySignatureHook , docbook_xml_dtd_42, docbook_xml_dtd_45, readline, talloc , popt, iniparser, libbsd, libarchive, libiconv, gettext , krb5Full, zlib, openldap, cups, pam, avahi, acl, libaio, fam, libceph, glusterfs @@ -29,6 +31,20 @@ stdenv.mkDerivation rec { sha256 = "0vkxqp3wh7bpn1fd45lznmrpn2ma1fq75yq28vi08rggr07y7v8y"; }; + srcSignature = fetchurl { + url = "mirror://samba/pub/samba/stable/${name}.tar.asc"; + sha256 = "0wpcbwbs1bj1y0amhn0z29v55f2hhmzc5p8n7sbwg9kaf0hc5mz5"; + }; + signatureUncompressed = true; + + signaturePublicKey = fetchpgpkey { + url = https://download.samba.org/pub/samba/samba-pubkey.asc; + sha256 = "1fndhq0c34va34z137gvsl9gpwjv30b06makfx8cq5vrmgiax1x1"; + fingerprint = "52FBC0B86D954B0843324CDC6F33915B6568B7EA"; + }; + + nativeBuildInputs = [ verifySignatureHook ]; + outputs = [ "out" "dev" "man" ]; patches = @@ -41,6 +57,7 @@ stdenv.mkDerivation rec { }) ]; + buildInputs = [ python pkgconfig perl libxslt docbook_xsl docbook_xml_dtd_42 /* docbook_xml_dtd_45 */ readline talloc popt iniparser diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 2e8285db1aab4..b5f9dc4d46597 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -86,6 +86,10 @@ with pkgs; { substitutions = { gnu_config = gnu-config;}; } ../build-support/setup-hooks/update-autotools-gnu-config-scripts.sh; + verifySignatureHook = makeSetupHook + { name = "verify-signature-hook"; deps = [ gnupg ]; } + ../build-support/setup-hooks/verify-signature.sh; + gogUnpackHook = makeSetupHook { name = "gog-unpack-hook"; deps = [ innoextract file-rename ]; } @@ -172,6 +176,8 @@ with pkgs; fetchpatch = callPackage ../build-support/fetchpatch { }; + fetchpgpkey = callPackage ../build-support/fetchpgpkey { }; + fetchs3 = callPackage ../build-support/fetchs3 { }; fetchsvn = callPackage ../build-support/fetchsvn {
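Review bot: In the `-29,6 +31,20` samba hunk, `signatureUncompressed = true` beside a `${name}.tar.asc` signature for a `.tar.gz` source is correct but unexplained; a reader has to open verify-signature.sh to learn that the hook gunzips `src` before handing it to gpgv. A comment keeps the pairing obvious: `# samba signs the uncompressed tarball; the hook gunzips src before verifying`. Both the tarball and its `.asc` come from the same `mirror://samba` set, so the assurance here rests on the fingerprint-pinned `signaturePublicKey` rather than on the mirror, which is fine but worth remembering if the key URL is ever changed.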