buildSupport: add helpers for verifying code signatures

pkgs/applications/misc/1password/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchzip }:
+{ stdenv, fetchzip, fetchpgpkey, verifySignatureHook }:
 
 stdenv.mkDerivation rec {
   name = "1password-${version}";
@@ -24,6 +24,19 @@ stdenv.mkDerivation rec {
       }
     else throw "Architecture not supported";
 
+  nativeBuildInputs = [ verifySignatureHook ];
+
+  signaturePublicKey = fetchpgpkey {
+    url = https://keybase.io/1password/pgp_keys.asc;
+    fingerprint = "3FEF9748469ADBE15DA7CA80AC2D62742012EA22";
+    sha256 = "1v9gic59a3qim3fcffq77jrswycww4m1rd885lk5xgwr0qnqr019";
+  };
+
+  doCheck = true;
+  checkPhase = ''
+    verifySignature op.sig op
+  '';
+
   installPhase = ''
     install -D op $out/bin/op
   '';

pkgs/applications/networking/browsers/tor-browser-bundle-bin/default.nix

@@ -1,5 +1,7 @@
 { stdenv
 , fetchurl
+, fetchpgpkey
+, verifySignatureHook
 , makeDesktopItem
 
 # Common run-time dependencies
@@ -119,13 +121,34 @@ let
       sha256 = "1s0k82ch7ypjyc5k5rb4skb9ylnp7b9ipvf8gb7pdhb8m4zjk461";
     };
   };
+
+  srcSignatures = {
+    "x86_64-linux" = fetchurl {
+      url = "https://dist.torproject.org/torbrowser/${version}/tor-browser-linux64-${version}_${lang}.tar.xz.asc";
+      sha256 = "008r1k3cpwjnvmyywwr3m3rl9bqmynasbzrrzm4kplaisqfg9wkn";
+    };
+
+    "i686-linux" = fetchurl {
+      url = "https://dist.torproject.org/torbrowser/${version}/tor-browser-linux32-${version}_${lang}.tar.xz.asc";
+      sha256 = "000binc825nmapwi255g511yva9mrxlqygj4b1kfk36clmnim5zm";
+    };
+  };
 in
 
 stdenv.mkDerivation rec {
   name = "tor-browser-bundle-bin-${version}";
   inherit version;
 
   src = srcs."${stdenv.system}" or (throw "unsupported system: ${stdenv.system}");
+  srcSignature = srcSignatures."${stdenv.system}" or (throw "unsupported system: ${stdenv.system}");
+
+  signaturePublicKey = fetchpgpkey {
+    url = https://sks-keyservers.net/pks/lookup?op=get&search=0x4E2C6E8793298290;
+    sha256 = "0lnms0cixpqirphp3wkd6dqfxzm3yhs8d3xsaf1a9rmh839r4xi5";
+    fingerprint = "EF6E286DDA85EA2A4BA7DE684E2C6E8793298290";
+  };
+
+  nativeBuildInputs = [ verifySignatureHook ];
 
   preferLocalBuild = true;
   allowSubstitutes = false;
@@ -146,6 +169,7 @@ stdenv.mkDerivation rec {
     interp=$(< $NIX_CC/nix-support/dynamic-linker)
 
     # Unpack & enter
+    verifySrcSignature
     mkdir -p "$TBB_IN_STORE"
     tar xf "${src}" -C "$TBB_IN_STORE" --strip-components=2
     pushd "$TBB_IN_STORE"

pkgs/build-support/fetchpgpkey/default.nix

@@ -0,0 +1,29 @@
+# This function downloads a PGP public key and verifies its fingerprint
+# Because it is based on fetchurl, it will still require a sha256
+# in addition to the fingerprint
+
+{ lib, fetchurl, gnupg }:
+
+{
+  fingerprint
+, ... } @ args:
+
+lib.overrideDerivation (fetchurl ({
+
+  name = "pubkey-${fingerprint}";
+
+  postFetch =
+    ''
+      # extract fingerprint
+      fpr=$(cat "$downloadedFile" | gpg --homedir . --import --import-options show-only --with-colons 2>/dev/null | grep -m 1 '^fpr' | cut -d: -f 10)
+      # verify
+      if [ "$fpr" == "${fingerprint}" ]; then
+        echo "key fingerprint $fpr verified"
+      else
+        echo "key fingerprint mismatch: got $fpr, expected ${fingerprint}"
+        exit 1
+      fi
+    '';
+
+} // removeAttrs args [ "fingerprint" ] ))
+(x: {nativeBuildInputs = x.nativeBuildInputs++ [gnupg];})

pkgs/build-support/setup-hooks/verify-signature.sh

@@ -0,0 +1,45 @@
+# Helper functions for verifying (detached) PGP signatures
+
+# importPublicKey
+# Add PGP public key contained in ${publicKey} to the keyring.
+# All imported keys will be trusted by verifySig
+_importPublicKey() {
+  if [ -z "$signaturePublicKey" ]; then
+    echo "error: verifySignatureHook requires signaturePublicKey" >&2
+    exit 1
+  fi
+  gpg -q --import "$signaturePublicKey"
+}
+
+
+# verifySignature SIGFILE DATAFILE UNCOMPRESS
+# verify the signature SIGFILE for the file DATAFILE
+# if DATAFILE is omitted, it is derived from SIGFILE by dropping the .asc or .sig suffix
+# if UNCOMPRESS is set, uncompress DATAFILE before verification
+verifySignature() {
+  if [ -z "$3" ]; then
+    gpgv --keyring pubring.kbx "$1" "$2" || exit 1
+  else
+    gunzip -c "$2" | gpgv --keyring pubring.kbx "$1" - || exit 1
+  fi
+}
+
+
+# verifySrcSignature 
+# verify the signature $srcSignature for source file $src
+verifySrcSignature() {
+  _importPublicKey
+  [ -z "$srcSignature" ] && return
+  verifySignature "$srcSignature" "$src" "$signatureUncompressed"
+}
+
+
+# setup
+
+# create temporary gpg homedir
+export GNUPGHOME=$(readlink -f .gnupgtmp)
+rm -rf $GNUPGHOME # make sure it's a fresh empty dir
+mkdir -p -m 700 $GNUPGHOME
+
+# automatically check the signature before unpack if srcSignature is set
+preUnpackHooks+=(verifySrcSignature)

pkgs/servers/samba/4.x.nix

@@ -1,5 +1,7 @@
 { lib, stdenv, fetchurl, python, pkgconfig, perl, libxslt, docbook_xsl
 , fetchpatch
+, fetchpgpkey
+, verifySignatureHook
 , docbook_xml_dtd_42, docbook_xml_dtd_45, readline, talloc
 , popt, iniparser, libbsd, libarchive, libiconv, gettext
 , krb5Full, zlib, openldap, cups, pam, avahi, acl, libaio, fam, libceph, glusterfs
@@ -29,6 +31,20 @@ stdenv.mkDerivation rec {
     sha256 = "0vkxqp3wh7bpn1fd45lznmrpn2ma1fq75yq28vi08rggr07y7v8y";
   };
 
+  srcSignature = fetchurl {
+    url = "mirror://samba/pub/samba/stable/${name}.tar.asc";
+    sha256 = "0wpcbwbs1bj1y0amhn0z29v55f2hhmzc5p8n7sbwg9kaf0hc5mz5";
+  };
+  signatureUncompressed = true;
+
+  signaturePublicKey = fetchpgpkey {
+    url = https://download.samba.org/pub/samba/samba-pubkey.asc;
+    sha256 = "1fndhq0c34va34z137gvsl9gpwjv30b06makfx8cq5vrmgiax1x1";
+    fingerprint = "52FBC0B86D954B0843324CDC6F33915B6568B7EA";
+  };
+
+  nativeBuildInputs = [ verifySignatureHook ];
+
   outputs = [ "out" "dev" "man" ];
 
   patches =
@@ -41,6 +57,7 @@ stdenv.mkDerivation rec {
       })
     ];
 
+
   buildInputs =
     [ python pkgconfig perl libxslt docbook_xsl docbook_xml_dtd_42 /*
       docbook_xml_dtd_45 */ readline talloc popt iniparser

pkgs/top-level/all-packages.nix

@@ -86,6 +86,10 @@ with pkgs;
     { substitutions = { gnu_config = gnu-config;}; }
     ../build-support/setup-hooks/update-autotools-gnu-config-scripts.sh;
 
+  verifySignatureHook = makeSetupHook
+    { name = "verify-signature-hook"; deps = [ gnupg ]; }
+    ../build-support/setup-hooks/verify-signature.sh;
+
   gogUnpackHook = makeSetupHook {
     name = "gog-unpack-hook";
     deps = [ innoextract file-rename ]; }
@@ -172,6 +176,8 @@ with pkgs;
 
   fetchpatch = callPackage ../build-support/fetchpatch { };
 
+  fetchpgpkey = callPackage ../build-support/fetchpgpkey { };
+
   fetchs3 = callPackage ../build-support/fetchs3 { };
 
   fetchsvn = callPackage ../build-support/fetchsvn {