From 96e9fcd3260a4d2da1c9a0262ff6c3dc52e8582e Mon Sep 17 00:00:00 2001 From: Stephan Mueller Date: Sun, 26 May 2013 09:18:49 +0200 Subject: [PATCH] ports: Verify signatures of 3rd-party code This patch adds integrity checks for the packages of the ports repository. Issue #748 --- ports/ports/bash.mk | 12 +++++++++--- ports/ports/binutils.mk | 12 +++++++++--- ports/ports/coreutils.mk | 12 +++++++++--- ports/ports/findutils.mk | 12 +++++++++--- ports/ports/gcc.mk | 13 ++++++++----- ports/ports/gdb.mk | 12 ++++++++---- ports/ports/lighttpd.mk | 10 ++++++++-- ports/ports/lynx.mk | 18 +++++++++++++++--- ports/ports/make.mk | 12 +++++++++--- ports/ports/openssh.mk | 12 +++++++++--- ports/ports/vim.mk | 4 +++- ports/ports/which.mk | 12 +++++++++--- 12 files changed, 105 insertions(+), 36 deletions(-)
diff --git a/ports/ports/bash.mk b/ports/ports/bash.mk
index 9118ed6e7..87b53a7bb 100644
--- a/ports/ports/bash.mk
+++ b/ports/ports/bash.mk
@@ -1,6 +1,10 @@
-BASH = bash-4.1
-BASH_TGZ = $(BASH).tar.gz
-BASH_URL = http://ftp.gnu.org/gnu/bash/$(BASH_TGZ)
+BASH = bash-4.1
+BASH_TGZ = $(BASH).tar.gz
+BASH_SIG = $(BASH_TGZ).sig
+BASH_BASE_URL = http://ftp.gnu.org/gnu/bash
+BASH_URL = $(BASH_BASE_URL)/$(BASH_TGZ)
+BASH_URL_SIG = $(BASH_BASE_URL)/$(BASH_SIG)
+BASH_KEY = GNU
 #
 # Interface to top-level prepare Makefile
@@ -14,6 +18,8 @@ prepare:: $(CONTRIB_DIR)/$(BASH)
 #
 $(DOWNLOAD_DIR)/$(BASH_TGZ):
 $(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(BASH_URL) && touch $@
+ $(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(BASH_URL_SIG) && touch $@
+ $(VERBOSE)$(SIGVERIFIER) $(DOWNLOAD_DIR)/$(BASH_TGZ) $(DOWNLOAD_DIR)/$(BASH_SIG) $(BASH_KEY)
 $(CONTRIB_DIR)/$(BASH): $(DOWNLOAD_DIR)/$(BASH_TGZ)
 $(VERBOSE)tar xfz $< -C $(CONTRIB_DIR) && touch $@
diff --git a/ports/ports/binutils.mk b/ports/ports/binutils.mk
index 7cfbac315..1fe69a2c8 100644
--- a/ports/ports/binutils.mk
+++ b/ports/ports/binutils.mk
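Review bot: A failed signature check in bash.mk's `$(DOWNLOAD_DIR)/$(BASH_TGZ)` rule leaves the unverified tarball in place, so the check is only enforced on the first attempt. The tarball is written and touched by the first recipe line before `$(SIGVERIFIER)` runs, and unless `.DELETE_ON_ERROR:` is set in a makefile not visible here, make keeps the target after the failing command; the next `make prepare` finds the file, skips the rule and untars it unchecked (the same happens when only the `.sig` download fails). Remove both files on failure, e.g. `$(VERBOSE)$(SIGVERIFIER) $@ $(DOWNLOAD_DIR)/$(BASH_SIG) $(BASH_KEY) || ($(RM) $@ $(DOWNLOAD_DIR)/$(BASH_SIG); false)`, or download to a temporary name and rename it to `$@` only after verification succeeds. The same recipe shape is added in binutils.mk, coreutils.mk, findutils.mk, gcc.mk, gdb.mk, lighttpd.mk, make.mk, openssh.mk, which.mk and, with `$(HASHVERIFIER)`, vim.mk.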
@@ -1,6 +1,10 @@
-BINUTILS = binutils-2.22
-BINUTILS_TBZ2 = $(BINUTILS).tar.bz2
-BINUTILS_URL = ftp://ftp.fu-berlin.de/gnu/binutils/$(BINUTILS_TBZ2)
+BINUTILS = binutils-2.22
+BINUTILS_TBZ2 = $(BINUTILS).tar.bz2
+BINUTILS_SIG = $(BINUTILS_TBZ2).sig
+BINUTILS_BASE_URL = ftp://ftp.fu-berlin.de/gnu/binutils
+BINUTILS_URL = $(BINUTILS_BASE_URL)/$(BINUTILS_TBZ2)
+BINUTILS_URL_SIG = $(BINUTILS_BASE_URL)/$(BINUTILS_SIG)
+BINUTILS_KEY = GNU
 #
 # Interface to top-level prepare Makefile
@@ -14,6 +18,8 @@ prepare:: $(CONTRIB_DIR)/$(BINUTILS)
 #
 $(DOWNLOAD_DIR)/$(BINUTILS_TBZ2):
 $(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(BINUTILS_URL) && touch $@
+ $(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(BINUTILS_URL_SIG) && touch $@
+ $(VERBOSE)$(SIGVERIFIER) $(DOWNLOAD_DIR)/$(BINUTILS_TBZ2) $(DOWNLOAD_DIR)/$(BINUTILS_SIG) $(BINUTILS_KEY)
 $(CONTRIB_DIR)/$(BINUTILS): $(DOWNLOAD_DIR)/$(BINUTILS_TBZ2)
 $(VERBOSE)tar xfj $< -C $(CONTRIB_DIR) && touch $@
diff --git a/ports/ports/coreutils.mk b/ports/ports/coreutils.mk
index 522024062..68d35ef7e 100644
--- a/ports/ports/coreutils.mk
+++ b/ports/ports/coreutils.mk
@@ -1,6 +1,10 @@
-COREUTILS = coreutils-8.9
-COREUTILS_TGZ = $(COREUTILS).tar.gz
-COREUTILS_URL = http://ftp.gnu.org/gnu/coreutils/$(COREUTILS_TGZ)
+COREUTILS = coreutils-8.9
+COREUTILS_TGZ = $(COREUTILS).tar.gz
+COREUTILS_SIG = $(COREUTILS_TGZ).sig
+COREUTILS_BASE_URL = http://ftp.gnu.org/gnu/coreutils
+COREUTILS_URL = $(COREUTILS_BASE_URL)/$(COREUTILS_TGZ)
+COREUTILS_URL_SIG = $(COREUTILS_BASE_URL)/$(COREUTILS_SIG)
+COREUTILS_KEY = GNU
 #
 # Interface to top-level prepare Makefile
@@ -14,6 +18,8 @@ prepare:: $(CONTRIB_DIR)/$(COREUTILS)
 #
 $(DOWNLOAD_DIR)/$(COREUTILS_TGZ):
 $(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(COREUTILS_URL) && touch $@
+ $(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(COREUTILS_URL_SIG) && touch $@
+ $(VERBOSE)$(SIGVERIFIER) $(DOWNLOAD_DIR)/$(COREUTILS_TGZ) $(DOWNLOAD_DIR)/$(COREUTILS_SIG) $(COREUTILS_KEY)
 $(CONTRIB_DIR)/$(COREUTILS): $(DOWNLOAD_DIR)/$(COREUTILS_TGZ)
 $(VERBOSE)tar xfz $< -C $(CONTRIB_DIR) && touch $@
diff --git a/ports/ports/findutils.mk b/ports/ports/findutils.mk
index b09d52a0f..97d9775d7 100644
--- a/ports/ports/findutils.mk
+++ b/ports/ports/findutils.mk
@@ -1,6 +1,10 @@
-FINDUTILS = findutils-4.4.2
-FINDUTILS_TGZ = $(FINDUTILS).tar.gz
-FINDUTILS_URL = http://ftp.gnu.org/pub/gnu/findutils/$(FINDUTILS_TGZ)
+FINDUTILS = findutils-4.4.2
+FINDUTILS_TGZ = $(FINDUTILS).tar.gz
+FINDUTILS_SIG = $(FINDUTILS_TGZ).sig
+FINDUTILS_BASE_URL = http://ftp.gnu.org/pub/gnu/findutils
+FINDUTILS_URL = $(FINDUTILS_BASE_URL)/$(FINDUTILS_TGZ)
+FINDUTILS_URL_SIG = $(FINDUTILS_BASE_URL)/$(FINDUTILS_SIG)
+FINDUTILS_KEY = GNU
 #
 # Interface to top-level prepare Makefile
@@ -14,6 +18,8 @@ prepare:: $(CONTRIB_DIR)/$(FINDUTILS)
 #
 $(DOWNLOAD_DIR)/$(FINDUTILS_TGZ):
 $(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(FINDUTILS_URL) && touch $@
+ $(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(FINDUTILS_URL_SIG) && touch $@
+ $(VERBOSE)$(SIGVERIFIER) $(DOWNLOAD_DIR)/$(FINDUTILS_TGZ) $(DOWNLOAD_DIR)/$(FINDUTILS_SIG) $(FINDUTILS_KEY)
 $(CONTRIB_DIR)/$(FINDUTILS): $(DOWNLOAD_DIR)/$(FINDUTILS_TGZ)
 $(VERBOSE)tar xfz $< -C $(CONTRIB_DIR) && touch $@
diff --git a/ports/ports/gcc.mk b/ports/ports/gcc.mk
index 80ce38ac1..8e0d8d8fd 100644
--- a/ports/ports/gcc.mk
+++ b/ports/ports/gcc.mk
@@ -1,8 +1,9 @@
-GCC_VERSION = 4.7.2
-GCC = gcc-$(GCC_VERSION)
-GCC_URL = ftp://ftp.fu-berlin.de/gnu/gcc
-
-GCC_TGZ = gcc-$(GCC_VERSION).tar.gz
+GCC_VERSION = 4.7.2
+GCC = gcc-$(GCC_VERSION)
+GCC_URL = ftp://ftp.fu-berlin.de/gnu/gcc
+GCC_TGZ = gcc-$(GCC_VERSION).tar.gz
+GCC_SIG = $(GCC_TGZ).sig
+GCC_KEY = GNU
 #
 # Interface to top-level prepare Makefile
@@ -17,6 +18,8 @@ prepare:: $(CONTRIB_DIR)/$(GCC)/configure
 $(DOWNLOAD_DIR)/$(GCC_TGZ):
 $(VERBOSE)wget -P $(DOWNLOAD_DIR) $(GCC_URL)/$(GCC)/$(GCC_TGZ) && touch $@
+ $(VERBOSE)wget -P $(DOWNLOAD_DIR) $(GCC_URL)/$(GCC)/$(GCC_SIG) && touch $@
+ $(VERBOSE)$(SIGVERIFIER) $(DOWNLOAD_DIR)/$(GCC_TGZ) $(DOWNLOAD_DIR)/$(GCC_SIG) $(GCC_KEY)
 #
 # Utilities
diff --git a/ports/ports/gdb.mk b/ports/ports/gdb.mk
index 97f1b934f..9baa91c9c 100644
--- a/ports/ports/gdb.mk
+++ b/ports/ports/gdb.mk
@@ -1,7 +1,9 @@
-GDB_VERSION = 7.3.1
-GDB = gdb-$(GDB_VERSION)
-GDB_URL = ftp://ftp.fu-berlin.de/gnu/gdb
-GDB_TBZ2 = gdb-$(GDB_VERSION).tar.bz2
+GDB_VERSION = 7.3.1
+GDB = gdb-$(GDB_VERSION)
+GDB_URL = ftp://ftp.fu-berlin.de/gnu/gdb
+GDB_TBZ2 = gdb-$(GDB_VERSION).tar.bz2
+GDB_SIG = $(GDB_TBZ2).sig
+GDB_KEY = GNU
 # these files are only needed to generate other files in the preparation process
 GDB_CONTENT := gdb/regformats/regdat.sh \
@@ -51,6 +53,8 @@ prepare:: $(CONTRIB_DIR)/$(GDB)/configure generated_files
 $(DOWNLOAD_DIR)/$(GDB_TBZ2):
 $(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(GDB_URL)/$(GDB_TBZ2) && touch $@
+ $(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(GDB_URL)/$(GDB_SIG) && touch $@
+ $(VERBOSE)$(SIGVERIFIER) $(DOWNLOAD_DIR)/$(GDB_TBZ2) $(DOWNLOAD_DIR)/$(GDB_SIG) $(GDB_KEY)
 $(CONTRIB_DIR)/$(GDB): $(DOWNLOAD_DIR)/$(GDB_TBZ2)
 $(VERBOSE)tar xfj $< -C $(CONTRIB_DIR)
diff --git a/ports/ports/lighttpd.mk b/ports/ports/lighttpd.mk
index 09bd4a1f6..c9b3c850e 100644
--- a/ports/ports/lighttpd.mk
+++ b/ports/ports/lighttpd.mk
@@ -1,7 +1,11 @@
 include ports/lighttpd.inc
-LIGHTTPD_TGZ = $(LIGHTTPD).tar.gz
-LIGHTTPD_URL = http://download.lighttpd.net/lighttpd/releases-1.4.x/$(LIGHTTPD_TGZ)
+LIGHTTPD_TGZ = $(LIGHTTPD).tar.gz
+LIGHTTPD_SIG = $(LIGHTTPD_TGZ).asc
+LIGHTTPD_BASE_URL = http://download.lighttpd.net/lighttpd/releases-1.4.x
+LIGHTTPD_URL = $(LIGHTTPD_BASE_URL)/$(LIGHTTPD_TGZ)
+LIGHTTPD_URL_SIG = $(LIGHTTPD_BASE_URL)/$(LIGHTTPD_SIG)
+LIGHTTPD_KEY = stbuehler@lighttpd.net
 #
 # Interface to top-level prepare Makefile
@@ -15,6 +19,8 @@ prepare:: $(CONTRIB_DIR)/$(LIGHTTPD)
 #
 $(DOWNLOAD_DIR)/$(LIGHTTPD_TGZ):
 $(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(LIGHTTPD_URL) && touch $@
+ $(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(LIGHTTPD_URL_SIG) && touch $@
+ $(VERBOSE)$(SIGVERIFIER) $(DOWNLOAD_DIR)/$(LIGHTTPD_TGZ) $(DOWNLOAD_DIR)/$(LIGHTTPD_SIG) $(LIGHTTPD_KEY)
 $(CONTRIB_DIR)/$(LIGHTTPD): $(DOWNLOAD_DIR)/$(LIGHTTPD_TGZ)
 $(VERBOSE)tar xfz $< -C $(CONTRIB_DIR) && touch $@
diff --git a/ports/ports/lynx.mk b/ports/ports/lynx.mk
index 8b3cb06e6..b3a3f3c07 100644
--- a/ports/ports/lynx.mk
+++ b/ports/ports/lynx.mk
@@ -1,6 +1,10 @@
-LYNX = lynx-2.8.8.dev12
-LYNX_TGZ = $(LYNX).tar.gz
-LYNX_URL = http://lynx.isc.org/gnumatic/$(LYNX_TGZ)
+LYNX = lynx-2.8.8.dev12
+LYNX_TGZ = $(LYNX).tar.gz
+LYNX_SIG = $(LYNX_TGZ).asc
+LYNX_URL = http://lynx.isc.org/gnumatic/$(LYNX_TGZ)
+LYNX_URL_SIG = UNKOWN/$(LYNX_SIG)
+LYNX_KEY = dickey@sf1.isc.org
+
 #
 # Interface to top-level prepare Makefile
 #
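Review bot: `LIGHTTPD_KEY = stbuehler@lighttpd.net` in lighttpd.mk's first hunk names the signer by e-mail address, which is a weaker anchor than the full fingerprint this patch uses for `OPENSSH_KEY` in openssh.mk. A user ID is free text that anyone can place on a key they generate, so if `$(SIGVERIFIER)` (not part of this patch) resolves its third argument by user-ID lookup, a signature from a look-alike key could be accepted. Pin the full fingerprint of the release key instead, `LIGHTTPD_KEY = <full-fingerprint-of-lighttpd-release-key>`, and do the same for `LYNX_KEY = dickey@sf1.isc.org` in lynx.mk. What the `GNU` value selects in the GNU ports should be documented next to the verifier so a reader can tell which keys are trusted.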
@@ -13,6 +17,14 @@ prepare:: $(CONTRIB_DIR)/$(LYNX)
 #
 $(DOWNLOAD_DIR)/$(LYNX_TGZ):
 $(VERBOSE)wget -c -P $(DOWNLOAD_DIR) -O $@ $(LYNX_URL) && touch $@
+ #$(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(LYNX_URL_SIG) && touch $@
+ #
+ # XXX The current source of the lynx tarball does not contain the signature
+ # file. The official location contains the signature. Thus, upon
+ # switching to the official location, the signature check can be
+ # enabled.
+ #
+ #$(VERBOSE)$(SIGVERIFIER) $(DOWNLOAD_DIR)/$(LYNX_TGZ) $(DOWNLOAD_DIR)/$(LYNX_SIG) $(LYNX_KEY)
 $(CONTRIB_DIR)/$(LYNX): $(DOWNLOAD_DIR)/$(LYNX_TGZ)
 $(VERBOSE)tar xfz $< -C $(CONTRIB_DIR) && touch $@
diff --git a/ports/ports/make.mk b/ports/ports/make.mk
index c71fb97ad..5df5a5aef 100644
--- a/ports/ports/make.mk
+++ b/ports/ports/make.mk
@@ -1,6 +1,10 @@
-GNUMAKE = make-3.82
-GNUMAKE_TGZ = $(GNUMAKE).tar.gz
-GNUMAKE_URL = http://ftp.gnu.org/pub/gnu/make/$(GNUMAKE_TGZ)
+GNUMAKE = make-3.82
+GNUMAKE_TGZ = $(GNUMAKE).tar.gz
+GNUMAKE_SIG = $(GNUMAKE_TGZ).sig
+GNUMAKE_BASE_URL = http://ftp.gnu.org/pub/gnu/make
+GNUMAKE_URL = $(GNUMAKE_BASE_URL)/$(GNUMAKE_TGZ)
+GNUMAKE_URL_SIG = $(GNUMAKE_BASE_URL)/$(GNUMAKE_SIG)
+GNUMAKE_KEY = GNU
 #
 # Interface to top-level prepare Makefile
@@ -14,6 +18,8 @@ prepare:: $(CONTRIB_DIR)/$(GNUMAKE)
 #
 $(DOWNLOAD_DIR)/$(GNUMAKE_TGZ):
 $(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(GNUMAKE_URL) && touch $@
+ $(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(GNUMAKE_URL_SIG) && touch $@
+ $(VERBOSE)$(SIGVERIFIER) $(DOWNLOAD_DIR)/$(GNUMAKE_TGZ) $(DOWNLOAD_DIR)/$(GNUMAKE_SIG) $(GNUMAKE_KEY)
 $(CONTRIB_DIR)/$(GNUMAKE): $(DOWNLOAD_DIR)/$(GNUMAKE_TGZ)
 $(VERBOSE)tar xfz $< -C $(CONTRIB_DIR) && touch $@
diff --git a/ports/ports/openssh.mk b/ports/ports/openssh.mk
index 3f15a32a5..e0b3d782e 100644
--- a/ports/ports/openssh.mk
+++ b/ports/ports/openssh.mk
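Review bot: lynx.mk still unpacks a tarball fetched over plain HTTP with no integrity check at all, because both the signature download and the `$(SIGVERIFIER)` call in its second hunk are added commented out. Until the official location is used, pin a digest of a copy that was checked once against the upstream signature and verify it the way vim.mk does in this patch, e.g. `$(VERBOSE)$(HASHVERIFIER) $@ $(LYNX_SHA256) sha256` with `LYNX_SHA256 = <sha256-of-verified-tarball>`, assuming `$(HASHVERIFIER)` accepts an algorithm other than the `md5` seen in vim.mk. If the commented lines are tab-indented inside the recipe (indentation is not recoverable from this page), make hands them to the shell and echoes them on every run, so the XXX note is better placed above the rule. `LYNX_URL_SIG = UNKOWN/$(LYNX_SIG)` in the first hunk is a misspelled placeholder that would produce a non-URL if the wget line were simply uncommented.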
@@ -1,6 +1,10 @@
-OPENSSH = openssh-6.1p1
-OPENSSH_TGZ = $(OPENSSH).tar.gz
-OPENSSH_URL = ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$(OPENSSH).tar.gz
+OPENSSH = openssh-6.1p1
+OPENSSH_TGZ = $(OPENSSH).tar.gz
+OPENSSH_SIG = $(OPENSSH_TGZ).asc
+OPENSSH_BASE_URL = ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/
+OPENSSH_URL = $(OPENSSH_BASE_URL)/$(OPENSSH_TGZ)
+OPENSSH_URL_SIG = $(OPENSSH_BASE_URL)/$(OPENSSH_SIG)
+OPENSSH_KEY = 3981992A1523ABA079DBFC66CE8ECB0386FF9C48
 #
 # Interface to top-level prepare Makefile
@@ -14,6 +18,8 @@ prepare:: $(CONTRIB_DIR)/$(OPENSSH)
 #
 $(DOWNLOAD_DIR)/$(OPENSSH_TGZ):
 $(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(OPENSSH_URL) && touch $@
+ $(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(OPENSSH_URL_SIG) && touch $@
+ $(VERBOSE)$(SIGVERIFIER) $(DOWNLOAD_DIR)/$(OPENSSH_TGZ) $(DOWNLOAD_DIR)/$(OPENSSH_SIG) $(OPENSSH_KEY)
 $(CONTRIB_DIR)/$(OPENSSH): $(DOWNLOAD_DIR)/$(OPENSSH_TGZ)
 $(VERBOSE)tar xfz $< -C $(CONTRIB_DIR) && touch $@
diff --git a/ports/ports/vim.mk b/ports/ports/vim.mk
index b5e8c8875..d878f4a96 100644
--- a/ports/ports/vim.mk
+++ b/ports/ports/vim.mk
@@ -1,7 +1,8 @@
 VIM = vim-7.3
 VIM_TBZ2 = $(VIM).tar.bz2
 VIM_URL = ftp://ftp.vim.org/pub/vim/unix/$(VIM_TBZ2)
-
+# from ftp://ftp.vim.org/pub/vim/unix/MD5SUMS
+VIM_MD5 = 5b9510a17074e2b37d8bb38ae09edbf2
 #
 # Interface to top-level prepare Makefile
 #
@@ -19,6 +20,7 @@ prepare:: $(CONTRIB_DIR)/$(VIM)
 #
 $(DOWNLOAD_DIR)/$(VIM_TBZ2):
 $(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(VIM_URL) && touch $@
+ $(VERBOSE)$(HASHVERIFIER) $(DOWNLOAD_DIR)/$(VIM_TBZ2) $(VIM_MD5) md5
 $(CONTRIB_DIR)/$(VIM): $(DOWNLOAD_DIR)/$(VIM_TBZ2)
 $(VERBOSE)tar xfj $< -C $(CONTRIB_DIR)
diff --git a/ports/ports/which.mk b/ports/ports/which.mk
index 802d51c95..834bd7f64 100644
--- a/ports/ports/which.mk
+++ b/ports/ports/which.mk
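Review bot: vim.mk pins an MD5 digest, and MD5 no longer offers collision resistance, so `VIM_MD5` is a weak anchor for third-party code. The trailing `md5` argument in `$(HASHVERIFIER) $(DOWNLOAD_DIR)/$(VIM_TBZ2) $(VIM_MD5) md5` suggests the algorithm is selectable; if so, pin a SHA-256 instead, `VIM_SHA256 = <sha256-of-vim-7.3-tarball>` with `sha256` as the last argument. The comment above the variable should also say how the value was cross-checked, since the MD5SUMS file it cites comes from the same FTP server over the same unauthenticated transport as the tarball.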
@@ -1,6 +1,10 @@
-WHICH = which-2.20
-WHICH_TGZ = $(WHICH).tar.gz
-WHICH_URL = http://ftp.gnu.org/gnu/which/$(WHICH_TGZ)
+WHICH = which-2.20
+WHICH_TGZ = $(WHICH).tar.gz
+WHICH_SIG = $(WHICH_TGZ).sig
+WHICH_BASE_URL = http://ftp.gnu.org/gnu/which
+WHICH_URL = $(WHICH_BASE_URL)/$(WHICH_TGZ)
+WHICH_URL_SIG = $(WHICH_BASE_URL)/$(WHICH_SIG)
+WHICH_KEY = GNU
 #
 # Interface to top-level prepare Makefile
 #
@@ -13,6 +17,8 @@ prepare:: $(CONTRIB_DIR)/$(WHICH)
 #
 $(DOWNLOAD_DIR)/$(WHICH_TGZ):
 $(VERBOSE)wget -c -P $(DOWNLOAD_DIR) -O $@ $(WHICH_URL) && touch $@
+ $(VERBOSE)wget -c -P $(DOWNLOAD_DIR) $(WHICH_URL_SIG) && touch $@
+ $(VERBOSE)$(SIGVERIFIER) $@ $(DOWNLOAD_DIR)/$(WHICH_SIG) $(WHICH_KEY)
 $(CONTRIB_DIR)/$(WHICH): $(DOWNLOAD_DIR)/$(WHICH_TGZ)
 $(VERBOSE)tar xfz $< -C $(CONTRIB_DIR) && touch $@