• [gentoo-dev] [PATCH 2/3] verify-sig.eclass: Support `openssl dgst` form

    From Michał Górny@21:1/5 to All on Mon Sep 4 04:00:02 2023
    Signed-off-by: Michał Górny <mgorny@gentoo.org>
    ---
    eclass/tests/verify-sig.sh | 18 ++++++++++++++
    eclass/verify-sig.eclass | 51 +++++++++++++++++++++++++-------------
    2 files changed, 52 insertions(+), 17 deletions(-)

    diff --git a/eclass/tests/verify-sig.sh b/eclass/tests/verify-sig.sh
    index fcd2ee7480a2..fb7f2cdb2a5d 100755
    --- a/eclass/tests/verify-sig.sh
    +++ b/eclass/tests/verify-sig.sh
    @@ -62,4 +62,22 @@ EOF
    test_verify_unsigned_checksums sha256
    eoutdent

    +einfo "Testing openssl-dgst format."
    +eindent
    +
    "annoying ( filename )= yes ).txt" || die
    +
    +cat > checksums.txt <<-EOF || die
    + junk text that ought to be ignored
    +
    + SHA256(empty)=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    + SHA256(text)= b47cc0f104b62d4c7c30bcd68fd8e67613e287dc4ad8c310ef10cbadea9c4380
    + SHA256(fail)=b47cc0f104b62d4c7c30bcd68fd8e67613e287dc4ad8c310ef10cbadea9c4380
    +
    + SHA256(annoying ( filename )= yes )= e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    +EOF
    +
    +test_verify_unsigned_checksums openssl-dgst
  • From Ulrich Mueller@21:1/5 to when the documentation now on Mon Sep 4 08:50:01 2023
    On Mon, 04 Sep 2023, Michał Górny wrote:

    --- a/eclass/verify-sig.eclass
    +++ b/eclass/verify-sig.eclass
    @@ -214,12 +214,15 @@ verify-sig_verify_message() {
    }

    # @FUNCTION: verify-sig_verify_unsigned_checksums
    -# @USAGE: <checksum-file> <algo> <files>
    +# @USAGE: <checksum-file> <format> <files>

    Below, verify-sig_verify_signed_checksums() still says "algo", change
    that too for consistency?

    # @DESCRIPTION:
    # Verify the checksums for all files listed in the space-separated list
    -# <files> (akin to ${A}) using a <checksum-file>. <algo> specifies
    -# the checksum algorithm (e.g. sha256). <checksum-file> can be "-"
    -# for stdin.
    +# <files> (akin to ${A}) using a <checksum-file>. <format> specifies
    +# the checksum file format. <checksum-file> can be "-" for stdin.
    +#
    +# The following formats are supported:
    +# - sha256 -- sha256sum (<hash> <filename>)
    +# - openssl-dgst -- openssl dgst (<algo>(<filename>)=<hash>)

    This won't be rendered as a list in the man page, but will be rewrapped
    as a paragraph. (Putting a space before the "-" will help.)

    The existing variable documentation of VERIFY_SIG_METHOD suffers from
    the same problem, BTW.

    #
    # The function dies if one of the files does not match checksums or
    # is missing from the checksum file.
    @@ -234,32 +237,46 @@ verify-sig_verify_unsigned_checksums() {
    local algo=${2}

    Maybe rename the variable to "format", when the documentation now says
    that the second parameter specifies the format?

    local files=()
    read -r -d '' -a files <<<"${3}"
    - local chksum_prog chksum_len
    + local chksum_prog chksum_len format=coreutils

    And rename this one too. (I don't find it intuitive for a checksum
    format to be named "coreutils", when coreutils provides cksum, md5sum,
    b2sum, etc.)


    case ${algo} in
    sha256)
    - chksum_prog=sha256sum
    chksum_len=64
    ;;
    + openssl-dgst)
    + format=${algo}
    + ;;
    *)
    - die "${FUNCNAME}: unknown checksum algo ${algo}"
    + die "${FUNCNAME}: unknown checksum format ${algo}"
    ;;
    esac

    [[ ${checksum_file} == - ]] && checksum_file=/dev/stdin
    - local checksum filename junk ret=0 count=0
    - while read -r checksum filename junk; do
    - if [[ ${checksum} == "-----BEGIN" ]]; then
    + local line checksum filename junk ret=0 count=0
    + while read -r line; do
    + if [[ ${line} == "-----BEGIN"* ]]; then
    die "${FUNCNAME}: PGP armor found, use verify-sig_verify_signed_checksums instead"
    fi

    - [[ ${#checksum} -eq ${chksum_len} ]] || continue
    - [[ -z ${checksum//[0-9a-f]} ]] || continue
    - has "$(unknown)" "${files[@]}" || continue
    - [[ -z ${junk} ]] || continue
    -
    - "${chksum_prog}" -c --strict - <<<"${checksum} $(unknown)"
    - if [[ ${?} -eq 0 ]]; then
    + case ${format} in
    + coreutils)
    + read -r checksum filename junk <<<"${line}"
    + [[ ${#checksum} -ne ${chksum_len} ]] && continue
    + [[ -n ${checksum//[0-9a-f]} ]] && continue
    + [[ -n ${junk} ]] && continue
    + ;;
    + openssl-dgst)
    + [[ ${line} != *"("*")="* ]] && continue
    + checksum=${line##*)=}
    + algo=${line%%(*}
    + filename=${line#*(}
    + filename=${filename%)=*}
    + ;;
    + esac
    +
    + ! has "$(unknown)" "${files[@]}" && continue

    This might be clearer if it was written as:

    has "$(unknown)" "${files[@]}" || continue

    +
    + if "${algo,,}sum" -c --strict - <<<"${checksum} $(unknown)"; then
    (( count++ ))
    else
    ret=1
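Review bot: In the openssl-dgst branch the digest name is read from the file under verification (`algo=${line%%(*}`) and then used to choose the program that checks it (`"${algo,,}sum" -c --strict -`), so whoever controls the checksum file also controls the verifier: a `MD5(file)=…` or `SHA1(file)=…` line silently downgrades the check, and any text before `(` becomes part of the command name, including a path. The `sha256` format pins the algorithm through the function's second argument, but openssl-dgst does not, and that branch also skips the length and hex sanity checks the coreutils branch performs. Restrict the accepted names before the `has` lookup, e.g. `case ${algo,,} in sha256|sha512) ;; *) continue ;; esac`, so an unsupported digest leaves the file "missing from the checksum file" and the existing die path handles it, and state in the function description which digests openssl-dgst accepts. The `$(unknown)` in the quoted lines looks like an archive rendering artifact standing in for the filename variable, and verify-sig_verify_unsigned_checksums continues past the end of this hunk.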


    From Michał Górny@21:1/5 to All on Fri Sep 8 12:10:01 2023
    On Fri, 2023-09-08 at 12:03 +0200, Michał Górny wrote:
    On Mon, 2023-09-04 at 08:42 +0200, Ulrich Mueller wrote:
    On Mon, 04 Sep 2023, Michał Górny wrote:

    --- a/eclass/verify-sig.eclass
    +++ b/eclass/verify-sig.eclass
    @@ -214,12 +214,15 @@ verify-sig_verify_message() {
     }
     



     # @FUNCTION: verify-sig_verify_unsigned_checksums
    -# @USAGE: <checksum-file> <algo> <files>
    +# @USAGE: <checksum-file> <format> <files>

    Below, verify-sig_verify_signed_checksums() still says "algo", change
    that too for consistency?

    If I must.


     # @DESCRIPTION:
     # Verify the checksums for all files listed in the space-separated list
    -# <files> (akin to ${A}) using a <checksum-file>. <algo> specifies
    -# the checksum algorithm (e.g. sha256). <checksum-file> can be "-"
    -# for stdin.
    +# <files> (akin to ${A}) using a <checksum-file>. <format> specifies
    +# the checksum file format. <checksum-file> can be "-" for stdin.
    +#
    +# The following formats are supported:
    +# - sha256 -- sha256sum (<hash> <filename>)
    +# - openssl-dgst -- openssl dgst (<algo>(<filename>)=<hash>)

    This won't be rendered as a list in the man page, but will be rewrapped
    as a paragraph. (Putting a space before the "-" will help.)

    The existing variable documentation of VERIFY_SIG_METHOD suffers from
    the same problem, BTW.

    Hmm, I can't get it to work with the space either. Whatever I do, eclass-to-manpage.awk seems to copy it verbatim.


    Nevermind, now I see that it's meaningful to groff. For some reason, I
    thought eclass-to-manpage will use some magical sequences.

    --
    Best regards,
    Michał Górny

    From Michał Górny@21:1/5 to Ulrich Mueller on Fri Sep 8 12:10:01 2023
    On Mon, 2023-09-04 at 08:42 +0200, Ulrich Mueller wrote:
    On Mon, 04 Sep 2023, Michał Górny wrote:

    --- a/eclass/verify-sig.eclass
    +++ b/eclass/verify-sig.eclass
    @@ -214,12 +214,15 @@ verify-sig_verify_message() {
     }
     



     # @FUNCTION: verify-sig_verify_unsigned_checksums
    -# @USAGE: <checksum-file> <algo> <files>
    +# @USAGE: <checksum-file> <format> <files>

    Below, verify-sig_verify_signed_checksums() still says "algo", change
    that too for consistency?

    If I must.


     # @DESCRIPTION:
     # Verify the checksums for all files listed in the space-separated list
    -# <files> (akin to ${A}) using a <checksum-file>. <algo> specifies
    -# the checksum algorithm (e.g. sha256). <checksum-file> can be "-"
    -# for stdin.
    +# <files> (akin to ${A}) using a <checksum-file>. <format> specifies
    +# the checksum file format. <checksum-file> can be "-" for stdin.
    +#
    +# The following formats are supported:
    +# - sha256 -- sha256sum (<hash> <filename>)
    +# - openssl-dgst -- openssl dgst (<algo>(<filename>)=<hash>)

    This won't be rendered as a list in the man page, but will be rewrapped
    as a paragraph. (Putting a space before the "-" will help.)

    The existing variable documentation of VERIFY_SIG_METHOD suffers from
    the same problem, BTW.

    Hmm, I can't get it to work with the space either. Whatever I do, eclass-to-manpage.awk seems to copy it verbatim.


     #
     # The function dies if one of the files does not match checksums or
     # is missing from the checksum file.
    @@ -234,32 +237,46 @@ verify-sig_verify_unsigned_checksums() {
      local algo=${2}

    Maybe rename the variable to "format", when the documentation now says
    that the second parameter specifies the format?

      local files=()
      read -r -d '' -a files <<<"${3}"
    - local chksum_prog chksum_len
    + local chksum_prog chksum_len format=coreutils

    And rename this one too. (I don't find it intuitive for a checksum
    format to be named "coreutils", when coreutils provides cksum, md5sum,
    b2sum, etc.)


      case ${algo} in
      sha256)
    - chksum_prog=sha256sum
      chksum_len=64
      ;;
    + openssl-dgst)
    + format=${algo}
    + ;;
      *)
    - die "${FUNCNAME}: unknown checksum algo ${algo}"
    + die "${FUNCNAME}: unknown checksum format ${algo}"
      ;;
      esac

      [[ ${checksum_file} == - ]] && checksum_file=/dev/stdin
    - local checksum filename junk ret=0 count=0
    - while read -r checksum filename junk; do
    - if [[ ${checksum} == "-----BEGIN" ]]; then
    + local line checksum filename junk ret=0 count=0
    + while read -r line; do
    + if [[ ${line} == "-----BEGIN"* ]]; then
      die "${FUNCNAME}: PGP armor found, use verify-sig_verify_signed_checksums instead"
      fi

    - [[ ${#checksum} -eq ${chksum_len} ]] || continue
    - [[ -z ${checksum//[0-9a-f]} ]] || continue
    - has "$(unknown)" "${files[@]}" || continue
    - [[ -z ${junk} ]] || continue
    -
    - "${chksum_prog}" -c --strict - <<<"${checksum} $(unknown)"
    - if [[ ${?} -eq 0 ]]; then
    + case ${format} in
    + coreutils)
    + read -r checksum filename junk <<<"${line}"
    + [[ ${#checksum} -ne ${chksum_len} ]] && continue
    + [[ -n ${checksum//[0-9a-f]} ]] && continue
    + [[ -n ${junk} ]] && continue
    + ;;
    + openssl-dgst)
    + [[ ${line} != *"("*")="* ]] && continue
    + checksum=${line##*)=}
    + algo=${line%%(*}
    + filename=${line#*(}
    + filename=${filename%)=*}
    + ;;
    + esac
    +
    + ! has "$(unknown)" "${files[@]}" && continue

    This might be clearer if it was written as:

    has "$(unknown)" "${files[@]}" || continue

    Negative logic is never clearer.


    +
    + if "${algo,,}sum" -c --strict - <<<"${checksum} $(unknown)"; then
      (( count++ ))
      else
      ret=1

    --
    Best regards,
    Michał Górny

  • From Ulrich Mueller@21:1/5 to All on Fri Sep 8 15:10:01 2023
    On Fri, 08 Sep 2023, Michał Górny wrote:

    + ! has "$(unknown)" "${files[@]}" && continue

    This might be clearer if it was written as:

    has "$(unknown)" "${files[@]}" || continue

    Negative logic is never clearer.

    Exactly. That's why we generally do "command || die" rather than
    "! command && die".

