mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
GPG verification for all platform repositories
Signed-off-by: Tad <tad@spotco.us>
parent
7854c05aa4
commit
3618774d9f
BIN
Misc/pubring.kbx
BIN
Misc/pubring.kbx
Binary file not shown.
@ -21,6 +21,17 @@ startPatcher() {
|
||||
}
|
||||
export -f startPatcher;
|
||||
|
||||
resetWorkspace() {
|
||||
umask 0022;
|
||||
repo forall -c 'git add -A && git reset --hard' && rm -rf out DOS_PATCHED_FLAG && repo sync -j8 --force-sync --detach;
|
||||
}
|
||||
export -f resetWorkspace;
|
||||
|
||||
verifyAllTags() {
|
||||
repo forall -c 'source $DOS_WORKSPACE_ROOT/Scripts/Common/Tag_Verifier.sh && verifyTagIfPossible $REPO_PROJECT $REPO_PATH';
|
||||
}
|
||||
export -f verifyAllTags;
|
||||
|
||||
enter() {
|
||||
echo "================================================================================================"
|
||||
local dir="$1";
|
||||
|
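Review bot: verifyAllTags needs a comment stating its real scope, which is narrower than the name suggests. Going by Tag_Verifier.sh in this commit, only projects named `platform/*` whose HEAD is exactly on a tag are checked, and every other project is skipped without any output. Something like `#Checks the signed tag at HEAD of each platform/* project, all other projects are skipped` above the function would do. The three variables in the command string are also expanded unquoted by the shell that repo starts; `source "$DOS_WORKSPACE_ROOT/Scripts/Common/Tag_Verifier.sh" && verifyTagIfPossible "$REPO_PROJECT" "$REPO_PATH"` avoids word splitting.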
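--- /dev/null
+++ b/Scripts/Common/Tag_Verifier.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+#DivestOS: A privacy focused mobile distribution
+#Copyright (c) 2022 Divested Computing Group
+#
+#This program is free software: you can redistribute it and/or modify
+#it under the terms of the GNU General Public License as published by
+#the Free Software Foundation, either version 3 of the License, or
+#(at your option) any later version.
+#
+#This program is distributed in the hope that it will be useful,
+#but WITHOUT ANY WARRANTY; without even the implied warranty of
+#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#GNU General Public License for more details.
+#
+#You should have received a copy of the GNU General Public License
+#along with this program. If not, see <https://www.gnu.org/licenses/>.
+umask 0022;
+set -uo pipefail;
+source "$DOS_SCRIPTS_COMMON/Shell.sh";
+
+gpgVerifyGitTag() {
+if [ -r "$DOS_TMP_GNUPG/pubring.kbx" ]; then
+if git -C "$1" verify-tag "$2" &>/dev/null; then
+echo -e "\e[0;32mGPG Verified Git Tag Successfully: $1\e[0m";
+else
+echo -e "\e[0;31mWARNING: GPG Verification of Git Tag Failed: $1\e[0m";
+#sleep 60;
+fi;
+#git -C $1 log --show-signature -1;
+else
+echo -e "\e[0;33mWARNING: keyring is unavailable, GPG verification of $1 will not be performed!\e[0m";
+fi;
+}
+export -f gpgVerifyGitHead;
+
+verifyTagIfPossible() {
+if [[ "$1" == "platform/"* ]]; then
+tagMatch=$(git -C "$DOS_BUILD_BASE$2" describe --exact-match HEAD);
+if [ ! -z "$tagMatch" ]; then
+gpgVerifyGitTag "$DOS_BUILD_BASE$2" "$tagMatch";
+else
+echo -e "\e[0;33mWARNING: No tag match for $2 \e[0m";
+fi;
+fi;
+}
+export -f verifyTagIfPossible;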
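Review bot: gpgVerifyGitTag reports a failed `git verify-tag` with a warning only and still returns success, so verifyTagIfPossible and the `repo forall` that drives it cannot stop a build on a tag whose signature does not verify; the missing-keyring branch behaves the same way. If verification is meant to gate the build, add `return 1;` after the failure `echo` and let the caller abort on it; if it is advisory by design, a comment saying so would keep it from being read as enforcement. Separately, the line after the function is `export -f gpgVerifyGitHead;`, but the function defined here is gpgVerifyGitTag, so it should read `export -f gpgVerifyGitTag;`. The success test also relies on git finding the keyring checked at `$DOS_TMP_GNUPG/pubring.kbx`; nothing in this file points GnuPG at that directory, so presumably GNUPGHOME is set elsewhere, which is worth confirming.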
@ -23,12 +23,6 @@ patchAllKernels() {
|
||||
}
|
||||
export -f patchAllKernels;
|
||||
|
||||
resetWorkspace() {
|
||||
umask 0022;
|
||||
repo forall -c 'git add -A && git reset --hard' && rm -rf out DOS_PATCHED_FLAG && repo sync -j8 --force-sync --detach;
|
||||
}
|
||||
export -f resetWorkspace;
|
||||
|
||||
scanWorkspaceForMalware() {
|
||||
local scanQueue="$DOS_BUILD_BASE/abi $DOS_BUILD_BASE/android $DOS_BUILD_BASE/art $DOS_BUILD_BASE/bionic $DOS_BUILD_BASE/bootable $DOS_BUILD_BASE/build $DOS_BUILD_BASE/dalvik $DOS_BUILD_BASE/device $DOS_BUILD_BASE/hardware $DOS_BUILD_BASE/libcore $DOS_BUILD_BASE/libnativehelper $DOS_BUILD_BASE/ndk $DOS_BUILD_BASE/packages $DOS_BUILD_BASE/pdk $DOS_BUILD_BASE/platform_testing $DOS_BUILD_BASE/sdk $DOS_BUILD_BASE/system";
|
||||
scanQueue=$scanQueue" $DOS_BUILD_BASE/vendor/cm $DOS_BUILD_BASE/vendor/cmsdk";
|
||||
@ -106,6 +100,9 @@ patchWorkspace() {
|
||||
cd "$DOS_BUILD_BASE$1";
|
||||
touch DOS_PATCHED_FLAG;
|
||||
if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/cm"; fi;
|
||||
verifyAllTags;
|
||||
gpgVerifyGitHead $DOS_BUILD_BASE"external/chromium-webview";
|
||||
|
||||
source build/envsetup.sh;
|
||||
#repopick -it bt-sbc-hd-dualchannel-nougat;
|
||||
repopick -i 315718; #CVE-2021-1957
|
||||
|
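Review bot: In patchWorkspace the argument `$DOS_BUILD_BASE"external/chromium-webview"` leaves the variable outside the quotes, so a build base containing spaces or glob characters would be split before gpgVerifyGitHead sees it; `"${DOS_BUILD_BASE}external/chromium-webview"` keeps it as one word. The same line appears in the patchWorkspace hunks of the five sections that follow. patchWorkspace begins and ends outside the hunk, and from the line counts this call looks to be added together with `verifyAllTags;`, though the page no longer marks which lines are new.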
@ -23,12 +23,6 @@ patchAllKernels() {
|
||||
}
|
||||
export -f patchAllKernels;
|
||||
|
||||
resetWorkspace() {
|
||||
umask 0022;
|
||||
repo forall -c 'git add -A && git reset --hard' && rm -rf out DOS_PATCHED_FLAG && repo sync -j8 --force-sync --detach;
|
||||
}
|
||||
export -f resetWorkspace;
|
||||
|
||||
scanWorkspaceForMalware() {
|
||||
local scanQueue="$DOS_BUILD_BASE/android $DOS_BUILD_BASE/art $DOS_BUILD_BASE/bionic $DOS_BUILD_BASE/bootable $DOS_BUILD_BASE/build $DOS_BUILD_BASE/compatibility $DOS_BUILD_BASE/dalvik $DOS_BUILD_BASE/device $DOS_BUILD_BASE/hardware $DOS_BUILD_BASE/libcore $DOS_BUILD_BASE/libnativehelper $DOS_BUILD_BASE/packages $DOS_BUILD_BASE/pdk $DOS_BUILD_BASE/platform_testing $DOS_BUILD_BASE/sdk $DOS_BUILD_BASE/system";
|
||||
scanQueue=$scanQueue" $DOS_BUILD_BASE/lineage-sdk $DOS_BUILD_BASE/vendor/lineage";
|
||||
@ -85,6 +79,8 @@ patchWorkspace() {
|
||||
cd "$DOS_BUILD_BASE$1";
|
||||
touch DOS_PATCHED_FLAG;
|
||||
if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi;
|
||||
verifyAllTags;
|
||||
gpgVerifyGitHead $DOS_BUILD_BASE"external/chromium-webview";
|
||||
|
||||
#source build/envsetup.sh;
|
||||
|
||||
|
@ -23,12 +23,6 @@ patchAllKernels() {
|
||||
}
|
||||
export -f patchAllKernels;
|
||||
|
||||
resetWorkspace() {
|
||||
umask 0022;
|
||||
repo forall -c 'git add -A && git reset --hard' && rm -rf out DOS_PATCHED_FLAG && repo sync -j8 --force-sync --detach;
|
||||
}
|
||||
export -f resetWorkspace;
|
||||
|
||||
scanWorkspaceForMalware() {
|
||||
local scanQueue="$DOS_BUILD_BASE/android $DOS_BUILD_BASE/art $DOS_BUILD_BASE/bionic $DOS_BUILD_BASE/bootable $DOS_BUILD_BASE/build $DOS_BUILD_BASE/compatibility $DOS_BUILD_BASE/dalvik $DOS_BUILD_BASE/device $DOS_BUILD_BASE/hardware $DOS_BUILD_BASE/libcore $DOS_BUILD_BASE/libnativehelper $DOS_BUILD_BASE/packages $DOS_BUILD_BASE/pdk $DOS_BUILD_BASE/platform_testing $DOS_BUILD_BASE/sdk $DOS_BUILD_BASE/system";
|
||||
scanQueue=$scanQueue" $DOS_BUILD_BASE/lineage-sdk $DOS_BUILD_BASE/vendor/lineage";
|
||||
@ -77,6 +71,8 @@ patchWorkspace() {
|
||||
cd "$DOS_BUILD_BASE$1";
|
||||
touch DOS_PATCHED_FLAG;
|
||||
if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi;
|
||||
verifyAllTags;
|
||||
gpgVerifyGitHead $DOS_BUILD_BASE"external/chromium-webview";
|
||||
|
||||
source build/envsetup.sh;
|
||||
#repopick -it pie-firewall;
|
||||
|
@ -23,12 +23,6 @@ patchAllKernels() {
|
||||
}
|
||||
export -f patchAllKernels;
|
||||
|
||||
resetWorkspace() {
|
||||
umask 0022;
|
||||
repo forall -c 'git add -A && git reset --hard' && rm -rf out DOS_PATCHED_FLAG && repo sync -j8 --force-sync --detach;
|
||||
}
|
||||
export -f resetWorkspace;
|
||||
|
||||
scanWorkspaceForMalware() {
|
||||
local scanQueue="$DOS_BUILD_BASE/android $DOS_BUILD_BASE/art $DOS_BUILD_BASE/bionic $DOS_BUILD_BASE/bootable $DOS_BUILD_BASE/build $DOS_BUILD_BASE/dalvik $DOS_BUILD_BASE/device $DOS_BUILD_BASE/hardware $DOS_BUILD_BASE/libcore $DOS_BUILD_BASE/libnativehelper $DOS_BUILD_BASE/packages $DOS_BUILD_BASE/pdk $DOS_BUILD_BASE/platform_testing $DOS_BUILD_BASE/sdk $DOS_BUILD_BASE/system";
|
||||
scanQueue=$scanQueue" $DOS_BUILD_BASE/lineage-sdk $DOS_BUILD_BASE/vendor/lineage";
|
||||
@ -83,6 +77,8 @@ patchWorkspace() {
|
||||
cd "$DOS_BUILD_BASE$1";
|
||||
touch DOS_PATCHED_FLAG;
|
||||
if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi;
|
||||
verifyAllTags;
|
||||
gpgVerifyGitHead $DOS_BUILD_BASE"external/chromium-webview";
|
||||
|
||||
#source build/envsetup.sh;
|
||||
#repopick -it ten-firewall;
|
||||
|
@ -23,12 +23,6 @@ patchAllKernels() {
|
||||
}
|
||||
export -f patchAllKernels;
|
||||
|
||||
resetWorkspace() {
|
||||
umask 0022;
|
||||
repo forall -c 'git add -A && git reset --hard' && rm -rf out DOS_PATCHED_FLAG && repo sync -j8 --force-sync --detach;
|
||||
}
|
||||
export -f resetWorkspace;
|
||||
|
||||
scanWorkspaceForMalware() {
|
||||
local scanQueue="$DOS_BUILD_BASE/android $DOS_BUILD_BASE/art $DOS_BUILD_BASE/bionic $DOS_BUILD_BASE/bootable $DOS_BUILD_BASE/build $DOS_BUILD_BASE/dalvik $DOS_BUILD_BASE/device $DOS_BUILD_BASE/hardware $DOS_BUILD_BASE/libcore $DOS_BUILD_BASE/libnativehelper $DOS_BUILD_BASE/packages $DOS_BUILD_BASE/pdk $DOS_BUILD_BASE/platform_testing $DOS_BUILD_BASE/sdk $DOS_BUILD_BASE/system";
|
||||
scanQueue=$scanQueue" $DOS_BUILD_BASE/lineage-sdk $DOS_BUILD_BASE/vendor/lineage";
|
||||
@ -124,6 +118,8 @@ patchWorkspace() {
|
||||
cd "$DOS_BUILD_BASE$1";
|
||||
touch DOS_PATCHED_FLAG;
|
||||
if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi;
|
||||
verifyAllTags;
|
||||
gpgVerifyGitHead $DOS_BUILD_BASE"external/chromium-webview";
|
||||
|
||||
#source build/envsetup.sh;
|
||||
#repopick -it eleven-firewall;
|
||||
|
@ -23,12 +23,6 @@ patchAllKernels() {
|
||||
}
|
||||
export -f patchAllKernels;
|
||||
|
||||
resetWorkspace() {
|
||||
umask 0022;
|
||||
repo forall -c 'git add -A && git reset --hard' && rm -rf out DOS_PATCHED_FLAG && repo sync -j8 --force-sync --detach;
|
||||
}
|
||||
export -f resetWorkspace;
|
||||
|
||||
scanWorkspaceForMalware() {
|
||||
local scanQueue="$DOS_BUILD_BASE/android $DOS_BUILD_BASE/art $DOS_BUILD_BASE/bionic $DOS_BUILD_BASE/bootable $DOS_BUILD_BASE/build $DOS_BUILD_BASE/dalvik $DOS_BUILD_BASE/device $DOS_BUILD_BASE/hardware $DOS_BUILD_BASE/libcore $DOS_BUILD_BASE/libnativehelper $DOS_BUILD_BASE/packages $DOS_BUILD_BASE/pdk $DOS_BUILD_BASE/platform_testing $DOS_BUILD_BASE/sdk $DOS_BUILD_BASE/system";
|
||||
scanQueue=$scanQueue" $DOS_BUILD_BASE/lineage-sdk $DOS_BUILD_BASE/vendor/lineage";
|
||||
@ -115,6 +109,8 @@ patchWorkspace() {
|
||||
cd "$DOS_BUILD_BASE$1";
|
||||
touch DOS_PATCHED_FLAG;
|
||||
if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi;
|
||||
verifyAllTags;
|
||||
gpgVerifyGitHead $DOS_BUILD_BASE"external/chromium-webview";
|
||||
|
||||
#source build/envsetup.sh;
|
||||
|
||||
|
@ -120,7 +120,7 @@ gpgVerifyGitHead() {
|
||||
fi;
|
||||
#git -C $1 log --show-signature -1;
|
||||
else
|
||||
echo -e "\e[0;33mWARNING: ~/.gnupg is unavailable, GPG verification of $1 will not be performed!\e[0m";
|
||||
echo -e "\e[0;33mWARNING: keyring is unavailable, GPG verification of $1 will not be performed!\e[0m";
|
||||
fi;
|
||||
}
|
||||
export -f gpgVerifyGitHead;
|
||||
|