From 3618774d9f49b5fb1a4e503154d87eafb806875c Mon Sep 17 00:00:00 2001 From: Tad Date: Fri, 26 Aug 2022 22:00:59 -0400 Subject: [PATCH] GPG verification for all platform repositories Signed-off-by: Tad --- Misc/pubring.kbx | Bin 37582 -> 38962 bytes Scripts/Common/Functions.sh | 11 +++++++ Scripts/Common/Tag_Verifier.sh | 46 ++++++++++++++++++++++++++++ Scripts/LineageOS-14.1/Functions.sh | 9 ++---- Scripts/LineageOS-15.1/Functions.sh | 8 ++--- Scripts/LineageOS-16.0/Functions.sh | 8 ++--- Scripts/LineageOS-17.1/Functions.sh | 8 ++--- Scripts/LineageOS-18.1/Functions.sh | 8 ++--- Scripts/LineageOS-19.1/Functions.sh | 8 ++--- Scripts/init.sh | 2 +- 10 files changed, 71 insertions(+), 37 deletions(-) create mode 100644 Scripts/Common/Tag_Verifier.sh diff --git a/Misc/pubring.kbx b/Misc/pubring.kbx index ed97c2d314e2c8723ced5aba49f2bf7974ab32f4..611fddee7199155719aaeba5ebd1bb31e471fcb4 100644 GIT binary patch delta 1382 zcmYk4dpOez7{`D6?YG)ejwLmrmfUOXP@<;hk`A8avU(e!7UZhpP#p|G@-x8i-%HW*TD{D_5y zG)>shqy_`F0sv?r^~}D}7<{IyG22#jrT>_uJ1F4F!cxUOi8+_3(zv8;crj~Fd=$rQP?vwUFB+#z zM2PzZGj2u{YYLE^EDx`V>k*)cYiExjg zsAEOmI;(*y#tE-D8uoo9Js-UlMiTms?b{NSo?|}qh8>yEB5TA3NM)zbyj)flQ8@ca z)i-S&;Opla<1W3&)(&eH>|;lftxG=XHk8{U7fZ<@UMIytXLYW|bi1e`U!B%zV&kb9 zZva9?Od?%yll)bCs;zI#!Hjg^Y3jOxZQ}82(~Kfn9GRoT&O1d@ook0I>llkS*0q#R zwdQ=p>)GG`CAQ4+fpZq`3#NXbd{h?MH{M2ZwR__*L@p@0x!x!%NV@eOKzfh3EJ_B=uKY0@_%T8q8JA2kIy=4 z@?5yLMpgc<4?7CIo6^Cr{L?`*Mxp8C-Xz6B7U?fyS`#YTEsXO`P7u9K?LB85fFqDV z@*DnMVSZVhe*4s5eUV0WFYd^Imy(w$yRa}^sIe`u*?rai3rR;!abi*n=4bwUM(K3I zlr~r0hefoEoxa9lM`=0e(KWJcBjwSIw=zH}_P`LsE;48tYDW2pB^< zinaMuye8d8@maw#awKGEaavD^cB#!Fp@B8`H@y@4<$Mbr#IOp2mJ+EplnuRpS{3kG zxa!U}4O}nE9d7IhU096#^>FYCHQdNgQaQS;qkl&joR{=SV)w@Y{H_2m*&Q2rGR6wR zNby5`$Ik*(+WLRa)MWv#Z@P*)`ubqrE|r|3&kxqJy&RlUfb83D*95pU++~s9_^cR8 gzFW)Is`$y7#x0&U^>AH$?sNC4sd-|dC*C>bUxB=3!vFvP delta 9 RcmdnAf$7{*rVZyN0RR{*1nK|) diff --git a/Scripts/Common/Functions.sh b/Scripts/Common/Functions.sh index 9a8da30c..c7dacb1f 100644 
--- a/Scripts/Common/Functions.sh
+++ b/Scripts/Common/Functions.sh
@@ -21,6 +21,17 @@ startPatcher() {
 }
 export -f startPatcher;
+resetWorkspace() {
+ umask 0022;
+ repo forall -c 'git add -A && git reset --hard' && rm -rf out DOS_PATCHED_FLAG && repo sync -j8 --force-sync --detach;
+}
+export -f resetWorkspace;
+
+verifyAllTags() {
+ repo forall -c 'source $DOS_WORKSPACE_ROOT/Scripts/Common/Tag_Verifier.sh && verifyTagIfPossible $REPO_PROJECT $REPO_PATH';
+}
+export -f verifyAllTags;
+
 enter() {
 echo "================================================================================================"
 local dir="$1";
diff --git a/Scripts/Common/Tag_Verifier.sh b/Scripts/Common/Tag_Verifier.sh
new file mode 100644
index 00000000..82cd0fa9
--- /dev/null
+++ b/Scripts/Common/Tag_Verifier.sh
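Review bot: In `verifyAllTags` the two arguments handed to `verifyTagIfPossible` are unquoted inside the `repo forall -c` command string, so a project path containing whitespace would be word-split before the verifier sees it; I'd write `repo forall -c 'source "$DOS_WORKSPACE_ROOT/Scripts/Common/Tag_Verifier.sh" && verifyTagIfPossible "$REPO_PROJECT" "$REPO_PATH"';`. Because the single-quoted string is expanded by the per-project child shell, `DOS_WORKSPACE_ROOT` and the variables Tag_Verifier.sh reads (`DOS_SCRIPTS_COMMON`, `DOS_TMP_GNUPG`, `DOS_BUILD_BASE`) have to be exported into that child's environment; whether they are is not visible in this diff and is worth confirming. A header comment would also help readers of Functions.sh, e.g. `# Checks the GPG signature of the tag each platform/* project is checked out at; results are only printed, nothing is returned to the caller` — the last clause follows from the echo-only branches of Tag_Verifier.sh added in this commit.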
@@ -0,0 +1,46 @@
+#!/bin/bash
+#DivestOS: A privacy focused mobile distribution
+#Copyright (c) 2022 Divested Computing Group
+#
+#This program is free software: you can redistribute it and/or modify
+#it under the terms of the GNU General Public License as published by
+#the Free Software Foundation, either version 3 of the License, or
+#(at your option) any later version.
+#
+#This program is distributed in the hope that it will be useful,
+#but WITHOUT ANY WARRANTY; without even the implied warranty of
+#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#GNU General Public License for more details.
+#
+#You should have received a copy of the GNU General Public License
+#along with this program. If not, see .
+umask 0022;
+set -uo pipefail;
+source "$DOS_SCRIPTS_COMMON/Shell.sh";
+
+gpgVerifyGitTag() {
+ if [ -r "$DOS_TMP_GNUPG/pubring.kbx" ]; then
+ if git -C "$1" verify-tag "$2" &>/dev/null; then
+ echo -e "\e[0;32mGPG Verified Git Tag Successfully: $1\e[0m";
+ else
+ echo -e "\e[0;31mWARNING: GPG Verification of Git Tag Failed: $1\e[0m";
+ #sleep 60;
+ fi;
+ #git -C $1 log --show-signature -1;
+ else
+ echo -e "\e[0;33mWARNING: keyring is unavailable, GPG verification of $1 will not be performed!\e[0m";
+ fi;
+}
+export -f gpgVerifyGitHead;
+
+verifyTagIfPossible() {
+ if [[ "$1" == "platform/"* ]]; then
+ tagMatch=$(git -C "$DOS_BUILD_BASE$2" describe --exact-match HEAD);
+ if [ ! -z "$tagMatch" ]; then
+ gpgVerifyGitTag "$DOS_BUILD_BASE$2" "$tagMatch";
+ else
+ echo -e "\e[0;33mWARNING: No tag match for $2 \e[0m";
+ fi;
+ fi;
+}
+export -f verifyTagIfPossible;
diff --git a/Scripts/LineageOS-14.1/Functions.sh b/Scripts/LineageOS-14.1/Functions.sh
index 1a1df02c..68562173 100644
--- a/Scripts/LineageOS-14.1/Functions.sh
+++ b/Scripts/LineageOS-14.1/Functions.sh
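Review bot: The export that follows `gpgVerifyGitTag` names the wrong function — `export -f gpgVerifyGitHead;` should read `export -f gpgVerifyGitTag;` (gpgVerifyGitHead is the function in Scripts/init.sh, not this file). `tagMatch` in `verifyTagIfPossible` is assigned without `local`, so it leaks into whichever shell sources this file; `local tagMatch; tagMatch=$(git -C "$DOS_BUILD_BASE$2" describe --exact-match HEAD);` keeps it scoped and preserves the empty-on-failure value the following `[ ! -z ]` test relies on. Both branches of the verify-tag check print only the path in `$1`; including `$2` in those messages makes a failed verification attributable to a specific tag rather than just a directory. A failed signature check is only echoed (the `#sleep 60` is commented out) and the function returns normally, so callers get no status to act on; if a hard-fail mode is ever wanted, `return 1` in the failure branch is the smallest change, and a comment saying the check is advisory would set expectations until then. The keyring test reads `$DOS_TMP_GNUPG/pubring.kbx`, but `git verify-tag` consults whatever gpg home is in effect for the process; that `GNUPGHOME` actually points at `$DOS_TMP_GNUPG` is not shown here and is worth confirming, since otherwise the readability check and the verification would be looking at different keyrings.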
@@ -23,12 +23,6 @@ patchAllKernels() {
 }
 export -f patchAllKernels;
-resetWorkspace() {
- umask 0022;
- repo forall -c 'git add -A && git reset --hard' && rm -rf out DOS_PATCHED_FLAG && repo sync -j8 --force-sync --detach;
-}
-export -f resetWorkspace;
-
 scanWorkspaceForMalware() {
 local scanQueue="$DOS_BUILD_BASE/abi $DOS_BUILD_BASE/android $DOS_BUILD_BASE/art $DOS_BUILD_BASE/bionic $DOS_BUILD_BASE/bootable $DOS_BUILD_BASE/build $DOS_BUILD_BASE/dalvik $DOS_BUILD_BASE/device $DOS_BUILD_BASE/hardware $DOS_BUILD_BASE/libcore $DOS_BUILD_BASE/libnativehelper $DOS_BUILD_BASE/ndk $DOS_BUILD_BASE/packages $DOS_BUILD_BASE/pdk $DOS_BUILD_BASE/platform_testing $DOS_BUILD_BASE/sdk $DOS_BUILD_BASE/system";
 scanQueue=$scanQueue" $DOS_BUILD_BASE/vendor/cm $DOS_BUILD_BASE/vendor/cmsdk";
@@ -106,6 +100,9 @@ patchWorkspace() {
 cd "$DOS_BUILD_BASE$1";
 touch DOS_PATCHED_FLAG;
 if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/cm"; fi;
+ verifyAllTags;
+ gpgVerifyGitHead $DOS_BUILD_BASE"external/chromium-webview";
+
 source build/envsetup.sh;
 #repopick -it bt-sbc-hd-dualchannel-nougat;
 repopick -i 315718; #CVE-2021-1957
diff --git a/Scripts/LineageOS-15.1/Functions.sh b/Scripts/LineageOS-15.1/Functions.sh
index fe210211..4ff67646 100644
--- a/Scripts/LineageOS-15.1/Functions.sh
+++ b/Scripts/LineageOS-15.1/Functions.sh
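Review bot: The two new calls in patchWorkspace, `verifyAllTags;` and `gpgVerifyGitHead $DOS_BUILD_BASE"external/chromium-webview";`, are advisory only — the helper bodies visible on this page echo a warning and fall through, so patching proceeds to `source build/envsetup.sh` and the repopicks whether the signatures verified, failed, or were skipped for lack of a keyring; the same two lines are added to LineageOS-15.1, 16.0, 17.1, 18.1 and 19.1. That matches how gpgVerifyGitHead already behaves, but it deserves a comment at the call site so nobody later reads these lines as a gate, e.g. `#Signature checks below only warn on failure; see Scripts/Common/Tag_Verifier.sh`. The body of patchWorkspace continues past the end of this hunk.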
@@ -23,12 +23,6 @@ patchAllKernels() {
 }
 export -f patchAllKernels;
-resetWorkspace() {
- umask 0022;
- repo forall -c 'git add -A && git reset --hard' && rm -rf out DOS_PATCHED_FLAG && repo sync -j8 --force-sync --detach;
-}
-export -f resetWorkspace;
-
 scanWorkspaceForMalware() {
 local scanQueue="$DOS_BUILD_BASE/android $DOS_BUILD_BASE/art $DOS_BUILD_BASE/bionic $DOS_BUILD_BASE/bootable $DOS_BUILD_BASE/build $DOS_BUILD_BASE/compatibility $DOS_BUILD_BASE/dalvik $DOS_BUILD_BASE/device $DOS_BUILD_BASE/hardware $DOS_BUILD_BASE/libcore $DOS_BUILD_BASE/libnativehelper $DOS_BUILD_BASE/packages $DOS_BUILD_BASE/pdk $DOS_BUILD_BASE/platform_testing $DOS_BUILD_BASE/sdk $DOS_BUILD_BASE/system";
 scanQueue=$scanQueue" $DOS_BUILD_BASE/lineage-sdk $DOS_BUILD_BASE/vendor/lineage";
@@ -85,6 +79,8 @@ patchWorkspace() {
 cd "$DOS_BUILD_BASE$1";
 touch DOS_PATCHED_FLAG;
 if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi;
+ verifyAllTags;
+ gpgVerifyGitHead $DOS_BUILD_BASE"external/chromium-webview";
 #source build/envsetup.sh;
diff --git a/Scripts/LineageOS-16.0/Functions.sh b/Scripts/LineageOS-16.0/Functions.sh
index 67e46db0..ada51300 100644
--- a/Scripts/LineageOS-16.0/Functions.sh
+++ b/Scripts/LineageOS-16.0/Functions.sh
@@ -23,12 +23,6 @@ patchAllKernels() {
 }
 export -f patchAllKernels;
-resetWorkspace() {
- umask 0022;
- repo forall -c 'git add -A && git reset --hard' && rm -rf out DOS_PATCHED_FLAG && repo sync -j8 --force-sync --detach;
-}
-export -f resetWorkspace;
-
 scanWorkspaceForMalware() {
 local scanQueue="$DOS_BUILD_BASE/android $DOS_BUILD_BASE/art $DOS_BUILD_BASE/bionic $DOS_BUILD_BASE/bootable $DOS_BUILD_BASE/build $DOS_BUILD_BASE/compatibility $DOS_BUILD_BASE/dalvik $DOS_BUILD_BASE/device $DOS_BUILD_BASE/hardware $DOS_BUILD_BASE/libcore $DOS_BUILD_BASE/libnativehelper $DOS_BUILD_BASE/packages $DOS_BUILD_BASE/pdk $DOS_BUILD_BASE/platform_testing $DOS_BUILD_BASE/sdk $DOS_BUILD_BASE/system";
 scanQueue=$scanQueue" $DOS_BUILD_BASE/lineage-sdk $DOS_BUILD_BASE/vendor/lineage";
@@ -77,6 +71,8 @@ patchWorkspace() {
 cd "$DOS_BUILD_BASE$1";
 touch DOS_PATCHED_FLAG;
 if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi;
+ verifyAllTags;
+ gpgVerifyGitHead $DOS_BUILD_BASE"external/chromium-webview";
 source build/envsetup.sh;
 #repopick -it pie-firewall;
diff --git a/Scripts/LineageOS-17.1/Functions.sh b/Scripts/LineageOS-17.1/Functions.sh
index f6827d3c..e394a8e7 100644
--- a/Scripts/LineageOS-17.1/Functions.sh
+++ b/Scripts/LineageOS-17.1/Functions.sh
@@ -23,12 +23,6 @@ patchAllKernels() {
 }
 export -f patchAllKernels;
-resetWorkspace() {
- umask 0022;
- repo forall -c 'git add -A && git reset --hard' && rm -rf out DOS_PATCHED_FLAG && repo sync -j8 --force-sync --detach;
-}
-export -f resetWorkspace;
-
 scanWorkspaceForMalware() {
 local scanQueue="$DOS_BUILD_BASE/android $DOS_BUILD_BASE/art $DOS_BUILD_BASE/bionic $DOS_BUILD_BASE/bootable $DOS_BUILD_BASE/build $DOS_BUILD_BASE/dalvik $DOS_BUILD_BASE/device $DOS_BUILD_BASE/hardware $DOS_BUILD_BASE/libcore $DOS_BUILD_BASE/libnativehelper $DOS_BUILD_BASE/packages $DOS_BUILD_BASE/pdk $DOS_BUILD_BASE/platform_testing $DOS_BUILD_BASE/sdk $DOS_BUILD_BASE/system";
 scanQueue=$scanQueue" $DOS_BUILD_BASE/lineage-sdk $DOS_BUILD_BASE/vendor/lineage";
@@ -83,6 +77,8 @@ patchWorkspace() {
 cd "$DOS_BUILD_BASE$1";
 touch DOS_PATCHED_FLAG;
 if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi;
+ verifyAllTags;
+ gpgVerifyGitHead $DOS_BUILD_BASE"external/chromium-webview";
 #source build/envsetup.sh;
 #repopick -it ten-firewall;
diff --git a/Scripts/LineageOS-18.1/Functions.sh b/Scripts/LineageOS-18.1/Functions.sh
index f57e59a2..7d1f4645 100644
--- a/Scripts/LineageOS-18.1/Functions.sh
+++ b/Scripts/LineageOS-18.1/Functions.sh
@@ -23,12 +23,6 @@ patchAllKernels() {
 }
 export -f patchAllKernels;
-resetWorkspace() {
- umask 0022;
- repo forall -c 'git add -A && git reset --hard' && rm -rf out DOS_PATCHED_FLAG && repo sync -j8 --force-sync --detach;
-}
-export -f resetWorkspace;
-
 scanWorkspaceForMalware() {
 local scanQueue="$DOS_BUILD_BASE/android $DOS_BUILD_BASE/art $DOS_BUILD_BASE/bionic $DOS_BUILD_BASE/bootable $DOS_BUILD_BASE/build $DOS_BUILD_BASE/dalvik $DOS_BUILD_BASE/device $DOS_BUILD_BASE/hardware $DOS_BUILD_BASE/libcore $DOS_BUILD_BASE/libnativehelper $DOS_BUILD_BASE/packages $DOS_BUILD_BASE/pdk $DOS_BUILD_BASE/platform_testing $DOS_BUILD_BASE/sdk $DOS_BUILD_BASE/system";
 scanQueue=$scanQueue" $DOS_BUILD_BASE/lineage-sdk $DOS_BUILD_BASE/vendor/lineage";
@@ -124,6 +118,8 @@ patchWorkspace() {
 cd "$DOS_BUILD_BASE$1";
 touch DOS_PATCHED_FLAG;
 if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi;
+ verifyAllTags;
+ gpgVerifyGitHead $DOS_BUILD_BASE"external/chromium-webview";
 #source build/envsetup.sh;
 #repopick -it eleven-firewall;
diff --git a/Scripts/LineageOS-19.1/Functions.sh b/Scripts/LineageOS-19.1/Functions.sh
index f05a4dfe..2086c10c 100644
--- a/Scripts/LineageOS-19.1/Functions.sh
+++ b/Scripts/LineageOS-19.1/Functions.sh
@@ -23,12 +23,6 @@ patchAllKernels() {
 }
 export -f patchAllKernels;
-resetWorkspace() {
- umask 0022;
- repo forall -c 'git add -A && git reset --hard' && rm -rf out DOS_PATCHED_FLAG && repo sync -j8 --force-sync --detach;
-}
-export -f resetWorkspace;
-
 scanWorkspaceForMalware() {
 local scanQueue="$DOS_BUILD_BASE/android $DOS_BUILD_BASE/art $DOS_BUILD_BASE/bionic $DOS_BUILD_BASE/bootable $DOS_BUILD_BASE/build $DOS_BUILD_BASE/dalvik $DOS_BUILD_BASE/device $DOS_BUILD_BASE/hardware $DOS_BUILD_BASE/libcore $DOS_BUILD_BASE/libnativehelper $DOS_BUILD_BASE/packages $DOS_BUILD_BASE/pdk $DOS_BUILD_BASE/platform_testing $DOS_BUILD_BASE/sdk $DOS_BUILD_BASE/system";
 scanQueue=$scanQueue" $DOS_BUILD_BASE/lineage-sdk $DOS_BUILD_BASE/vendor/lineage";
@@ -115,6 +109,8 @@ patchWorkspace() {
 cd "$DOS_BUILD_BASE$1";
 touch DOS_PATCHED_FLAG;
 if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi;
+ verifyAllTags;
+ gpgVerifyGitHead $DOS_BUILD_BASE"external/chromium-webview";
 #source build/envsetup.sh;
diff --git a/Scripts/init.sh b/Scripts/init.sh
index 947696c1..bb7d20fd 100644
--- a/Scripts/init.sh
+++ b/Scripts/init.sh
@@ -120,7 +120,7 @@ gpgVerifyGitHead() {
 fi;
 #git -C $1 log --show-signature -1;
 else
- echo -e "\e[0;33mWARNING: ~/.gnupg is unavailable, GPG verification of $1 will not be performed!\e[0m";
+ echo -e "\e[0;33mWARNING: keyring is unavailable, GPG verification of $1 will not be performed!\e[0m";
 fi;
 }
 export -f gpgVerifyGitHead;