fc22726ee8
Passing files to Dom0 is always dangerous:

- Passing a git repository is dangerous as it can have ignored modified files and signature verification will pass.
- Passing an archive is troublesome for updates.
- Passing an RPM package depends on the RPM verification to be correct; sometimes it is not.
- Passing an RPM repository definition is less troublesome for the user, as it is a small file to verify the contents and update mechanism is via the package manager. Trust in RPM verification is still required.

Many improvements were made to the build scripts:

- requires-program: Single function to check if program is installed;
- spec-get: Sort project names for the usage message;
- spec-get: Only running commands that are necessary;
- spec-get: Fix empty summary when readme has copyright header;
- spec-gen: Fix grep warning of escaped symbol;
- spec-build: Sign RPM and verify signature;
- spec-build: Only lint the first SPEC for faster runtime;
- yumrepo-gen: Generate a local yum repository with signed metadata;
- qubesbuilder-gen: Generate a .qubesbuilder based on tracked projects;
- release: Build, sign and push all RPMs to repository.

Goal is to be able to build with qubes-builderv2 Qubes Executor.

For: https://github.com/ben-grande/qusal/issues/37
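#!/bin/sh

## SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
##
## SPDX-License-Identifier: AGPL-3.0-or-later

## Check OpenPGP key files for expired or soon-to-expire (sub)keys.
##
## Arguments: one or more files holding OpenPGP public keys.
## Outputs:   one line on stderr per problem found, prefixed with the file.
## Returns:   0 when every "pub" and "sub" record of every file either has no
##            expiration date or expires 60 days or more from now; non-zero
##            when a (sub)key is expired, expires in less than 60 days, a
##            file holds no "pub"/"sub" record at all, or gpg cannot parse a
##            file.
##
## Only the expiration field is evaluated. Revocation status and signature
## validity are not checked by this script.

set -eu

now="$(date +%s)"
fail="0"

if test -z "${1-}"; then
  echo "No file provided" >&2
  exit 1
fi

for key in "${@}"; do
  ## The file is only listed, never imported: no keyring is used and no
  ## agent is started. Under "set -e" a gpg failure aborts the script right
  ## here with a non-zero status, so an unparsable file can never pass.
  data="$(gpg --no-keyring --no-auto-check-trustdb --no-autostart \
            --with-colons --show-keys "${key}")"

  ## All records are scanned and the verdict is given once in END, so every
  ## problematic (sub)key of the file is reported and the result does not
  ## depend on counting lines beforehand (the output format of "wc -l" is
  ## padded on some platforms, which made the last-record comparison never
  ## match and let an expired last subkey pass).
  printf '%s\n' "${data}" | awk -v fail="0" -v key="${key}" \
    -v now="${now}" -F ':' '
    BEGIN {
      # 60 days
      soon = 60 * 60 * 24 * 60
    }

    /^(p|s)ub:/ {
      nkeys++

      # Field 7 is the expiration timestamp, empty means no expiration.
      if ($7 == "") {
        next
      }

      # Field 5 is the key ID shown in the report.
      if ($7 < now) {
        print key ": expired:", $5 >"/dev/stderr"
        fail = 1
      } else if (($7 - now) < soon) {
        print key ": expires soon:", $5 >"/dev/stderr"
        fail = 1
      }
    }

    END {
      # A file without any pub/sub record verified nothing: fail closed.
      if (nkeys == 0) {
        print key ": no pub/sub record found" >"/dev/stderr"
        exit 1
      }
      exit fail
    }' || fail="1"
done

if test "${fail}" = "1"; then
  exit 1
fi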