verify-sig.eclass: Add verify-sig_uncompress_verify_unpack

Add a function that carries out the surprisingly common pattern of uncompress-verify-unpack found in kernel.org distfiles, where the signature is created against the uncompressed archive rather than the actual distfile. Just like the code currently copied across ebuilds, the function uses a pipeline to simultaneously decompress, unpack and verify the signature, except with correct error handling this time. Note that the code technically implies that the archive will be unpacked even if the signature does not match -- the ebuild will abort afterwards. Thanks to Ulrich Müller for the suggestion! Signed-off-by: Michał Górny <mgorny@gentoo.org>
2026-01-05 14:07:27 -08:00 · 2024-12-23 15:28:36 +01:00 · 2024-12-23 15:28:36 +01:00 · c80dc591e4
commit c80dc591e4
parent b235c6e388
1 changed files with 33 additions and 1 deletions
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@ -1,4 +1,4 @@
-# Copyright 2020-2024 Gentoo Authors
+# Copyright 2020-2025 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2

 # @ECLASS: verify-sig.eclass
@ -48,6 +48,8 @@ esac
 if [[ -z ${_VERIFY_SIG_ECLASS} ]]; then
 _VERIFY_SIG_ECLASS=1

+inherit eapi9-pipestatus
+
 IUSE="verify-sig"

 # @ECLASS_VARIABLE: VERIFY_SIG_METHOD
@ -423,6 +425,36 @@ verify-sig_verify_signed_checksums() {
 	esac
 }

+# @FUNCTION: verify-sig_uncompress_verify_unpack
+# @USAGE: <compressed-tar> <sig-file> [<key-file>]
+# @DESCRIPTION:
+# Uncompress the <compressed-tar> tarball, verify the uncompressed
+# archive against the signature in <sig-file> and unpack it.  This is
+# useful for kernel.org packages that sign the uncompressed tarball
+# instead of the compressed archive.  <key-file> can either be passed
+# directly, or it defaults to VERIFY_SIG_OPENPGP_KEY_PATH.  The function
+# dies if verification or any of the unpacking steps fail.
+verify-sig_uncompress_verify_unpack() {
+	local file=${1}
+	local unpacker
+
+	# TODO: integrate with unpacker.eclass somehow?
+	case ${file} in
+		*.tar.xz)
+			unpacker=( xz -cd )
+			;;
+		*)
+			die "${FUNCNAME}: only .tar.xz archives are supported at the moment"
+			;;
+	esac
+
+	einfo "Unpacking ${file} ..."
+	verify-sig_verify_detached - "${@:2}" < <(
+		"${unpacker[@]}" "${file}" | tee >(tar -xf - || die)
+		pipestatus || die
+	)
+}
+
 # @FUNCTION: verify-sig_src_unpack
 # @DESCRIPTION:
 # Default src_unpack override that verifies signatures for all