check signatures for download and git fetchers

[korli]

download: add SOURCE_SIG_URI for the signature file URI
git: add ?signed on the SOURCE_URI to have signed tags and commits checked

this uses gpg to verify. the public key has to exist in the ring.

[korli]

we might add a setting to allow unverified downloads.

[korli]

Examples with bash downloads:

diff --git a/app-shells/bash/bash-5.2.032.recipe b/app-shells/bash/bash-5.2.032.recipe
index 0d27c2bab..4a2686fa3 100644
--- a/app-shells/bash/bash-5.2.032.recipe
+++ b/app-shells/bash/bash-5.2.032.recipe
@@ -7,8 +7,10 @@ COPYRIGHT="1987-2024 Free Software Foundation, Inc."
 LICENSE="GNU GPL v3"
 REVISION="1"
 SOURCE_URI="https://ftpmirror.gnu.org/bash/bash-5.2.tar.gz"
+SOURCE_SIG_URI="${SOURCE_URI}.sig"
 for i in {001..032}; do
 	eval "SOURCE_URI_$i=\"https://ftpmirror.gnu.org/bash/bash-5.2-patches/bash52-$i#noarchive\""
+	eval "SOURCE_SIG_URI_$i=\"https://ftpmirror.gnu.org/bash/bash-5.2-patches/bash52-$i.sig\""
 done
 CHECKSUM_SHA256="a139c166df7ff4471c5e0733051642ee5556c1cc8a4a78f145583c5c81ab32fb"
 CHECKSUM_SHA256_001="f42f2fee923bc2209f406a1892772121c467f44533bedfe00a176139da5d310a"
@@ -43,6 +45,7 @@ CHECKSUM_SHA256_029="125cacb37e625471924b3ee06c54cb1bf21b3b7fe0e569d24a681b0ec4a
 CHECKSUM_SHA256_030="c3ff73230e123acdb5ac216921a386df8f74340459533d776d02811a1f76698f"
 CHECKSUM_SHA256_031="c2d1b7be2df771126105020af7fafa00fffd4deff4a4e45d60fc6a235bcba795"
 CHECKSUM_SHA256_032="7b9c77daeca93ff711781d7537234166e83ed9835ce1ee7dcd5742319c372a16"
+PGPKEYS=(7C0135FB088AAF6C66C650B9BB5869F064EA74AB)
 
 SOURCE_DIR="bash-5.2"
 PATCHES="

Example with expat git tag

diff --git a/dev-libs/expat/expat-2.6.2.recipe b/dev-libs/expat/expat-2.6.2.recipe
index 0057be0aa..3075887e8 100644
--- a/dev-libs/expat/expat-2.6.2.recipe
+++ b/dev-libs/expat/expat-2.6.2.recipe
@@ -7,9 +7,10 @@ COPYRIGHT="1998-2000 Thai Open Source Software Center Ltd and Clark Cooper
 	2001-2023 Expat maintainers."
 LICENSE="MIT"
 REVISION="1"
-SOURCE_URI="https://downloads.sourceforge.net/expat/expat-$portVersion.tar.bz2"
-CHECKSUM_SHA256="9c7c1b5dcbc3c237c500a8fb1493e14d9582146dd9b42aa8d3ffb856a3b927e0"
+SOURCE_URI="git+https://github.com/libexpat/libexpat?signed#tag=R_${portVersion//./_}"
+CHECKSUM_SHA256="20d949d216e5bca4cc35eb63737bb91812ba040576b211b325f92a67330c3ddc"
 PATCHES="expat-$portVersion.patchset"
+PGPKEYS="3176EF7DB2367F1FCA4F306B1F9B0E909AF37285"
 
 ARCHITECTURES="all !x86_gcc2"
 SECONDARY_ARCHITECTURES="x86"

[waddlesplash]

What's the value of checking PGP signature when we already check SHA256?

[korli]

What's the value of checking PGP signature when we already check SHA256?

Actually it's mostly useful for people doing the version bump, hence they check the origin of the new version.

[Begasus]

Updated the examples, shows the diff better.

[Begasus]

Need to fiddle with this for a while before I get the hang of it. :) Maybe others could do some checking here too?

[Begasus]

@korli if I wanted to apply this to: haikuports/haikuports#11599 how would I change this in the recipe then? Fiddled a bit but only got garbage so far. :)

[korli]

@Begasus add something like for 10.44 (10.45 is done by a new maintainer)

SOURCE_SIG_URI="https://github.com/PhilipHazel/pcre2/releases/download/pcre2-$portVersion/pcre2-$portVersion.tar.bz2.sig"
PGPKEYS=(45F68D54BBE23FB3039B46E59766E084FB0F43D8)

[Begasus]

@korli getting this now: Error: 'gpg' is not available, please install it (missing gnupg)
How do I find out the public key?

[korli]

@korli getting this now: Error: 'gpg' is not available, please install it (missing gnupg) How do I find out the public key?

Using :
gpg --keyserver-options auto-key-retrieve --verify yourfile.sig

[Begasus]

OK, that worked out, need to get some feeling for it though :)

waiting for build package libpcre2-10.45-1 to be deactivated
waiting for build package libpcre2_devel-10.45-1 to be deactivated
cleaning chroot folder
grabbing libpcre2-10.45-1-x86_64.hpkg and moving it to /Opslag/haikuports/packages/libpcre2-10.45-1-x86_64.hpkg
grabbing libpcre2_devel-10.45-1-x86_64.hpkg and moving it to /Opslag/haikuports/packages/libpcre2_devel-10.45-1-x86_64.hpkg

[Begasus]

waiting for build package libpcre2-10.45-1 to be deactivated
waiting for build package libpcre2_devel-10.45-1 to be deactivated
cleaning chroot folder
grabbing libpcre2-10.45-1-x86_64.hpkg and moving it to /Opslag/haikuports/packages/libpcre2-10.45-1-x86_64.hpkg
grabbing libpcre2_devel-10.45-1-x86_64.hpkg and moving it to /Opslag/haikuports/packages/libpcre2_devel-10.45-1-x86_64.hpkg
waiting for build package libpcre2-10.45-1 to be deactivated
waiting for build package libpcre2_devel-10.45-1 to be deactivated
cleaning chroot folder

[korli]

Keep in mind 'auto-key-retrieve' isn't recommended because one should check whether the key is 'known', before installing it as 'safe'

[Begasus]

So we aren't any closer then?

/Opslag/haikuports/dev-libs/libpcre2/download> gpg --keyserver-options auto-key-retrieve --verify  pcre2-10.45.tar.bz2.sig 
gpg: assuming signed data in 'pcre2-10.45.tar.bz2'
gpg: Signature made Feb  4, 2025, 
gpg:                using RSA key BACF71F10404D5761C09D392021DE40BFB63B406
gpg: Good signature from "Nicholas Wilson <[email protected]>" [unknown]
gpg:                 aka "Nicholas Wilson <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A955 3620 4A3B B489 7152  3128 2A98 E77E B6F2 4CA8
     Subkey fingerprint: BACF 71F1 0404 D576 1C09  D392 021D E40B FB63 B406

[korli]

So we aren't any closer then?

/Opslag/haikuports/dev-libs/libpcre2/download> gpg --keyserver-options auto-key-retrieve --verify  pcre2-10.45.tar.bz2.sig 
gpg: assuming signed data in 'pcre2-10.45.tar.bz2'
gpg: Signature made Feb  4, 2025, 
gpg:                using RSA key BACF71F10404D5761C09D392021DE40BFB63B406
gpg: Good signature from "Nicholas Wilson <[email protected]>" [unknown]
gpg:                 aka "Nicholas Wilson <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A955 3620 4A3B B489 7152  3128 2A98 E77E B6F2 4CA8
     Subkey fingerprint: BACF 71F1 0404 D576 1C09  D392 021D E40B FB63 B406

This matches what you see on https://keyserver.ubuntu.com/pks/lookup?search=A955+3620+4A3B+B489+7152++3128+2A98+E77E+B6F2+4CA8&fingerprint=on&op=index

And
PCRE2Project/pcre2#426

[Begasus]

OK, leaves some manual checking for the sig file then, I'm guessing this can't be automated.

EDIT: Will link the lookup site here (in case I want to check again and can't find it) :)

https://keyserver.ubuntu.com/

[korli]

OK, leaves some manual checking for the sig file then, I'm guessing this can't be automated.

This manual checking only happens when a new maintainer takes over. For people doing version bump it's a win, because you're sure the tarball is authentic.

[Begasus]

Now I get it! 👍

[Begasus]

OK, created a PR for the new prce2 at: haikuports/haikuports#11822
Looking at local builds haikuporter doesn't trip over it so far without this one merged, at least it's a try on how to do it.

[korli]

I think it should only be enabled for local builds, not for the builder. ATM adding a setting would the idea.

[Begasus]

OK, having it in shouldn't be bad for now then, I can just comment it out, those wondering will see the PR here and checkup.