From 85c7500ae069a4c606373c851ad86240c8ba756e Mon Sep 17 00:00:00 2001 From: Levi Brown Date: Thu, 26 Aug 2021 13:09:24 -0600 Subject: [PATCH 1/2] Perform GPG Signature Validation on the archive --- .gitignore | 1 + build-libssl.sh | 30 +++++++++++++++++++++++++++++- 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index ed43e38..903db58 100644 --- a/.gitignore +++ b/.gitignore @@ -6,6 +6,7 @@ lib frameworks include/openssl *.gz +*.gz.asc *.framework *.o *.pbxuser diff --git a/build-libssl.sh b/build-libssl.sh index 6d0a420..ff26025 100755 --- a/build-libssl.sh +++ b/build-libssl.sh @@ -218,6 +218,20 @@ finish_build_loop() fi } +gpg_validate() +{ + local TARGET=$1 + local SIG=${2:-${TARGET}.asc} + + GPG_B=$(which gpg) + if [ ! -x "${GPG_B}" ]; then + echo "WARN: No gpg executable found in PATH. Please consider installing gpg so archive signature validation can proceed." + return 1 + fi + + $GPG_B --keyserver pool.sks-keyservers.net --keyserver-options auto-key-retrieve,include-subkeys --verify-options show-photos --verify "${SIG}" "${TARGET}" +} + # Init optional command line vars ARCHS="" BRANCH="" @@ -449,9 +463,12 @@ echo # Download OpenSSL when not present OPENSSL_ARCHIVE_BASE_NAME="openssl-${VERSION}" OPENSSL_ARCHIVE_FILE_NAME="${OPENSSL_ARCHIVE_BASE_NAME}.tar.gz" +OPENSSL_ARCHIVE_SIGNATURE_FILE_NAME="${OPENSSL_ARCHIVE_FILE_NAME}.asc" if [ ! -e ${OPENSSL_ARCHIVE_FILE_NAME} ]; then echo "Downloading ${OPENSSL_ARCHIVE_FILE_NAME}..." - OPENSSL_ARCHIVE_URL="https://www.openssl.org/source/${OPENSSL_ARCHIVE_FILE_NAME}" + OPENSSL_ARCHIVE_BASE_URL="https://www.openssl.org/source" + OPENSSL_ARCHIVE_URL="${OPENSSL_ARCHIVE_BASE_URL}/${OPENSSL_ARCHIVE_FILE_NAME}" + OPENSSL_ARCHIVE_SIGNATURE_URL="${OPENSSL_ARCHIVE_BASE_URL}/${OPENSSL_ARCHIVE_SIGNATURE_FILE_NAME}" # Check whether file exists here (this is the location of the latest version for each branch) # -s be silent, -f return non-zero exit status on failure, -I get header (do not download) @@ -475,11 +492,22 @@ if [ ! -e ${OPENSSL_ARCHIVE_FILE_NAME} ]; then # Archive was found, so proceed with download. # -O Use server-specified filename for download curl ${CURL_OPTIONS} -O "${OPENSSL_ARCHIVE_URL}" + curl ${CURL_OPTIONS} -O "${OPENSSL_ARCHIVE_SIGNATURE_URL}" else echo "Using ${OPENSSL_ARCHIVE_FILE_NAME}" fi +# Validate archive signature +if [ -e ${OPENSSL_ARCHIVE_SIGNATURE_FILE_NAME} ]; then + gpg_validate "${OPENSSL_ARCHIVE_FILE_NAME}" "${OPENSSL_ARCHIVE_SIGNATURE_FILE_NAME}" + if [ $? -ne 0 ]; then + echo "WARN: GPG signature validation was unsuccessful." + fi +else + echo "WARN: No GPG signature validation performed. (missing ${OPENSSL_ARCHIVE_SIGNATURE_FILE_NAME})" +fi + # Set reference to custom configuration (OpenSSL 1.1.1) # See: https://github.com/openssl/openssl/commit/afce395cba521e395e6eecdaf9589105f61e4411 export OPENSSL_LOCAL_CONFIG_DIR="${SCRIPTDIR}/config" From e6e4b76e60d3b63a0656bea9be8193fba608bcdb Mon Sep 17 00:00:00 2001 From: Davide De Rosa Date: Wed, 15 Sep 2021 10:57:51 +0200 Subject: [PATCH 2/2] Use public OpenGPG key server --- build-libssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build-libssl.sh b/build-libssl.sh index ff26025..b0c7c64 100755 --- a/build-libssl.sh +++ b/build-libssl.sh @@ -229,7 +229,7 @@ gpg_validate() return 1 fi - $GPG_B --keyserver pool.sks-keyservers.net --keyserver-options auto-key-retrieve,include-subkeys --verify-options show-photos --verify "${SIG}" "${TARGET}" + $GPG_B --keyserver keys.openpgp.org --keyserver-options auto-key-retrieve,include-subkeys --verify-options show-photos --verify "${SIG}" "${TARGET}" } # Init optional command line vars