STRICTGPG setting added.

Prepared for development tree
Matteo Rossini 2016-01-04 23:17:37 +01:00
parent 748f21757b
commit 7f1ad1acb5
8 changed files with 125 additions and 14 deletions


@ -1,3 +1,14 @@
Version 1.7.a1 - 04/Jan/2015
It's the time for a stable version of slackpkg+. Currently it is just a
development version to fix older feature and add/test new. I'll need more
test possible to make it bugfree ;).
- Code reordering; now slackpkg+ is only slackpkgplus.sh
- Added repositories; improved checkrepos.sh
- BugFix: slackpk give 'grep: write error' when running with "sudo su -"
- SecurityFix: Strict GPG Check. Packages MUST to be signed with root-GPG-KEY.
If can disable it via CHECKGPG in slackpkgplus.sh; see README
- New repository for slackpkg+ development version
Version 1.6.1 - 20/Dec/2015
- Added DOWNLOADONLY to just download packages without installing it


@ -1,3 +1,14 @@
Version 1.7.a1 - 04/Jan/2015
It's the time for a stable version of slackpkg+. Currently it is just a
development version to fix older feature and add/test new. I'll need more
test possible to make it bugfree ;).
- Code reordering; now slackpkg+ is only slackpkgplus.sh
- Added repositories; improved checkrepos.sh
- BugFix: slackpk give 'grep: write error' when running with "sudo su -"
- SecurityFix: Strict GPG Check. Packages MUST to be signed with root-GPG-KEY.
If can disable it via CHECKGPG in slackpkgplus.sh; see README
- New repository for slackpkg+ development version
Version 1.6.1 - 20/Dec/2015
- Added DOWNLOADONLY to just download packages without installing it


@ -511,6 +511,26 @@ Default is "package"
-----
STRICTGPG
slackpkg was bird to install slackware packages from official mirrors; they
are signed with the official slackware GPG-KEY, so no other packages may be
added (unless you disable GPG check).
slackpkg+ introduces the ability to download keys from many repositories; as
implication, slackpkg+ allow also to copy packages from other repositories and
the original signature; in this way a repository can contain a mix of packages
that may confuse the user.
Strict GPG check disallow users to do that. This improve the security.
However some user may want to do a custom repository with any type of
packages.
To use a similar repository you may set STRICTGPG=off
Note that sometime you may need to import manually the GPG-KEY with the command
# gpg --import GPG-KEY
-----
INSTALL LOG
Slackpkg+ now create a log of all installed packages in /var/lib/slackpkg/install.log


@ -38,6 +38,7 @@ http://slackware.org.uk/msb/14.1/1.8/x86_64
http://slackware.org.uk/msb/testing/1.12/x86 yes yes MATE SlackBuilds <mateslackbuilds@gmail.com>
http://slackware.org.uk/msb/testing/1.12/x86_64 yes yes MATE SlackBuilds <mateslackbuilds@gmail.com>
http://slakfinder.org/slackpkg+ yes yes Matteo Rossini <zerouno@slacky.it>
http://slakfinder.org/slackpkg+dev yes yes Matteo Rossini <zerouno@slacky.it>
http://slint.fr/packages/14.0-i486 yes yes Didier Spaier <didier@slint.fr>
http://slint.fr/packages/14.0-x86_64 yes yes Didier Spaier <didier@slint.fr>
http://slint.fr/packages/14.1-i486 yes yes Didier Spaier <didier@slint.fr>


@ -1,7 +1,7 @@
Supported Repositories:
> Supports GPG
> slackpkgplus: http://slakfinder.org/slackpkg+/
> slackpkgplus: http://slakfinder.org/slackpkg+{,dev}/
> multilib: http://taper.alienbase.nl/mirrors/people/alien/multilib/{13.37,14.0,14.1,current}/
> alienbob: http://taper.alienbase.nl/mirrors/people/alien/sbrepos/{13.37,14.0,14.1,current}/{x86,x86_64}/
> ktown: http://taper.alienbase.nl/mirrors/alien-kde/{13.37,14.0,14.1,current}/{latest,5}/{x86,x86_64}/


@ -25,6 +25,7 @@ if [ -e $CONF/slackpkgplus.conf ];then
EXTSENSITIVE_SEARCH=$SENSITIVE_SEARCH
EXTCACHEUPDATE=$CACHEUPDATE
EXTDOWNLOADONLY=$DOWNLOADONLY
EXTSTRICTGPG=$STRICTGPG
. $CONF/slackpkgplus.conf
@ -39,6 +40,7 @@ if [ -e $CONF/slackpkgplus.conf ];then
SENSITIVE_SEARCH=${EXTSENSITIVE_SEARCH:-$SENSITIVE_SEARCH}
CACHEUPDATE=${EXTCACHEUPDATE:-$CACHEUPDATE}
DOWNLOADONLY=${EXTDOWNLOADONLY:-$DOWNLOADONLY}
STRICTGPG=${EXTSTRICTGPG:-$STRICTGPG}
USEBLACKLIST=true
if [ "$USEBL" == "0" ];then
@ -457,6 +459,7 @@ if [ "$SLACKPKGPLUS" = "on" ];then
fi
if [ $(basename $1) = "MANIFEST.bz2" ];then
rm -f $WORKDIR/*-filelist.gz 2>/dev/null
if [ ! -s $2 ];then
echo -n|bzip2 -c >$2
fi
@ -551,6 +554,24 @@ if [ "$SLACKPKGPLUS" = "on" ];then
done
fi
if [ $(basename $1) = "GPG-KEY" ];then
mkdir -p ${WORKDIR}/gpg
rm -f ${WORKDIR}/gpg/* 2>/dev/null
gpg $2
if gpg $2|grep -q "$SLACKKEY" || [ "$STRICTGPG" == "off" ];then
for PREPO in $(echo ${PRIORITY[*]}|sed 's/SLACKPKGPLUS_[^ ]*//g');do
gpg --output "${WORKDIR}/gpg/GPG-KEY-${PREPO}.gpg" --dearmor $2
done
else
echo
echo " !!! F A T A L !!!"
echo " Slackware repository does NOT contain the Official GPG-KEY"
echo " You SHOULD disable GPG Strict check 'STRICTGPG=off'"
echo " in /etc/slackpkg/slackpkgplus.conf"
echo
sleep 5
echo "Fatal: Slackware repository does not contains the official gpg-key!!" >>$TMPDIR/error.log
gpg $2 >>$TMPDIR/error.log 2>&1
fi
for PREPO in ${REPOPLUS[*]};do
if [ "${PREPO:0:4}" = "dir:" ];then
continue
@ -562,10 +583,13 @@ if [ "$SLACKPKGPLUS" = "on" ];then
elif echo $URLFILE |grep -q "^dir:/";then
continue
else
echo
$DOWNLOADER $2-tmp ${MIRRORPLUS[${PREPO/SLACKPKGPLUS_}]}GPG-KEY
fi
if [ $? -eq 0 ];then
gpg $2-tmp
gpg --import $2-tmp
gpg --output "${WORKDIR}/gpg/GPG-KEY-${PREPO}.gpg" --dearmor $2-tmp
else
echo
echo " !!! W A R N I N G !!!"
@ -577,6 +601,7 @@ if [ "$SLACKPKGPLUS" = "on" ];then
sleep 5
fi
rm $2-tmp
echo
done
fi
} # END function getfile()
@ -584,13 +609,42 @@ if [ "$SLACKPKGPLUS" = "on" ];then
# override slackpkg checkgpg()
# new checkgpg() is used to check gpg and to merge the CHECKSUMS.md5 files
function checkgpg() {
local FILENAME
local REPO
if echo $1|egrep -q "/SLACKPKGPLUS_(file|dir|http|ftp|https)[0-9]";then
echo 1
return
fi
if [ -e "${1}.asc" ];then
gpg --verify ${1}.asc ${1} 2>/dev/null && echo "1" || echo "0"
else
FILENAME=$(basename ${1})
if [ "$FILENAME" == "CHECKSUMS.md5" ];then
REPO=slackware
[ -e "${WORKDIR}/gpg/GPG-KEY-slackware64.gpg" ]&&REPO=slackware64
elif [ ${FILENAME:0:13} == "CHECKSUMS.md5" ];then
REPO=$(echo $FILENAME|cut -f2 -d-|sed 's/\.gz$//')
else
REPO=$(echo $1|sed -r -e "s,^$TEMP,/," -e "s,/\./,/,g" -e "s,//,/,g" -e "s,^/,," -e "s,/.*$,," -e "s,SLACKPKGPLUS_,,")
fi
if [ "$STRICTGPG" != "off" ];then
if [ ! -z "$REPO" ] && [ -e "${WORKDIR}/gpg/GPG-KEY-${REPO}.gpg" ] ; then
echo "Using GPG-KEY-${REPO}.gpg" >&2
gpg --no-default-keyring \
--keyring ${WORKDIR}/gpg/GPG-KEY-${REPO}.gpg \
--verify ${1}.asc ${1} 2>/dev/null && echo "1" || echo "0"
else
echo "No matching GPG-KEY for repository '$REPO' checking $FILENAME" >&2
echo "Try to run 'slackpkg update gpg' or 'slackpkg -checkgpg=off $CMD ...'" >&2
echo "No matching GPG-KEY for repository '$REPO' checking $FILENAME" >>$TMPDIR/error.log
echo "Try to run 'slackpkg update gpg' or 'slackpkg -checkgpg=off $CMD ...'" >>$TMPDIR/error.log
echo 0
fi
else
gpg --verify ${1}.asc ${1} 2>/dev/null && echo "1" || echo "0"
fi
else # $1.asc not downloaded
echo 1
fi
if [ "$(basename $1)" == "CHECKSUMS.md5" ];then
@ -1107,7 +1161,7 @@ if [ "$SLACKPKGPLUS" = "on" ];then
SPKGPLUS_VERSION="1.6.1"
SPKGPLUS_VERSION="1.7.a1"
VERSION="$VERSION / slackpkg+ $SPKGPLUS_VERSION"
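Review bot: In the GPG-KEY branch of getfile(), the official-key test `gpg $2|grep -q "$SLACKKEY"` is a text match on gpg's human-readable listing rather than a fingerprint comparison, so (SLACKKEY is defined outside this hunk) a key that merely carries the same user-ID string would presumably pass, and an empty SLACKKEY would match anything. Compare a pinned fingerprint from machine-readable output instead, e.g. `gpg --with-colons --with-fingerprint "$2" | grep -q "^fpr:.*:${SLACKKEY_FPR}:"`, where `SLACKKEY_FPR` is a placeholder for a variable holding the official key's fingerprint. The failing `else` branch only prints and logs before falling through to the loop that runs `gpg --import $2-tmp`, and its message tells the user they SHOULD set `STRICTGPG=off`; returning an error there and rewording the hint to "only if you trust this repository" would keep the check from being switched off by habit. In checkgpg() the `else # $1.asc not downloaded` arm still echoes `1`, so strict mode does not cover files whose signature is missing. Both function bodies start or end outside the visible hunks.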


@ -42,6 +42,12 @@ SENSITIVE_SEARCH=on
# Select the show order in dialogbox. Available "package" "repository" "tag" "path" "arch"
SHOWORDER=package
# Enable (on) / Disable (off) a Strict GPG Check. A repository should contains packages signed
# with the only original GPG-KEY. In some custom repository may be wanted to mix eterogeneous
# packages; to use that repository set Strict GPG Check to off. P.S: a repository can
# contain just ONE gpg-key; you may manually import the other.
STRICTGPG=on
# If two or more repositories contains some same packages, you can specify
# from which repository you prefer to search it.
# The syntax is "<repository_name>:<package_name>"
@ -69,7 +75,8 @@ TAG_PRIORITY=off
# List repositories you want to use (defined below)
# remember to launch 'slackpkg update' if you modify that row.
REPOPLUS=( slackpkgplus restricted alienbob slacky )
#REPOPLUS=( slackpkgplus restricted alienbob slacky )
REPOPLUS=( slackpkgplus )
# Define mirrors (uncomment one or more mirror; remember to add it to REPOPLUS)
@ -78,12 +85,12 @@ REPOPLUS=( slackpkgplus restricted alienbob slacky )
# for that repositories you may need to run slackpkg with 'slackpkg -checkgpg=off ...'
# Slackware 14.1 - i386
MIRRORPLUS['alienbob']=http://taper.alienbase.nl/mirrors/people/alien/sbrepos/14.1/x86/
MIRRORPLUS['restricted']=http://taper.alienbase.nl/mirrors/people/alien/restricted_sbrepos/14.1/x86/
MIRRORPLUS['slacky']=http://repository.slacky.eu/slackware-14.1/
#MIRRORPLUS['alienbob']=http://taper.alienbase.nl/mirrors/people/alien/sbrepos/14.1/x86/
#MIRRORPLUS['restricted']=http://taper.alienbase.nl/mirrors/people/alien/restricted_sbrepos/14.1/x86/
#MIRRORPLUS['slacky']=http://repository.slacky.eu/slackware-14.1/
# use this to keep the slackpkg+ package updated
MIRRORPLUS['slackpkgplus']=http://slakfinder.org/slackpkg+/
MIRRORPLUS['slackpkgplus']=http://slakfinder.org/slackpkg+dev/
# Local repository:
#MIRRORPLUS['alienbob']=file://repositories/alien/sbrepos/14.1/x86/


@ -50,6 +50,12 @@ SENSITIVE_SEARCH=on
# Select the show order in dialogbox. Available "package" "repository" "tag" "path" "arch"
SHOWORDER=package
# Enable (on) / Disable (off) a Strict GPG Check. A repository should contains packages signed
# with the only original GPG-KEY. In some custom repository may be wanted to mix eterogeneous
# packages; to use that repository set Strict GPG Check to off. P.S: a repository can
# contain just ONE gpg-key; you may manually import the other.
STRICTGPG=on
# If two or more repositories contains some same packages, you can specify
# from which repository you prefer to search it.
# The syntax is "<repository_name>:<package_name>"
@ -85,7 +91,8 @@ TAG_PRIORITY=off
# List repositories you want to use (defined below)
# remember to launch 'slackpkg update' if you modify that row.
REPOPLUS=( slackpkgplus restricted alienbob slacky )
#REPOPLUS=( slackpkgplus restricted alienbob slacky )
REPOPLUS=( slackpkgplus )
# Define mirrors (uncomment one or more mirror; remember to add it to REPOPLUS)
@ -95,12 +102,12 @@ REPOPLUS=( slackpkgplus restricted alienbob slacky )
# Slackware 14.1 - x86_64
#MIRRORPLUS['multilib']=http://taper.alienbase.nl/mirrors/people/alien/multilib/14.1/
MIRRORPLUS['alienbob']=http://taper.alienbase.nl/mirrors/people/alien/sbrepos/14.1/x86_64/
MIRRORPLUS['restricted']=http://taper.alienbase.nl/mirrors/people/alien/restricted_sbrepos/14.1/x86_64/
MIRRORPLUS['slacky']=http://repository.slacky.eu/slackware64-14.1/
#MIRRORPLUS['alienbob']=http://taper.alienbase.nl/mirrors/people/alien/sbrepos/14.1/x86_64/
#MIRRORPLUS['restricted']=http://taper.alienbase.nl/mirrors/people/alien/restricted_sbrepos/14.1/x86_64/
#MIRRORPLUS['slacky']=http://repository.slacky.eu/slackware64-14.1/
# use this to keep the slackpkg+ package updated
MIRRORPLUS['slackpkgplus']=http://slakfinder.org/slackpkg+/
MIRRORPLUS['slackpkgplus']=http://slakfinder.org/slackpkg+dev/
# Slackware current - x86_64
#MIRRORPLUS['multilib']=http://taper.alienbase.nl/mirrors/people/alien/multilib/current/