From 7f1ad1acb59728b7abe51aef27aec6dd362dfbb2 Mon Sep 17 00:00:00 2001 From: Matteo Rossini Date: Mon, 4 Jan 2016 23:17:37 +0100 Subject: [PATCH] STRICTGPG setting added. Prepared for development tree --- ChangeLog.txt | 11 +++++++ src/ChangeLog.txt | 11 +++++++ src/README | 20 ++++++++++++ src/repositories.lst | 1 + src/repositories.txt | 2 +- src/slackpkgplus.sh | 60 ++++++++++++++++++++++++++++++++-- src/slackpkgplus.x86.sample | 17 +++++++--- src/slackpkgplus.x86_64.sample | 17 +++++++--- 8 files changed, 125 insertions(+), 14 deletions(-) diff --git a/ChangeLog.txt b/ChangeLog.txt index ff7905a..950c8b8 100644 --- a/ChangeLog.txt +++ b/ChangeLog.txt @@ -1,3 +1,14 @@ +Version 1.7.a1 - 04/Jan/2015 + It's the time for a stable version of slackpkg+. Currently it is just a + development version to fix older feature and add/test new. I'll need more + test possible to make it bugfree ;). + - Code reordering; now slackpkg+ is only slackpkgplus.sh + - Added repositories; improved checkrepos.sh + - BugFix: slackpk give 'grep: write error' when running with "sudo su -" + - SecurityFix: Strict GPG Check. Packages MUST to be signed with root-GPG-KEY. + If can disable it via CHECKGPG in slackpkgplus.sh; see README + - New repository for slackpkg+ development version + Version 1.6.1 - 20/Dec/2015 - Added DOWNLOADONLY to just download packages without installing it diff --git a/src/ChangeLog.txt b/src/ChangeLog.txt index ff7905a..950c8b8 100644 --- a/src/ChangeLog.txt +++ b/src/ChangeLog.txt 
@@ -1,3 +1,14 @@ +Version 1.7.a1 - 04/Jan/2015 + It's the time for a stable version of slackpkg+. Currently it is just a + development version to fix older feature and add/test new. I'll need more + test possible to make it bugfree ;). + - Code reordering; now slackpkg+ is only slackpkgplus.sh + - Added repositories; improved checkrepos.sh + - BugFix: slackpk give 'grep: write error' when running with "sudo su -" + - SecurityFix: Strict GPG Check. Packages MUST to be signed with root-GPG-KEY. + If can disable it via CHECKGPG in slackpkgplus.sh; see README + - New repository for slackpkg+ development version + Version 1.6.1 - 20/Dec/2015 - Added DOWNLOADONLY to just download packages without installing it diff --git a/src/README b/src/README index e99804d..184ac03 100644 --- a/src/README +++ b/src/README @@ -511,6 +511,26 @@ Default is "package" ----- +STRICTGPG + +slackpkg was bird to install slackware packages from official mirrors; they +are signed with the official slackware GPG-KEY, so no other packages may be +added (unless you disable GPG check). +slackpkg+ introduces the ability to download keys from many repositories; as +implication, slackpkg+ allow also to copy packages from other repositories and +the original signature; in this way a repository can contain a mix of packages +that may confuse the user. + +Strict GPG check disallow users to do that. This improve the security. + +However some user may want to do a custom repository with any type of +packages. +To use a similar repository you may set STRICTGPG=off +Note that sometime you may need to import manually the GPG-KEY with the command +# gpg --import GPG-KEY + +----- + INSTALL LOG Slackpkg+ now create a log of all installed packages in /var/lib/slackpkg/install.log diff --git a/src/repositories.lst b/src/repositories.lst index c86ee7d..f0f2b21 100644 --- a/src/repositories.lst +++ b/src/repositories.lst 
@@ -38,6 +38,7 @@ http://slackware.org.uk/msb/14.1/1.8/x86_64
 http://slackware.org.uk/msb/testing/1.12/x86 yes yes MATE SlackBuilds
 http://slackware.org.uk/msb/testing/1.12/x86_64 yes yes MATE SlackBuilds
 http://slakfinder.org/slackpkg+ yes yes Matteo Rossini
+http://slakfinder.org/slackpkg+dev yes yes Matteo Rossini
 http://slint.fr/packages/14.0-i486 yes yes Didier Spaier
 http://slint.fr/packages/14.0-x86_64 yes yes Didier Spaier
 http://slint.fr/packages/14.1-i486 yes yes Didier Spaier
diff --git a/src/repositories.txt b/src/repositories.txt
index a5b5488..c1013e9 100644
--- a/src/repositories.txt
+++ b/src/repositories.txt
@@ -1,7 +1,7 @@
 Supported Repositories:
 > Supports GPG
-> slackpkgplus: http://slakfinder.org/slackpkg+/
+> slackpkgplus: http://slakfinder.org/slackpkg+{,dev}/
 > multilib: http://taper.alienbase.nl/mirrors/people/alien/multilib/{13.37,14.0,14.1,current}/
 > alienbob: http://taper.alienbase.nl/mirrors/people/alien/sbrepos/{13.37,14.0,14.1,current}/{x86,x86_64}/
 > ktown: http://taper.alienbase.nl/mirrors/alien-kde/{13.37,14.0,14.1,current}/{latest,5}/{x86,x86_64}/
diff --git a/src/slackpkgplus.sh b/src/slackpkgplus.sh
index 572c6a9..cd7e04a 100755
--- a/src/slackpkgplus.sh
+++ b/src/slackpkgplus.sh
@@ -25,6 +25,7 @@ if [ -e $CONF/slackpkgplus.conf ];then
 EXTSENSITIVE_SEARCH=$SENSITIVE_SEARCH
 EXTCACHEUPDATE=$CACHEUPDATE
 EXTDOWNLOADONLY=$DOWNLOADONLY
+ EXTSTRICTGPG=$STRICTGPG
 . $CONF/slackpkgplus.conf
@@ -39,6 +40,7 @@ if [ -e $CONF/slackpkgplus.conf ];then
 SENSITIVE_SEARCH=${EXTSENSITIVE_SEARCH:-$SENSITIVE_SEARCH}
 CACHEUPDATE=${EXTCACHEUPDATE:-$CACHEUPDATE}
 DOWNLOADONLY=${EXTDOWNLOADONLY:-$DOWNLOADONLY}
+ STRICTGPG=${EXTSTRICTGPG:-$STRICTGPG}
 USEBLACKLIST=true
 if [ "$USEBL" == "0" ];then
@@ -457,6 +459,7 @@ if [ "$SLACKPKGPLUS" = "on" ];then
 fi
 if [ $(basename $1) = "MANIFEST.bz2" ];then
+ rm -f $WORKDIR/*-filelist.gz 2>/dev/null
 if [ ! -s $2 ];then
 echo -n|bzip2 -c >$2
 fi
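Review bot: `rm -f $WORKDIR/*-filelist.gz 2>/dev/null` in the MANIFEST.bz2 branch is an unguarded wildcard delete on an unquoted variable; if `WORKDIR` is ever unset or empty when this runs, the glob silently targets `/*-filelist.gz` instead of the work directory. The `:?` expansion makes the precondition explicit and aborts instead: `rm -f -- "${WORKDIR:?}"/*-filelist.gz 2>/dev/null`. The enclosing function starts before this hunk.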
@@ -551,6 +554,24 @@ if [ "$SLACKPKGPLUS" = "on" ];then
 done
 fi
 if [ $(basename $1) = "GPG-KEY" ];then
+ mkdir -p ${WORKDIR}/gpg
+ rm -f ${WORKDIR}/gpg/* 2>/dev/null
+ gpg $2
+ if gpg $2|grep -q "$SLACKKEY" || [ "$STRICTGPG" == "off" ];then
+ for PREPO in $(echo ${PRIORITY[*]}|sed 's/SLACKPKGPLUS_[^ ]*//g');do
+ gpg --output "${WORKDIR}/gpg/GPG-KEY-${PREPO}.gpg" --dearmor $2
+ done
+ else
+ echo
+ echo " !!! F A T A L !!!"
+ echo " Slackware repository does NOT contain the Official GPG-KEY"
+ echo " You SHOULD disable GPG Strict check 'STRICTGPG=off'"
+ echo " in /etc/slackpkg/slackpkgplus.conf"
+ echo
+ sleep 5
+ echo "Fatal: Slackware repository does not contains the official gpg-key!!" >>$TMPDIR/error.log
+ gpg $2 >>$TMPDIR/error.log 2>&1
+ fi
 for PREPO in ${REPOPLUS[*]};do
 if [ "${PREPO:0:4}" = "dir:" ];then
 continue
@@ -562,10 +583,13 @@ if [ "$SLACKPKGPLUS" = "on" ];then
 elif echo $URLFILE |grep -q "^dir:/";then
 continue
 else
+ echo
 $DOWNLOADER $2-tmp ${MIRRORPLUS[${PREPO/SLACKPKGPLUS_}]}GPG-KEY
 fi
 if [ $? -eq 0 ];then
+ gpg $2-tmp
 gpg --import $2-tmp
+ gpg --output "${WORKDIR}/gpg/GPG-KEY-${PREPO}.gpg" --dearmor $2-tmp
 else
 echo
 echo " !!! W A R N I N G !!!"
@@ -577,6 +601,7 @@ if [ "$SLACKPKGPLUS" = "on" ];then
 sleep 5
 fi
 rm $2-tmp
+ echo
 done
 fi
 } # END function getfile()
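Review bot: The strict check `if gpg $2|grep -q "$SLACKKEY"` decides whether the downloaded key is the official Slackware key by a substring search over gpg's human-readable listing, so it only asserts that the key block contains the `$SLACKKEY` text; if `$SLACKKEY` is the user-ID string (as it appears to be in slackpkg's configuration — verify), any key carrying that user ID passes strict mode. Pinning the fingerprint is the robust form, e.g. `KEYFPR=$(gpg --with-colons --with-fingerprint $2|awk -F: '$1=="fpr"{print $10;exit}')` followed by `if [ "$KEYFPR" == "<PINNED_OFFICIAL_FINGERPRINT>" ] || [ "$STRICTGPG" == "off" ];then`, with the placeholder replaced by a fingerprint shipped in the configuration. The `else` branch prints "F A T A L" and logs, but then falls through to the `for PREPO in ${REPOPLUS[*]}` loop and getfile() carries on, so the only effect is a later checkgpg() failure; a `return 1` after the log line (or whatever status the caller of getfile() honours — not visible here) would make the outcome match the message. Also `gpg $2` with no command is run three times on the same file (bare to stdout, piped to grep, appended to the log) and relies on gpg's default action for a file argument; one `--with-colons` listing captured in a variable would serve all three uses.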
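Review bot: `gpg --output "${WORKDIR}/gpg/GPG-KEY-${PREPO}.gpg" --dearmor $2-tmp` on the new side is guarded only by the download's exit status, not its own; when the fetched GPG-KEY is not a valid armored key (a mirror returning an error page, for instance) the per-repository keyring is missing or empty and the user later sees only checkgpg()'s "No matching GPG-KEY" message. Checking it, `gpg --output "${WORKDIR}/gpg/GPG-KEY-${PREPO}.gpg" --dearmor $2-tmp || echo "Cannot dearmor GPG-KEY for ${PREPO}" >>$TMPDIR/error.log`, records the real cause where the rest of getfile() already logs. The added `gpg $2-tmp` listing goes to stdout and is noise in scripted runs; sending it to stderr or dropping it would match the surrounding code, which only prints warnings. getfile() begins before this hunk.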
@@ -584,13 +609,42 @@ if [ "$SLACKPKGPLUS" = "on" ];then
 # override slackpkg checkgpg()
 # new checkgpg() is used to check gpg and to merge the CHECKSUMS.md5 files
 function checkgpg() {
+ local FILENAME
+ local REPO
+
 if echo $1|egrep -q "/SLACKPKGPLUS_(file|dir|http|ftp|https)[0-9]";then
 echo 1
 return
 fi
 if [ -e "${1}.asc" ];then
- gpg --verify ${1}.asc ${1} 2>/dev/null && echo "1" || echo "0"
- else
+
+ FILENAME=$(basename ${1})
+ if [ "$FILENAME" == "CHECKSUMS.md5" ];then
+ REPO=slackware
+ [ -e "${WORKDIR}/gpg/GPG-KEY-slackware64.gpg" ]&&REPO=slackware64
+ elif [ ${FILENAME:0:13} == "CHECKSUMS.md5" ];then
+ REPO=$(echo $FILENAME|cut -f2 -d-|sed 's/\.gz$//')
+ else
+ REPO=$(echo $1|sed -r -e "s,^$TEMP,/," -e "s,/\./,/,g" -e "s,//,/,g" -e "s,^/,," -e "s,/.*$,," -e "s,SLACKPKGPLUS_,,")
+ fi
+
+ if [ "$STRICTGPG" != "off" ];then
+ if [ ! -z "$REPO" ] && [ -e "${WORKDIR}/gpg/GPG-KEY-${REPO}.gpg" ] ; then
+ echo "Using GPG-KEY-${REPO}.gpg" >&2
+ gpg --no-default-keyring \
+ --keyring ${WORKDIR}/gpg/GPG-KEY-${REPO}.gpg \
+ --verify ${1}.asc ${1} 2>/dev/null && echo "1" || echo "0"
+ else
+ echo "No matching GPG-KEY for repository '$REPO' checking $FILENAME" >&2
+ echo "Try to run 'slackpkg update gpg' or 'slackpkg -checkgpg=off $CMD ...'" >&2
+ echo "No matching GPG-KEY for repository '$REPO' checking $FILENAME" >>$TMPDIR/error.log
+ echo "Try to run 'slackpkg update gpg' or 'slackpkg -checkgpg=off $CMD ...'" >>$TMPDIR/error.log
+ echo 0
+ fi
+ else
+ gpg --verify ${1}.asc ${1} 2>/dev/null && echo "1" || echo "0"
+ fi
+ else # $1.asc not downloaded
 echo 1
 fi
 if [ "$(basename $1)" == "CHECKSUMS.md5" ];then
@@ -1107,7 +1161,7 @@ if [ "$SLACKPKGPLUS" = "on" ];then
- SPKGPLUS_VERSION="1.6.1"
+ SPKGPLUS_VERSION="1.7.a1"
 VERSION="$VERSION / slackpkg+ $SPKGPLUS_VERSION"
diff --git a/src/slackpkgplus.x86.sample b/src/slackpkgplus.x86.sample
index ad1bddb..77bc527 100644
--- a/src/slackpkgplus.x86.sample
+++ b/src/slackpkgplus.x86.sample
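Review bot: The new failure branch in checkgpg() advises `slackpkg -checkgpg=off $CMD ...`, which disables signature verification for every repository, whereas the matching message in getfile() advises `STRICTGPG=off`, which keeps verification against the imported default keyring; the two recovery hints should agree and name the less drastic option first, e.g. `echo "Try 'slackpkg update gpg', or set STRICTGPG=off in slackpkgplus.conf (see README) before resorting to 'slackpkg -checkgpg=off $CMD ...'" >&2` for both the stderr line and the error.log line. `REPO=$(echo $1|sed -r -e "s,^$TEMP,/," ...)` splices `$TEMP` into a sed expression, so a `$TEMP` containing `,` or regex metacharacters yields a wrong `$REPO`; under strict mode that fails closed with "No matching GPG-KEY", which is acceptable but deserves a comment such as `# $TEMP is assumed to contain no ',' and no regex metacharacters`. For consistency with the quoted `-e` test just above, `--keyring ${WORKDIR}/gpg/GPG-KEY-${REPO}.gpg` and `[ ${FILENAME:0:13} == "CHECKSUMS.md5" ]` should quote their expansions. checkgpg() continues past the end of this hunk.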
@@ -42,6 +42,12 @@ SENSITIVE_SEARCH=on
 # Select the show order in dialogbox. Available "package" "repository" "tag" "path" "arch"
 SHOWORDER=package
+# Enable (on) / Disable (off) a Strict GPG Check. A repository should contains packages signed
+# with the only original GPG-KEY. In some custom repository may be wanted to mix eterogeneous
+# packages; to use that repository set Strict GPG Check to off. P.S: a repository can
+# contain just ONE gpg-key; you may manually import the other.
+STRICTGPG=on
+
 # If two or more repositories contains some same packages, you can specify
 # from which repository you prefer to search it.
 # The syntax is ":"
@@ -69,7 +75,8 @@ TAG_PRIORITY=off
 # List repositories you want to use (defined below)
 # remember to launch 'slackpkg update' if you modify that row.
-REPOPLUS=( slackpkgplus restricted alienbob slacky )
+#REPOPLUS=( slackpkgplus restricted alienbob slacky )
+REPOPLUS=( slackpkgplus )
 # Define mirrors (uncomment one or more mirror; remember to add it to REPOPLUS)
@@ -78,12 +85,12 @@ REPOPLUS=( slackpkgplus restricted alienbob slacky )
 # for that repositories you may need to run slackpkg with 'slackpkg -checkgpg=off ...'
 # Slackware 14.1 - i386
-MIRRORPLUS['alienbob']=http://taper.alienbase.nl/mirrors/people/alien/sbrepos/14.1/x86/
-MIRRORPLUS['restricted']=http://taper.alienbase.nl/mirrors/people/alien/restricted_sbrepos/14.1/x86/
-MIRRORPLUS['slacky']=http://repository.slacky.eu/slackware-14.1/
+#MIRRORPLUS['alienbob']=http://taper.alienbase.nl/mirrors/people/alien/sbrepos/14.1/x86/
+#MIRRORPLUS['restricted']=http://taper.alienbase.nl/mirrors/people/alien/restricted_sbrepos/14.1/x86/
+#MIRRORPLUS['slacky']=http://repository.slacky.eu/slackware-14.1/
 # use this to keep the slackpkg+ package updated
-MIRRORPLUS['slackpkgplus']=http://slakfinder.org/slackpkg+/
+MIRRORPLUS['slackpkgplus']=http://slakfinder.org/slackpkg+dev/
 # Local repository:
 #MIRRORPLUS['alienbob']=file://repositories/alien/sbrepos/14.1/x86/
diff --git a/src/slackpkgplus.x86_64.sample b/src/slackpkgplus.x86_64.sample
index 92eabaa..6d0a3e4 100644
--- a/src/slackpkgplus.x86_64.sample
+++ b/src/slackpkgplus.x86_64.sample
@@ -50,6 +50,12 @@ SENSITIVE_SEARCH=on
 # Select the show order in dialogbox. Available "package" "repository" "tag" "path" "arch"
 SHOWORDER=package
+# Enable (on) / Disable (off) a Strict GPG Check. A repository should contains packages signed
+# with the only original GPG-KEY. In some custom repository may be wanted to mix eterogeneous
+# packages; to use that repository set Strict GPG Check to off. P.S: a repository can
+# contain just ONE gpg-key; you may manually import the other.
+STRICTGPG=on
+
 # If two or more repositories contains some same packages, you can specify
 # from which repository you prefer to search it.
 # The syntax is ":"
@@ -85,7 +91,8 @@ TAG_PRIORITY=off
 # List repositories you want to use (defined below)
 # remember to launch 'slackpkg update' if you modify that row.
-REPOPLUS=( slackpkgplus restricted alienbob slacky )
+#REPOPLUS=( slackpkgplus restricted alienbob slacky )
+REPOPLUS=( slackpkgplus )
 # Define mirrors (uncomment one or more mirror; remember to add it to REPOPLUS)
@@ -95,12 +102,12 @@ REPOPLUS=( slackpkgplus restricted alienbob slacky )
 # Slackware 14.1 - x86_64
 #MIRRORPLUS['multilib']=http://taper.alienbase.nl/mirrors/people/alien/multilib/14.1/
-MIRRORPLUS['alienbob']=http://taper.alienbase.nl/mirrors/people/alien/sbrepos/14.1/x86_64/
-MIRRORPLUS['restricted']=http://taper.alienbase.nl/mirrors/people/alien/restricted_sbrepos/14.1/x86_64/
-MIRRORPLUS['slacky']=http://repository.slacky.eu/slackware64-14.1/
+#MIRRORPLUS['alienbob']=http://taper.alienbase.nl/mirrors/people/alien/sbrepos/14.1/x86_64/
+#MIRRORPLUS['restricted']=http://taper.alienbase.nl/mirrors/people/alien/restricted_sbrepos/14.1/x86_64/
+#MIRRORPLUS['slacky']=http://repository.slacky.eu/slackware64-14.1/
 # use this to keep the slackpkg+ package updated
-MIRRORPLUS['slackpkgplus']=http://slakfinder.org/slackpkg+/
+MIRRORPLUS['slackpkgplus']=http://slakfinder.org/slackpkg+dev/
 # Slackware current - x86_64
 #MIRRORPLUS['multilib']=http://taper.alienbase.nl/mirrors/people/alien/multilib/current/