Switch download verification from hash to signature

Similar to the Linux kernel, the signature is over uncompressed file, so uncompress it first (via DispVM if possible).
QubesOS · Nov 13, 2024 · b6275f4 · b6275f4
1 parent fd648ac
commit b6275f4
Show file tree

Hide file tree

Showing 6 changed files with 132 additions and 9 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,7 @@
 *.swp
 *.tar.xz
+*.tar
+*.tar.sign
+*.tar.xz.UNTRUSTED
 *.bin
 /pkgs/
diff --git a/.qubesbuilder b/.qubesbuilder
@@ -5,4 +5,7 @@ host:
 source:
   files:
   - url: https://www.kernel.org/pub/linux/kernel/firmware/linux-firmware-@[email protected]
-    sha512: linux-firmware-@[email protected]
+    signature: https://www.kernel.org/pub/linux/kernel/firmware/linux-firmware-@[email protected]
+    uncompress: true
+    pubkeys:
+    - firmware-1-key.asc
diff --git a/Makefile b/Makefile
@@ -6,6 +6,8 @@ VERSION := $(shell cat version)
 
 FEDORA_SOURCES := https://src.fedoraproject.org/rpms/linux-firmware/raw/f$(subst fc,,$(DIST))/f/sources
 SRC_FILE := linux-firmware-$(VERSION).tar.xz
+SRC_TARFILE := linux-firmware-$(VERSION).tar
+SIGN_FILE := $(SRC_TARFILE).sign
 
 BUILDER_DIR ?= ../..
 SRC_DIR ?= qubes-src
@@ -21,13 +23,28 @@ ifeq ($(FETCH_CMD),)
 $(error "You can not run this Makefile without having FETCH_CMD defined")
 endif
 
-%: %.sha512
-	@$(FETCH_CMD) $@$(UNTRUSTED_SUFF) -- $(DISTFILES_MIRROR)$@
-	@sha512sum --status -c <(printf "$$(cat $<)  -\n") <$@$(UNTRUSTED_SUFF) || \
-		{ echo "Wrong SHA512 checksum on $@$(UNTRUSTED_SUFF)!"; exit 1; }
-	@mv $@$(UNTRUSTED_SUFF) $@
+.INTERMEDIATE: firmware-keyring.gpg
+firmware-keyring.gpg: firmware-1-key.asc
+	cat $^ | gpg --dearmor >$@
 
-get-sources: $(SRC_FILE)
+.INTERMEDIATE: $(SRC_TARFILE)$(UNTRUSTED_SUFF)
+%.tar$(UNTRUSTED_SUFF): %.tar.xz$(UNTRUSTED_SUFF)
+	if [ -f /usr/bin/qvm-run-vm ]; \
+	then qvm-run-vm --no-gui --dispvm 2>/dev/null xzcat <$< > $@; \
+	else xzcat <$< > $@; fi
+
+$(SRC_TARFILE): $(SRC_TARFILE)$(UNTRUSTED_SUFF) $(SIGN_FILE) firmware-keyring.gpg
+	gpgv --keyring ./$(word 3,$^) $(word 2,$^) $(word 1,$^) || \
+	  { echo "Wrong signature on $@$(UNTRUSTED_SUFF)!"; exit 1; }
+	mv $@$(UNTRUSTED_SUFF) $@
+
+$(SRC_FILE)$(UNTRUSTED_SUFF):
+	@$(FETCH_CMD) $@ -- $(DISTFILES_MIRROR)$(SRC_FILE)
+
+$(SIGN_FILE):
+	@$(FETCH_CMD) $(SIGN_FILE) -- $(DISTFILES_MIRROR)$@
+
+get-sources: $(SRC_TARFILE)
 	@true
 
 verify-sources:

diff --git a/firmware-1-key.asc b/firmware-1-key.asc
@@ -0,0 +1,101 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBE6HwcoBEADEsPaBiaRbGU2GLvWupHRLz7weXiVk21bFrh7lno2YPtvOqDR9
+TP4BIzk2+53AhWadF0dhzKI1NeG2od8fofEHMMbI467/7gzEB78Rv4+3Srwz1Zu0
+bMFJPcdtAvBaJvHB6wP6mCl0eGCFIX9dN2ktr3GW6Z+mxxCeD+7Sm43Lt7PXU6Ff
+W9sMmwxgV/ytXGEsZjM0MIcxUpTKX1WAEAK6Sjlv5No7tphHGR6B4eWWRXTB+CUE
+gYsVRfx0LI1cHiZCWYb5P65iy29IxSzy/8/jcTVuFKUyVMxNolfzF9HonL7iRCel
+oGDRGcCSPhftuCVC6dfBT1/XDHC9LuYVVfJQ1lT/yooBDkWmFoT3HWW2OjCECCVe
+wsTS0C42xGpNab6iytaG2L6AWZh27XMi4V9rGGjaskmbpa4Inu3/SIClxXqc68yz
+u1MRwViH09mcQIk7PlpQEGVaNCi5/1/on78sqUFrM3RNVMP3vNWtpP3Pjhpi2uQm
+nsheeOZ8A1kaQ33lg7aNnPO4FKk1Fs0C8/BCJsiaFZW7vKWkus0u3hubavUrfBaT
+6nCUWijdKVzWdrlj4GAEHWnsDBYBqAXjOLwPX7LOIGFy9+gjdgCVY84YTQsKP1mF
+cp7b7ZFI6MnTnZnlKdk3C4la4LFhWGRV6ULOvhDtyA9rZpYIGffMCd6f6QARAQAB
+tB9Kb3NoIEJveWVyIDxqd2JveWVyQGtlcm5lbC5vcmc+iQJOBBMBCAA4FiEETN6F
+deVHv4Nf4VgHoxtr1ySGz9YFAmQsF2YCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgEC
+F4AACgkQoxtr1ySGz9amHw/+M09gNDF2H0uh/6UOhf9HD1l6DrDY9Av51Ben3VYz
+e68zqGADIWhdSGQUUPKC5oG/vK7GqqBd0ZipkDroxgV8f2eWFfDg5IajRFr45nLs
+5rGMWB3Xp3tvVPfogfnuFu5RJcQuODu4wIk0x9nX/z9YRsQbofrsS3WHJGgZTl1L
+tIN6/FuCMarnEF+cSCLxYAUF/rEUkJpVw8x9khBFf1jdHJDCga2Q29FuAXWrNaDd
+inc6jyN4Xuh/+KOtcr0ggvHplzi8y+neGY4OKk3GszIojbYI1z/xniKl3N8Sb5zC
+u7ZEGE2F6WsijhdrtSl7iJPAUCY/FMk8z4SJVKKelxpIB/ggUl6O90YWDgmPepkk
+YJMGxXAx/qgnPeBPKhuZotyUM/HmbA8+GSMuX9cMpUEYGDEy5EHwdER1kFldGD2m
+h8VSy/oasjSuO1UPkS+dZAHIvVVRHI7Fu2JMbYmuUn3xdkHh4hGgkOPzYvVBh6MB
+w/DJkb3oNA1aA2nSyOrpZ2M/9i7qO7+bqqktr1+ns0f4C07dqgHAROhoOyrRDnOW
+6nmAeNjxUMjFyVBfx8pbEdCbo64vPwQihJydV2P9fi8P1o4PpTh1aINPsterhGyh
+QAcFjKBwAO3YzCfwhPOzHi0fOE377oo4B6RQDmtUgeBWSPWnSoAlIjsYDumNoHd5
+PpK0Jkpvc2ggQm95ZXIgPGp3Ym95ZXJAZmVkb3JhcHJvamVjdC5vcmc+iQI4BBMB
+AgAiBQJOjbQ3AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCjG2vXJIbP
+1iEFEAC9HKFw9obHCATY4yIfHV8+/W17qBkhyL/6jo1JWKacd4BxDRir3nP8OyCt
+jbJ9f9XyRwg58ZDbjbeUPwCIU8a6OyMm61hi4HcrVaQTkflT1ZNN5uZXdxCsGPLr
+SwvHdPbhBwtXNUk/7H087NU1zZf4Sv3rVxEhUpqVAuKPC+mQW7IC4wQPxo24XBRl
+BfknJxuiOpuiCwD5N1Vcoqg/d4CVLiM3bnGQUyjDBJML6mTyJ7iMR96nBU8bdAxL
+2AkcTS0CIQq6j+7EvlcLhWV4AsCGmVj6Wfs1lXP/vi4ZkQJkVdoBuViI8MVthh3o
+2xS4QFiK4Opi48Lg7Ix75PHN0jr7laZojgrEgFv/U8aixc+piOVXmH30TTlFsZSl
+44Kp/s7K9Ukgti5svmm9z1teDUZAIlZsVaATPHb2Ewgog/4SHLr7U/AGupKCEf/o
+MM10IrS+6ID6o/A51h90DT7vR6wlszQ8Ip2djM1oVuA38nnXnQR8GPVIf15ZOPSR
+KbR+VBiPZKR6Qjdtv7dvRdoH5vpvIvD7GoSkAdqY1WPlgDUKiCEIO2+iWOn9fG+O
+00UxhVvmKHw+TFPimS7y5C8NL+TQYZp7rA0o1zOckyKajTCyzZXmoHGrCqmwCXEk
+ncS8BNtDjjJo5bNpn1Xi6z4edunSaLsY0tnEVB74sChN3ZhbObQeSm9zaCBCb3ll
+ciA8amJveWVyQHJlZGhhdC5jb20+iQI4BBMBAgAiBQJOibPYAhsDBgsJCAcDAgYV
+CAIJCgsEFgIDAQIeAQIXgAAKCRCjG2vXJIbP1n14D/9iy/cBm55cRa8CM0gxhXQx
+uKJpb1+yO0YywC3mg1m3E4FsxephMjqcKACSXp1PLlFbOgQg3K2NrQFvirPS8YPW
+8YPfW1PhvnBA0Iik5vZjXyhdXzEuLsZraLoMu3u5BJJ3M/Vg4EmLYJiM0pndewat
+nfBrmb/AZlllyjhhLIUparuOqYSutvGclzWOn+4pkN4nhkK/YjuCwsic+t8Lv2pl
+BfxTTlxrWPnfkKdpSv4orVAEuiZwFkaoFrfHqPOP1qyjBWXrHfQPoqDoTVxzIn+F
+TgnLuAQqU9LDMsLRHxz+dMfZubZUDul9tQndgM/nC4B3CGAil6BE4/Ad9fNao8eK
+aWuLwnOBR2PHbThHvOLjfRfNcfH/BZaOhlBzk7M7vxrIIHv/2B1M5hkpepaeQNaD
+O1gsgMzuFIYcvilWESW8V23W/cA95PsdneucAAwHeiJX7JxjR8wBTyKO7vIBBozw
+WqS7eevkxyVd1qcyD/0w9JFl+zYlRLyo0LA4aK+eN5LjGhgC3+WyeHaZmF+ikq0y
+I/FjiSIH71sm9RCwvnKST5HTkGjFypE5vQ7Un8Ned787/h1Y3dZvc/tpLztcv4Vp
+tJq+uy3Oveqbup+Y38nbkxUPNmMZPXgPqRVmJ8Dl79h6KUcee7GAYI6GTLfE1YvT
+CL9aihtrVOulNCNIPeJsOLQfSm9zaCBCb3llciA8andib3llckByZWRoYXQuY29t
+PokCOAQTAQIAIgUCTomzwgIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ
+oxtr1ySGz9b87g/9E9lm2S8GiSQcqMmrreB405EyvbY2voozTA1UwBhgOzMsLOSb
+ChzUg0ZhaFymacnEJY5I9TI9gt6SCPlMDR5iuZu4i9qO0dYEzUz7vJaVmJgZNZwW
+j8uyWFzPQ+oAW34a+3LgnyuM1n1+wL8OkuzVjkAp/Ej+MiqdfLIdmejR5g/a0nAe
+NQlCnrxQyG/zJ9h9taYHLzj4msxrYd5M4+2JbsBLLNx02/HM/qs4uR53hg4cELdL
+8hh9CxGVZKA/IU4IZt7DbOhloNuRVXjJcd+367tp17gPUssbgVU71O6q4cb1RuQZ
+UuFvKDK0yWugDikkRL7WplVTM2JT316V6DRce1m2RGBojklleK20Rwn4zJFxITBj
+gP489vHFrMHQT/4+pKd2EokxNl2C3IIpDeWvRL4hDWzN06kWLun7whZLfUaqOkIV
+t2uAFgGnOU81wTk+/INaI5NaTFEX3ZSTfKge+KQBO4tUx+vLH90PaZbPz3CHUlF3
+3gLlgcs9y+4E3CtUYq7VZzkkExsfP4YrilpH0Bfr8v5EtjG/W0E4Yp1kYWnQbYEQ
+8JhxBF5lKyfNrH9joP6lBTCfyk6iV3w9BOs2R52+utXDAcnkQf1agHkNLDYhvh6b
+6/GidXc29O/SfErNuso/D2Gbds0aTqsKovN+r4yQ9pT0mCKHqYo8P+4Pnqy0Hkpv
+c2ggQm95ZXIgPGp3Ym95ZXJAZ21haWwuY29tPokCOAQTAQIAIgIbAwYLCQgHAwIG
+FQgCCQoLBBYCAwECHgECF4AFAk6Ia58ACgkQoxtr1ySGz9ZXfw/8D9PqabtHKoHU
+mNUY0SDRpRGdr/GryUu/y1JyCH7fEHRtUr/czK7vhRlC0C5FkjPGs1Uk5Clh8eEa
+xqXapT5HXFyJCRaSZnXnxcES1gbwA83RagL1bhJg1tzkyfLuPFsaLz/xIlzzYyNR
+iVyFowHGmH+gao3KpmjIVTESz/Cow989ABg9mgDyCsSP/1E8czr2AQ4sFHCp9gUj
+aorON8gldwKzdueTe9Sm+mVbaMbnVbu7Wab6UH8lLWx7kFy+JSM/XXcyDtVu2nDd
+f+2YJum7Uu6rRymzfdLFR0jQ2YTLypKy8ticUuhG4qKplea6Jep20WRftkEFwKF8
+IFjiLRjTRbO0rAmp+svGC29AOJKp6kbpEpcnfnQuMjQohhhiyYjbmRU7v0VH6Fwz
+FRbY1LPJfjCVJzNNADMKz4gXfugOyKBoATY+3aFCC3aWynEubnM4+n2ferlAb8di
+sBT/XYolypJcybODb/NgoHO2xtSFsrRqEPwIBlHieEgms0RJJoUYJ87V3jP5xcPV
+ZqbBAseiToj/8nE31oDqQdA8iTpL47Oehe3ytoibkXbsFKLNVP7JUv0xFLkbcr0S
+01M7pMptLUyxtf2Uhw5nTZ3YRJNmGmG0gsgACaT68yFVOJVhq4BBaxmGYKOKCUPX
+Xm/7ct1BV6w7XEIFCedi2sSDTDckboW5Ag0ETofBygEQALt0Ysxusm8hE6i5RzYh
+ROU+/CsSRewFLREJai0G/v2K9dWMs/3gQYlTdce3YOoi7z1Vs+VOCJsGbY3m1s1O
+78tNoC+VpNi+HIEQY0spHXfvgseHxYs7OUmPppDP6mLFFn3il0OwvbT3rZSVHjEd
+rGTUo0pm66SB6JDIfsFraZ1MPchNaE/X4DqwRrW++xUBZn76V+7PvuohIFS+wMSt
+eBkBGelc/fGHEPDuGluvrJmzciou7dFWilD1O3T+y8bRKyBv+VT78IEpiS420l0X
+C9mPPga3cF/0gj/nFHFcS2WVoClps5eK3e1y/5L2pQVyyg0RTLGhrqtRjZ4M8U4U
+KoCpJEiT6elAe7EyWh5figdWHTbDjrmCd+7vxzb4KldcpIIYsB964Pi1uGxzZpHJ
+wbUJJAdkP8NajsEENdPw8feVmOhe4K0Kw2BrG8XBUUwRP1LsSzdD/q2b7huub+yq
+wi/4Pz10f5QkNwSxpeGxQ++V4tPjtysnB1yEmUkpGIYggCi+dOh9A5bLFd/wVuEY
+JRqtVWHfaosFLaHI0Fqnk9nR1UlijHyFGw7gA1kJZ04Is3ebfTb0vVaPlHboLgNN
+Ku6fF2ilb5y2n3nLuLjt207N3V9iLL/lADCCCtdQX70Ttbnau8S5gBdrm+rbcuCI
+GaFKJEmfuT02jPpowA4wosJxABEBAAGJAiUEGAECAA8FAk6HwcoCGwwFCQlmAYAA
+CgkQoxtr1ySGz9Za/w//cy5naWF+8Q2lGuAJF2FpZb9Tha1jiqEfjlnOZ7nsms4z
+iQHsLQG0oWa2h5THBfLvNQj1ZDeH1Pd/DdRpTbMmsgXEificAaTM5W0lJwRhY3LJ
+8AkI4J5XVLOP5b7ToKo2tz99K42gxpSXLZN/hobdNO5p7h9kbomeTG033F7hv0bU
+4cCGHFiQlkjjHguUUhDbB6ZEGnczKY7th1FMywtaBoo+zAeQkW+Uzawh7lxv3Sgg
+2/K8xfUybfDHXnPox76X6QYN90mLhRQaCvuVuUPC6Jt5RlQujHCFff1hbKNdqEXH
+roxoWaYNUrNnt4HB3xe/tUxjT2d9VWb3YAGe4dcEidDcx3dwsqslvECynA/BHX3f
+SQirvYs7JYGY4wERkYgtsc3s8DJTJWEbRA3FQeRwg1nnK9nYjMDur7ndwQ+0wMxP
+1k++aWiNO9xsQtlGhFp/GnQmppklSbU3szbqEESq5hjVrzg1AxWktipJpTcCvJtZ
+7QePzFWrIXHJQTL4F53Mx5Pwnk4erTesZpjKwrBYNrzUvL2qV49aC1Pnp/USu9Dw
+Ss4LTzVuhd9bGxoOmigewI4HFS3cTLVyZX7a9p9/KRqWsR526oJP+els4fusIOlZ
+PIxNs825zBUFBXmh8Z3Z/ejWCz5eXyBbpFgoaiqN+mud7awQUSQtf6SLGbEYWD8=
+=mmSu
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/linux-firmware-20240811.tar.xz.sha512 b/linux-firmware-20240811.tar.xz.sha512
diff --git a/linux-firmware.spec.in b/linux-firmware.spec.in
@@ -12,7 +12,7 @@ URL:		http://www.kernel.org/
 BuildArch:	noarch
 Epoch:      1
 
-Source0:	https://www.kernel.org/pub/linux/kernel/firmware/%{name}-%{version}.tar.xz
+Source0:	%{name}-%{version}.tar
 
 BuildRequires:	make
 BuildRequires:	git-core