@bureado
Last active November 28, 2022 23:47
#!/bin/sh
# Video: https://www.youtube.com/watch?v=Rv4ZlbMb1pE&list=PL9GzfK3UKP1vOcUkp3ayByoBY2pT641YN&index=3
# Usage: ./hash-to-buildinfo.sh <.deb package>
# Works with deb packages obtained from a Debian archive
# Assumes rekor CLI is in ./
# This all exists because https://unix.stackexchange.com/a/612931
# https://unix.stackexchange.com/a/673157
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=763822
# Also read https://wiki.debian.org/SourceOnlyUpload
# And https://buildinfos.debian.net/README.txt
FILE=$1
# https://buildinfos.debian.net/buildinfo-pool.list
BILIST=./buildinfo-pool.list
file "$FILE" | grep -q 'Debian binary package' || { echo "$FILE is not a Debian binary package" >&2; exit 1; }
# SHA1 because that is what the Checksums-Sha1 field of a .buildinfo lists for each .deb
PKGHAS=$(sha1sum "$FILE" | cut -f1 -d' ')
# dpkg-deb -f prints a single control field, so no grepping of --info output is needed
PKGNAM=$(dpkg-deb -f "$FILE" Package)
PKGVER=$(dpkg-deb -f "$FILE" Version)
PKGARC=$(dpkg-deb -f "$FILE" Architecture)
echo "------------------"
echo "$PKGHAS claims to be $PKGNAM, version $PKGVER for $PKGARC"
echo "------------------"
# TODO: binary to source mapping (the pool list is keyed by source package name,
# so a binary package whose name differs from its source will not be found here)
for file in $(grep "${PKGNAM}_${PKGVER}" "$BILIST" | grep -E "(${PKGARC}|source)" | grep -v kfreebsd)
do
  BINAME=$(basename "$file")
  echo "Fetching $BINAME from buildinfos..."
  curl --silent --fail -o "$BINAME" "https://buildinfos.debian.net/$file" || { echo "...download of $file failed" >&2; continue; }
  echo "Verifying signature..."
  # A failed verification is reported but does not stop the run, since the buildd
  # key may simply be missing from the local keyring; do not trust the file in that case.
  gpg --verify "$BINAME" || echo "WARNING: signature on $BINAME did NOT verify; treat its contents as untrusted" >&2
  echo "Finding references to the binary hash of interest in the buildinfo..."
  grep "$PKGHAS" "$BINAME" || echo "...$PKGHAS is not listed in $BINAME"
  # Strip the clearsign armor: keep from the Format: line up to, but excluding,
  # the blank line and the -----BEGIN PGP SIGNATURE----- line.
  NAKEDSHA1=$(sed -n '/^Format/,/-----BEGIN PGP SIGNATURE/p' "$BINAME" | head -n -2 | sha1sum | cut -f1 -d' ')
  NAKEDSHA256=$(sed -n '/^Format/,/-----BEGIN PGP SIGNATURE/p' "$BINAME" | head -n -2 | sha256sum | cut -f1 -d' ')
  echo "The SHA1 of the unsigned buildinfo file is $NAKEDSHA1 (SHA256: $NAKEDSHA256)"
  echo "...you may visit https://buildinfo.debian.net/$NAKEDSHA1 for more information"
  # I guess this was inspired by https://rekor.sigstore.dev/api/v1/log/entries/42701a14f1695efcca791223759451f88cfbd624810d869a773df268fc37dc3d
  echo "Searching for $NAKEDSHA256 in rekor..."
  # rekor search prints a header line followed by matching UUIDs; take the last one
  REKORUUID=$(./rekor search --sha "$NAKEDSHA256" 2> /dev/null | tail -n1)
  # -Z is not a test(1) operator; -n is the non-empty-string check that was intended
  if [ -n "$REKORUUID" ]; then
    echo "...you may visit https://rekor.sigstore.dev/api/v1/log/entries/$REKORUUID for more information"
  else
    echo "Not found!"
  fi
  # TODO: dsc->orig logic
  # TODO: rebuilder logic
  # See https://beta.tests.reproducible-builds.org/debian.html and https://github.com/fepitre/package-rebuilder and rebuilderd
  echo "------------------"
done
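Two steps of the script above deserve more rigour than a `grep` and a `sed` range give them: recovering the text that was actually signed (clearsign armor dash-escapes body lines that start with `-`, per RFC 4880 section 7.1), and checking that the .deb digest is a real entry in the right `Checksums-*` field rather than a substring anywhere in the file. The following is an added example, not bureado's code or anything from buildinfos.debian.net; the sample .buildinfo, its digests, size, package name and "signature" are all constructed, and it assumes POSIX sh, awk and GNU coreutils.

```shell
#!/bin/sh
# Added example, not part of the original gist. Two helpers that tighten
# steps of hash-to-buildinfo.sh:
#   unsigned_body    - recover the clearsigned text from a .buildinfo
#                      (dash-escaping undone) so it can be hashed offline
#   deb_in_buildinfo - require the .deb digest to appear as a complete
#                      entry (digest, size, filename) in the matching
#                      Checksums-* field, not anywhere in the file
# The .buildinfo written by make_sample_buildinfo is constructed:
# placeholder digests, placeholder signature, made-up package name.

# Print the text between the blank line that ends the armor headers and
# the "-----BEGIN PGP SIGNATURE-----" line. RFC 4880 section 7.1 dash-escapes
# signed lines beginning with '-' by prefixing "- "; that prefix is removed.
# A file with no armor at all is passed through unchanged. Note that
# `gpg --output - --verify` is the authoritative way to get the signed
# text; this is the offline fallback for when the signing key is absent.
unsigned_body() {
    awk '
        NR == 1 && !/^-----BEGIN PGP SIGNED MESSAGE-----$/ { in_body = 1 }
        /^-----BEGIN PGP SIGNED MESSAGE-----$/ { in_hdr = 1; next }
        in_hdr && /^$/                         { in_hdr = 0; in_body = 1; next }
        in_hdr                                 { next }
        /^-----BEGIN PGP SIGNATURE-----$/      { exit }
        in_body                                { sub(/^- /, ""); print }
    ' "$1"
}

# Usage: deb_in_buildinfo <buildinfo> <Md5|Sha1|Sha256> <hex digest>
# Prints "<size> <filename>" and returns 0 when the digest is the first
# token of a continuation line under "Checksums-<Algo>:"; returns 1 otherwise.
# A digest-looking string in an unrelated field satisfies a bare grep;
# field-aware matching does not accept it.
deb_in_buildinfo() {
    unsigned_body "$1" | awk -v section="Checksums-$2:" -v want="$3" '
        /^[^ ]/              { in_sec = ($0 == section); next }  # field header
        in_sec && $1 == want { print $2, $3; found = 1; exit }  # continuation line
        END                  { exit found ? 0 : 1 }
    '
}

# Constructed sample (not a real Debian artefact). The DECOY variable in
# Environment carries a digest-looking value that appears nowhere else.
make_sample_buildinfo() {
    cat > "$1" <<'EOF'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.0
Source: example-pkg
Binary: example-pkg
Architecture: amd64
Version: 1.0-1
Checksums-Md5:
 00000000000000000000000000000000 56208 example-pkg_1.0-1_amd64.deb
Checksums-Sha1:
 0123456789abcdef0123456789abcdef01234567 56208 example-pkg_1.0-1_amd64.deb
Checksums-Sha256:
 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 56208 example-pkg_1.0-1_amd64.deb
Build-Origin: Debian
Build-Architecture: amd64
Environment:
 DEB_BUILD_OPTIONS="parallel=4"
 DECOY="deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
-----BEGIN PGP SIGNATURE-----

placeholder-not-a-real-signature
-----END PGP SIGNATURE-----
EOF
}

# Stand-alone demo: hash the signed text, then look a digest up both ways.
SAMPLE=$(mktemp)
make_sample_buildinfo "$SAMPLE"
echo "sha256 of signed text: $(unsigned_body "$SAMPLE" | sha256sum | cut -d' ' -f1)"
DECOY=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
grep -q "$DECOY" "$SAMPLE" && echo "bare grep: $DECOY 'found' in $SAMPLE"
deb_in_buildinfo "$SAMPLE" Sha1 "$DECOY" || echo "field-aware: $DECOY is not a Checksums-Sha1 entry"
rm -f "$SAMPLE"
```

In the script above, `grep "$PKGHAS" "$BINAME"` would be replaced by `deb_in_buildinfo "$BINAME" Sha1 "$PKGHAS"`, which also hands back the expected file size and name for a second comparison against the local .deb.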