Last active
November 28, 2022 23:47
-
-
Save bureado/90dde9dea76462c71c921fbbff6132c4 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/sh | |
# Video: https://www.youtube.com/watch?v=Rv4ZlbMb1pE&list=PL9GzfK3UKP1vOcUkp3ayByoBY2pT641YN&index=3 | |
# Usage: ./hash-to-buildinfo.sh <.deb package> | |
# Works with deb packages obtained from a Debian archive | |
# Assumes rekor CLI is in ./ | |
# This all exists because https://unix.stackexchange.com/a/612931 | |
# https://unix.stackexchange.com/a/673157 | |
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=763822 | |
# Also read https://wiki.debian.org/SourceOnlyUpload | |
# And https://buildinfos.debian.net/README.txt | |
FILE=$1 | |
# https://buildinfos.debian.net/buildinfo-pool.list | |
BILIST=./buildinfo-pool.list | |
file $1 | grep 'Debian binary package' > /dev/null 2>&1 || exit 1 | |
PKGHAS=`sha1sum $FILE | cut -f1 -d' '` | |
PKGNAM=`dpkg --info $FILE | egrep '^\s+(Package:)' | awk '{print $2;}'` | |
PKGVER=`dpkg --info $FILE | egrep '^\s+(Version:)' | awk '{print $2;}'` | |
PKGARC=`dpkg --info $FILE | egrep '^\s+(Architecture:)' | awk '{print $2;}'` | |
echo "------------------" | |
echo "$PKGHAS claims to be $PKGNAM, version $PKGVER for $PKGARC" | |
echo "------------------" | |
# TODO: binary to source mapping | |
for file in `grep "${PKGNAM}_${PKGVER}" $BILIST | egrep "(${PKGARC}|source)" | grep -v kfreebsd` | |
do | |
BINAME=`basename $file` | |
echo "Fetching $BINAME from buildinfos..." | |
curl --silent -o $BINAME https://buildinfos.debian.net/$file | |
echo "Verifying signature..." | |
gpg --verify $BINAME | |
echo "Finding references to the binary hash of interest in the buildinfo..." | |
grep $PKGHAS $BINAME | |
NAKEDSHA1=`cat $BINAME | sed -n '/^Format/,/-----BEGIN PGP SIGNATURE/p' | head -n -2 | sha1sum - | cut -f1 -d' '` | |
NAKEDSHA256=`cat $BINAME | sed -n '/^Format/,/-----BEGIN PGP SIGNATURE/p' | head -n -2 | sha256sum - | cut -f1 -d' '` | |
echo "The SHA1 of the unsigned buildinfo file is $NAKEDSHA256" | |
echo "...you may visit https://buildinfo.debian.net/$NAKEDSHA1 for more information" | |
# I guess inspired in https://rekor.sigstore.dev/api/v1/log/entries/42701a14f1695efcca791223759451f88cfbd624810d869a773df268fc37dc3d | |
echo "Searching for $NAKEDSHA256 in rekor..." | |
REKORUUID=`./rekor search --sha $NAKEDSHA256 2> /dev/null | tail -n1` | |
[ ! -Z $REKORUUID ] && echo "...you may visit https://rekor.sigstore.dev/api/v1/log/entries/$REKORUUID for more information" || echo "Not found!" | |
# TODO: dsc->orig logic | |
# TODO: rebuilder logic | |
# See https://beta.tests.reproducible-builds.org/debian.html and https://github.com/fepitre/package-rebuilder and rebuilderd | |
echo "------------------" | |
done |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment