Skip to content

Instantly share code, notes, and snippets.

@bureado
Last active November 28, 2022 23:47
Show Gist options
  • Save bureado/90dde9dea76462c71c921fbbff6132c4 to your computer and use it in GitHub Desktop.
Save bureado/90dde9dea76462c71c921fbbff6132c4 to your computer and use it in GitHub Desktop.
#!/bin/sh
# Video: https://www.youtube.com/watch?v=Rv4ZlbMb1pE&list=PL9GzfK3UKP1vOcUkp3ayByoBY2pT641YN&index=3
# Usage: ./hash-to-buildinfo.sh <.deb package>
# Works with deb packages obtained from a Debian archive
# Assumes rekor CLI is in ./
# This all exists because https://unix.stackexchange.com/a/612931
# https://unix.stackexchange.com/a/673157
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=763822
# Also read https://wiki.debian.org/SourceOnlyUpload
# And https://buildinfos.debian.net/README.txt
FILE=$1
# https://buildinfos.debian.net/buildinfo-pool.list
BILIST=./buildinfo-pool.list
file $1 | grep 'Debian binary package' > /dev/null 2>&1 || exit 1
PKGHAS=`sha1sum $FILE | cut -f1 -d' '`
PKGNAM=`dpkg --info $FILE | egrep '^\s+(Package:)' | awk '{print $2;}'`
PKGVER=`dpkg --info $FILE | egrep '^\s+(Version:)' | awk '{print $2;}'`
PKGARC=`dpkg --info $FILE | egrep '^\s+(Architecture:)' | awk '{print $2;}'`
echo "------------------"
echo "$PKGHAS claims to be $PKGNAM, version $PKGVER for $PKGARC"
echo "------------------"
# TODO: binary to source mapping
for file in `grep "${PKGNAM}_${PKGVER}" $BILIST | egrep "(${PKGARC}|source)" | grep -v kfreebsd`
do
BINAME=`basename $file`
echo "Fetching $BINAME from buildinfos..."
curl --silent -o $BINAME https://buildinfos.debian.net/$file
echo "Verifying signature..."
gpg --verify $BINAME
echo "Finding references to the binary hash of interest in the buildinfo..."
grep $PKGHAS $BINAME
NAKEDSHA1=`cat $BINAME | sed -n '/^Format/,/-----BEGIN PGP SIGNATURE/p' | head -n -2 | sha1sum - | cut -f1 -d' '`
NAKEDSHA256=`cat $BINAME | sed -n '/^Format/,/-----BEGIN PGP SIGNATURE/p' | head -n -2 | sha256sum - | cut -f1 -d' '`
echo "The SHA1 of the unsigned buildinfo file is $NAKEDSHA256"
echo "...you may visit https://buildinfo.debian.net/$NAKEDSHA1 for more information"
# I guess inspired in https://rekor.sigstore.dev/api/v1/log/entries/42701a14f1695efcca791223759451f88cfbd624810d869a773df268fc37dc3d
echo "Searching for $NAKEDSHA256 in rekor..."
REKORUUID=`./rekor search --sha $NAKEDSHA256 2> /dev/null | tail -n1`
[ ! -Z $REKORUUID ] && echo "...you may visit https://rekor.sigstore.dev/api/v1/log/entries/$REKORUUID for more information" || echo "Not found!"
# TODO: dsc->orig logic
# TODO: rebuilder logic
# See https://beta.tests.reproducible-builds.org/debian.html and https://github.com/fepitre/package-rebuilder and rebuilderd
echo "------------------"
done
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment