Integrity Checking Reference

Upstream key example:

        SOURCE=blah
       SOURCE2=blah.asc
    SOURCE_URL=http://blah.com/$SOURCE
   SOURCE2_URL=http://blah.com/$SOURCE2
    SOURCE_GPG=blah.gpg:$SOURCE2:UPSTREAM_KEY
SOURCE2_IGNORE=signature # for auditing purposes

Guru signed example:

    SOURCE=blah
SOURCE_URL=http://blah.com/$SOURCE
SOURCE_GPG=swoolley.gpg:$SOURCE.asc:WORKS_FOR_ME

SHA512 example:

     SOURCE=blah
 SOURCE_URL=http://blah.com/$SOURCE
SOURCE_HASH=sha512:d41d8cd98f00b204e9800998ecf8427e:WORKS_FOR_ME

MD5 example (deprecated, always use other methods):

     SOURCE=blah
 SOURCE_URL=http://blah.com/$SOURCE
SOURCE_HASH=md5:d41d8cd98f00b204e9800998ecf8427e:WORKS_FOR_ME

GPG mode:

  • Validates the verification level and the hash algorithm against user-defined lists. It finds the public key and the signature automatically by searching the spell's directory, the section directory, the grimoire directory, and the current working directory; for the gpg signature it also searches the spell cache. Verification levels indicate how much effort was put into validating the integrity of the source from the upstream vendor. They are, in order from lowest to highest security:
    • WORKS_FOR_ME (No verification with upstream was done.)

    • UPSTREAM_HASH (Checked the upstream hash file)

    • UPSTREAM_KEY (Checked upstream (gpg) key, signature matched, but the key was not validated)

    • ESTABLISHED_UPSTREAM_KEY (Upstream key was not validated against multiple independent sources, but has been in use for several years)

    • VERIFIED_UPSTREAM_KEY (Upstream key id was verified against multiple independent sources.)

    • ID_CHECK_UPSTREAM_KEY (Key was verified in person with a photo id check.)

    The highest priority key that is reasonably possible to obtain should be used. The format of GPG checking is:
    • <name>.gpg:$SOURCE.sig:verification_level
    Creation of $SOURCE.sig is usually done with the command:
    • gpg [--default-key <key>] --digest-algo SHA512 --detach-sign <path to source>
      The output file is then placed in the script directory of the spell.

In HASH mode:

  • Validates the verification level (the third parameter) and the hash algorithm against user-defined lists. It uses gpg to calculate the hash value except for md5 and sha1, which coreutils provides.

    Hashes available are md5, sha1, sha256, sha384, sha512, and ripemd160, but sha512 is the currently-used hash.
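The HASH-mode checks described above, sketched as an added example (not sorcery's own code; the function names and return codes are hypothetical). It validates the `algo:digest:level` field itself, modelling the user-defined level list as a single minimum level, and also rejects a digest whose length does not match the named algorithm.

```shell
#!/bin/sh
# Added example: validate a SOURCE_HASH value (algo:digest:level) before trusting it.
# Function names and return codes are hypothetical, not sorcery's own.

# Rank of a verification level, in the page's order from lowest to highest.
level_rank() {
  case $1 in
    WORKS_FOR_ME) echo 0 ;;
    UPSTREAM_HASH) echo 1 ;;
    UPSTREAM_KEY) echo 2 ;;
    ESTABLISHED_UPSTREAM_KEY) echo 3 ;;
    VERIFIED_UPSTREAM_KEY) echo 4 ;;
    ID_CHECK_UPSTREAM_KEY) echo 5 ;;
    *) return 1 ;;
  esac
}

# Hex digest length for each hash the page lists.
digest_len() {
  case $1 in
    md5) echo 32 ;;
    sha1|ripemd160) echo 40 ;;
    sha256) echo 64 ;;
    sha384) echo 96 ;;
    sha512) echo 128 ;;
    *) return 1 ;;
  esac
}

# check_hash_field FIELD MIN_LEVEL "ALLOWED ALGOS"
# Returns 0 if acceptable, 1 malformed field, 2 algorithm not allowed,
# 3 digest has wrong length or non-hex characters, 4 level unknown or too low.
check_hash_field() {
  local algo rest digest level want have min
  case $1 in *:*:*) ;; *) return 1 ;; esac
  algo=${1%%:*}; rest=${1#*:}
  digest=${rest%%:*}; level=${rest#*:}
  case " $3 " in *" $algo "*) ;; *) return 2 ;; esac
  want=$(digest_len "$algo") || return 2
  [ "${#digest}" -eq "$want" ] || return 3
  case $digest in *[!0-9a-fA-F]*) return 3 ;; esac
  have=$(level_rank "$level") || return 4
  min=$(level_rank "$2") || return 4
  [ "$have" -ge "$min" ] || return 4
}

# The page's MD5 line passes only if the user still allows md5.
check_hash_field "md5:d41d8cd98f00b204e9800998ecf8427e:WORKS_FOR_ME" \
  WORKS_FOR_ME "sha512" || echo "rejected with code $?"
```

A 32-character digest labelled `sha512` returns code 3, so a copy-and-paste mismatch between algorithm and digest is caught before any file is hashed.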

In IGNORE mode:

  • It checks for the following text:
    • volatile (for cvs/svn/any-other-scm)

    • unversioned (the source file changes frequently, but not a direct scm)

    • signature (for gnupg signatures)

    as reasons for ignoring the source code validation. Signatures are silently ignored (i.e. not printed to the user). Everything else respects MD5SUM_DL, which is deprecated.

Otherwise, it falls back to MISSING mode, which will usually error out without user intervention (depending on their integrity checking settings). Otherwise, it falls back to the old uncompressed md5sum check with MD5[n].

The default verification level is "WORKS_FOR_ME".

IntegrityCheckingReference (last edited 2010-07-09 07:46:31 by DonaldJohnson)