Harden get-latest-pulsecore.sh

This uses stricter input validation and key handling. It also uses Sequoia instead of GnuPG for key fetching.
QubesOS · Jun 2, 2023 · 77a8b02 · 77a8b02
1 parent 4df5593
commit 77a8b02
Showing 1 changed file with 29 additions and 13 deletions.
diff --git a/get-latest-pulsecore.sh b/get-latest-pulsecore.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-set -ex
+set -euxo pipefail
 
 exit_updater() {
     local exit_code=$?
@@ -22,29 +22,45 @@ fi
 
 REPO_URL=https://gitlab.freedesktop.org/pulseaudio/pulseaudio.git
 
-LATEST_REPO_VERSION="$(git ls-remote --exit-code --refs --tags --sort="v:refname" "$REPO_URL" '*.*' | tail -n1 | cut -d/ -f3 | sed 's/^v//')"
+LATEST_REPO_VERSION=$(
+  git ls-remote --exit-code --refs --tags --sort="v:refname" "$REPO_URL" |
+  head -c $((1 << 16)) |
+  sed -nE $'$ s%^[0-9a-f]{40}\trefs/tags/v([0-9]+(\\.[0-9]{1,5}){1,2})$%\\1%p'
+)
 LATEST_QUBES_VERSION="$(find "$LOCALDIR/pulse" -type d -name "pulsecore-*" | sed "s|$LOCALDIR/pulse/pulsecore-||" | sort -g | tail -1)"
 
 trap 'exit_updater' 0 1 2 3 6 15
 
 if [ "${LATEST_QUBES_VERSION}" != "${LATEST_REPO_VERSION}" ] && [ ! -e "$LOCALDIR/pulse/pulsecore-${LATEST_REPO_VERSION}" ]; then
     cd "$TMPDIR"
+    mkdir gnupg-tmp gnupg git
+    export "GNUPGHOME=$PWD/gnupg"
+    cd git
 
-    git clone --depth 1 --branch "v$LATEST_REPO_VERSION" "$REPO_URL" .
+    git clone --no-checkout --depth 1 --branch "v$LATEST_REPO_VERSION" "$REPO_URL" .
 
+    trusted_signers=(
+        52DFA7B8BAC74687C8A88EF48165E3D1987E2132
+        B61E1D411D57BD16F11536162477064CE8B9F3BD
+    )
     # Import keys of repo taggers
-    for key in \
-        52DFA7B8BAC74687C8A88EF48165E3D1987E2132 \
-        B61E1D411D57BD16F11536162477064CE8B9F3BD; do
-        gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" ||
-            gpg --batch --keyserver keys.openpgp.org --recv-keys "$key" ||
-            gpg --batch --keyserver pgp.mit.edu --recv-keys "$key" ||
-            gpg --batch --keyserver keyserver.pgp.com --recv-keys "$key" ||
-            gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"
-    done
+    for key in "${trusted_signers[@]}"; do
+        echo "$key:6:" | gpg --import-ownertrust
+        for i in keyserver.ubuntu.com keys.openpgp.org pgp.mit.edu keyserver.pgp.com; do
+            sq keyserver --server "$i" get --binary -- "0x$key" && break
+        done
+    done | gpg --homedir=../gnupg-tmp --import --no-armor
+    gpg --homedir=../gnupg-tmp --export -- "${trusted_signers[@]}" | gpg --import --no-armor
+
+    for key in "${trusted_signers[@]}"; do
+        echo "$key:6:"
+    done | gpg --import-ownertrust
+
+    tag_to_verify="refs/tags/v$LATEST_REPO_VERSION"
 
     # Verify integrity
-    git -c gpg.program=gpg tag -v "$(git describe)"
+    git -c gpg.openpgp.program=gpg -c gpg.minTrustLevel=ultimate verify-tag "$tag_to_verify" || exit
+    git checkout "$tag_to_verify^{commit}"
 
     # remove unwanted files
     find "src/pulsecore" -type f ! -regex '.*\.h$' -exec rm -f {} \;