>>>>> On Mon, 04 Sep 2023, Michał Górny wrote:

> --- a/eclass/verify-sig.eclass
> +++ b/eclass/verify-sig.eclass
> @@ -214,12 +214,15 @@ verify-sig_verify_message() {
>  }
 
>  # @FUNCTION: verify-sig_verify_unsigned_checksums
> -# @USAGE: <checksum-file> <algo> <files>
> +# @USAGE: <checksum-file> <format> <files>

Below, verify-sig_verify_signed_checksums() still says "algo", change
that too for consistency?

>  # @DESCRIPTION:
>  # Verify the checksums for all files listed in the space-separated list
> -# <files> (akin to ${A}) using a <checksum-file>.  <algo> specifies
> -# the checksum algorithm (e.g. sha256).  <checksum-file> can be "-"
> -# for stdin.
> +# <files> (akin to ${A}) using a <checksum-file>.  <format> specifies
> +# the checksum file format.  <checksum-file> can be "-" for stdin.
> +#
> +# The following formats are supported:
> +# - sha256 -- sha256sum (<hash> <filename>)
> +# - openssl-dgst -- openssl dgst (<algo>(<filename>)=<hash>)

This won't be rendered as a list in the man page, but will be rewrapped
as a paragraph. (Putting a space before the "-" will help.)

The existing variable documentation of VERIFY_SIG_METHOD suffers from
the same problem, BTW.

>  #
>  # The function dies if one of the files does not match checksums or
>  # is missing from the checksum file.
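Review bot: The openssl-dgst entry in the new format list shows <algo>(<filename>)=<hash> but does not say which <algo> values are accepted, or that in this format the algorithm is read from the checksum file itself rather than from the function argument. Since this function is the one used for unsigned checksum files, the description should name the accepted algorithms explicitly. A sentence distinguishing the "sha256" format name from the sha256 algorithm would also help callers.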
> @@ -234,32 +237,46 @@ verify-sig_verify_unsigned_checksums() {
>       local algo=${2}

Maybe rename the variable to "format", when the documentation now says
that the second parameter specifies the format?

>       local files=()
>       read -r -d '' -a files <<<"${3}"
> -     local chksum_prog chksum_len
> +     local chksum_prog chksum_len format=coreutils

And rename this one too. (I don't find it intuitive for a checksum
format to be named "coreutils", when coreutils provides cksum, md5sum,
b2sum, etc.)

> 
>       case ${algo} in
>               sha256)
> -                     chksum_prog=sha256sum
>                       chksum_len=64
>                       ;;
> +             openssl-dgst)
> +                     format=${algo}
> +                     ;;
>               *)
> -                     die "${FUNCNAME}: unknown checksum algo ${algo}"
> +                     die "${FUNCNAME}: unknown checksum format ${algo}"
>                       ;;
>       esac
> 
>       [[ ${checksum_file} == - ]] && checksum_file=/dev/stdin
> -     local checksum filename junk ret=0 count=0
> -     while read -r checksum filename junk; do
> -             if [[ ${checksum} == "-----BEGIN" ]]; then
> +     local line checksum filename junk ret=0 count=0
> +     while read -r line; do
> +             if [[ ${line} == "-----BEGIN"* ]]; then
>                       die "${FUNCNAME}: PGP armor found, use 
> verify-sig_verify_signed_checksums instead"
>               fi
> 
> -             [[ ${#checksum} -eq ${chksum_len} ]] || continue
> -             [[ -z ${checksum//[0-9a-f]} ]] || continue
> -             has "${filename}" "${files[@]}" || continue
> -             [[ -z ${junk} ]] || continue
> -
> -             "${chksum_prog}" -c --strict - <<<"${checksum} ${filename}"
> -             if [[ ${?} -eq 0 ]]; then
> +             case ${format} in
> +                     coreutils)
> +                             read -r checksum filename junk <<<"${line}"
> +                             [[ ${#checksum} -ne ${chksum_len} ]] && continue
> +                             [[ -n ${checksum//[0-9a-f]} ]] && continue
> +                             [[ -n ${junk} ]] && continue
> +                             ;;
> +                     openssl-dgst)
> +                             [[ ${line} != *"("*")="* ]] && continue
> +                             checksum=${line##*)=}
> +                             algo=${line%%(*}
> +                             filename=${line#*(}
> +                             filename=${filename%)=*}
> +                             ;;
> +             esac
> +
> +             ! has "${filename}" "${files[@]}" && continue

This might be clearer if it was written as:

                has "${filename}" "${files[@]}" || continue

> +
> +             if "${algo,,}sum" -c --strict - <<<"${checksum} ${filename}"; 
> then
>                       (( count++ ))
>               else
>                       ret=1
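Review bot: In the openssl-dgst branch, algo is taken from the checksum file line (algo=${line%%(*}) and then used to build the command name in "${algo,,}sum" with no validation, so the content of an unsigned file selects which program gets run. That branch also skips the length and [0-9a-f] checks that the coreutils branch applies to checksum. Suggest matching ${algo,,} against an explicit list of supported algorithms and calling die otherwise, applying the same hex check to checksum, and keeping the parsed value in a separate local so the function's second parameter is not overwritten inside the loop. The chksum_prog local also appears to be unused now that its only assignment is removed.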
