The creator of pureftpd, dnscrypt-proxy, and libsodium has created a tool called 'minisign': https://github.com/jedisct1/minisign. Unfortunately, they only seem to provide PGP signatures for pureftpd and libsodium. They do however provide minisigs on GitHub. I wonder if verify-sig.eclass could/should support minisig? See: https://doc.libsodium.org/installation#integrity-checking.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a897adf292a147ccae858d50a630ac00fd955b25

commit a897adf292a147ccae858d50a630ac00fd955b25
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-04-16 03:35:20 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-04-16 03:58:04 +0000

    dev-libs/libsodium: add 1.0.18_p20210508

    Upstream regularly backport fixes from the main development branch to the
    last release branch. This is the first of such releases added in Gentoo
    (at least for 1.0.18).

    We also add verify-sig-like behaviour via app-crypt/minisign. Upstream
    don't provide PGP signatures for all backport/stable releases, so we need
    to use this instead.

    Bug: https://bugs.gentoo.org/783066
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libsodium/Manifest                        |  2 +
 .../libsodium/libsodium-1.0.18_p20210508.ebuild    | 95 ++++++++++++++++++++++
 2 files changed, 97 insertions(+)
I suppose I can take a look -- but I'm not sure if it wouldn't be easier to split it into a second eclass, given all the PGP stuff that would need to be made conditional.
(In reply to Michał Górny from comment #2)
> I suppose I can take a look -- but I'm not sure if it wouldn't be easier to
> split it into a second eclass, given all the PGP stuff that would need to be
> made conditional.

It’s genuinely no bother if you think this should be its own eclass, but it made sense to ask you first. I’m worried that pretty much no logic will be shared too.
FYI, with USE flag "verify-sig" set, there is a circular dependency of app-crypt/minisign depending on dev-libs/libsodium to be built and dev-libs/libsodium depending on minisign for "verify-sig" magic to be done.

To resolve this you could build dev-libs/libsodium without "verify-sig" USE flag first and enable the USE flag thereafter. But, this would defeat the purpose of having "verify-sig" set. Unfortunately, there seems no other way than this.

➤ env USE=verify-sig emerge dev-libs/libsodium
Calculating dependencies... done!
[nomerge       ] dev-libs/libsodium-1.0.18_p20210617:0/23::gentoo  USE="asm urandom verify-sig -minimal -static-libs" CPU_FLAGS_X86="aes sse4_1"
[ebuild  N     ]  app-crypt/minisign-0.9::gentoo  0 KiB
[ebuild  N     ] dev-libs/libsodium-1.0.18_p20210617:0/23::gentoo  USE="asm urandom verify-sig -minimal -static-libs" CPU_FLAGS_X86="aes sse4_1" 1 KiB

Total: 2 packages (2 new), Size of downloads: 1 KiB

 * Error: circular dependencies:

(app-crypt/minisign-0.9:0/0::gentoo, ebuild scheduled for merge) depends on
 (dev-libs/libsodium-1.0.18_p20210617:0/23::gentoo, ebuild scheduled for merge) (buildtime_slot_op)
  (app-crypt/minisign-0.9:0/0::gentoo, ebuild scheduled for merge) (buildtime)

It might be possible to break this cycle
by applying the following change:
- dev-libs/libsodium-1.0.18_p20210617 (Change USE: -verify-sig)

Note that this change can be reverted, once the package has been installed.
As we cannot get away from this circular dependency, the suggestion could be implemented in the ebuild instead:

It might be possible to break this cycle
by applying the following change:
- dev-libs/libsodium-1.0.18_p20210617 (Change USE: -verify-sig)

Note that this change can be reverted, once the package has been installed.
(In reply to David Sardari from comment #5)
> As we cannot get away from this circular dependency the suggestion could be
> implemented in the ebuild instead:

I don't think any of this is relevant to this bug. Circular dependencies are real and hard to solve automatically. See e.g. bug 175808 and perhaps more short-term bug 813504.
Exactly. Also, I guess this is fixed now.
(In reply to Michał Górny from comment #7) > Exactly. Also, I guess this is fixed now. Hm, is it? minisig is a bit different to signify, although quite similar. Anyway, I have a draft for this, but I'm going to revisit once the wireshark/openssl dgst stuff is done.
https://marc.info/?l=gentoo-dev&m=169474762819066&w=2
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6695ceddfc2b55392293665205c6e28c3cf0503a

commit 6695ceddfc2b55392293665205c6e28c3cf0503a
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-09-14 06:01:24 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-09-16 09:43:06 +0000

    dev-libs/libsodium: use new verify-sig minisign support

    Closes: https://bugs.gentoo.org/783066
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libsodium/libsodium-1.0.19-r1.ebuild | 20 +++----------------
 1 file changed, 3 insertions(+), 17 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9e9067d309e8b9f8a73b2312d409883f348b0ea5

commit 9e9067d309e8b9f8a73b2312d409883f348b0ea5
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-09-14 02:38:13 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-09-16 09:43:05 +0000

    verify-sig.eclass: minisig support

    Closes: https://bugs.gentoo.org/783066
    Signed-off-by: Sam James <sam@gentoo.org>

 eclass/verify-sig.eclass | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
(In reply to Sam James from comment #8)
> (In reply to Michał Górny from comment #7)
> > Exactly. Also, I guess this is fixed now.
>
> Hm, is it? minisig is a bit different to signify, although quite similar.
>
> Anyway, I have a draft for this, but I'm going to revisit once the
> wireshark/openssl dgst stuff is done.

I was about to revert my changes, because I *THOUGHT* I had it the wrong way around:

"""
Actually, no, I think I got it the wrong way around. signify can always handle minisig format, but minisig can't always handle signify format.
"""

But actually, no:

1) See https://github.com/aperezdc/signify/issues/20#issuecomment-510452505 wrt -H

2) I get this w/ libsodium:

```
 * Verifying libsodium-1.0.19.tar.gz ...
signify: invalid comment in libsodium-1.0.19.tar.gz.sig; must start with 'untrusted comment: '
 * ERROR: dev-libs/libsodium-1.0.19-r1::gentoo failed (unpack phase):
 *   Signify signature verification failed
```

so yeah, I think we're fine to keep the minisig support.
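To make the "a bit different, although quite similar" point concrete, the following is an added example, not part of this bug, of verify-sig.eclass, or of minisign's own source. It parses and verifies the minisign container as documented at https://jedisct1.github.io/minisign/: a public key line holding "Ed" || key id || key, a signature line whose algorithm tag is "Ed" (signs the raw file, the legacy form) or "ED" (signs the BLAKE2b-512 of the file, minisign's default), and then a trusted comment plus a global signature over the file signature and that comment, which a two-line signify-style file does not carry. The Ed25519 core is the RFC 8032 reference construction written out in pure Python so the block runs with the standard library alone; it is not constant-time and is meant for checking public data, not for holding real signing keys. All function names, the key id, the seed and the sample data are assumptions of this example.

```python
import base64, hashlib

# Ed25519 in the RFC 8032 reference construction: clear, but not constant-time.
P = 2**255 - 19
Q = 2**252 + 27742317777372353535851937790883648493
D = -121665 * pow(121666, P - 2, P) % P
SQRT_M1 = pow(2, (P - 1) // 4, P)

_hq = lambda data: int.from_bytes(hashlib.sha512(data).digest(), "little") % Q  # SHA-512 mod group order
def _add(a, b):  # points in extended coordinates (X, Y, Z, T); a == b doubles
    e = (a[1] - a[0]) * (b[1] - b[0]) % P
    f = (a[1] + a[0]) * (b[1] + b[0]) % P
    g = 2 * a[3] * b[3] * D % P
    h = 2 * a[2] * b[2] % P
    return ((f - e) * (h - g), (h + g) * (f + e), (h - g) * (h + g), (f - e) * (f + e))
def _mul(s, pt):  # double-and-add scalar multiplication
    acc = (0, 1, 1, 0)
    while s:
        if s & 1:
            acc = _add(acc, pt)
        pt, s = _add(pt, pt), s >> 1
    return acc
def _compress(pt):
    zi = pow(pt[2], P - 2, P)
    x, y = pt[0] * zi % P, pt[1] * zi % P
    return (y | (x & 1) << 255).to_bytes(32, "little")
def _decompress(raw):  # None for an invalid encoding
    y = int.from_bytes(raw, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    x2 = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * SQRT_M1 % P
    if y >= P or (x * x - x2) % P or (x == 0 and sign):
        return None
    if (x & 1) != sign:
        x = P - x
    return (x, y, 1, x * y % P)

BASE = _decompress((4 * pow(5, P - 2, P) % P).to_bytes(32, "little"))

def _expand(seed):  # clamped secret scalar and the nonce prefix
    h = hashlib.sha512(seed).digest()
    return int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254), h[32:]
def ed25519_public(seed):
    return _compress(_mul(_expand(seed)[0], BASE))
def ed25519_sign(seed, msg):
    a, prefix = _expand(seed)
    pk = _compress(_mul(a, BASE))
    r = _hq(prefix + msg)
    rb = _compress(_mul(r, BASE))
    return rb + ((r + _hq(rb + pk + msg) * a) % Q).to_bytes(32, "little")

def ed25519_verify(pk, msg, sig):
    a, r, s = _decompress(pk), _decompress(sig[:32]), int.from_bytes(sig[32:], "little")
    if len(pk) != 32 or len(sig) != 64 or a is None or r is None or s >= Q:
        return False
    lhs, rhs = _mul(s, BASE), _add(r, _mul(_hq(sig[:32] + pk + msg), a))  # s*B == R + k*A
    return (lhs[0] * rhs[2] - rhs[0] * lhs[2]) % P == 0 and (lhs[1] * rhs[2] - rhs[1] * lhs[2]) % P == 0

# minisign container (https://jedisct1.github.io/minisign/): public key = untrusted comment + base64("Ed"||key_id[8]||pk[32]);
# .minisig = untrusted comment, base64(alg[2]||key_id[8]||sig[64]), trusted comment, base64(global sig over sig||trusted_comment).
UNTRUSTED, TRUSTED = "untrusted comment: ", "trusted comment: "

def minisign_pubkey(seed, key_id):
    return UNTRUSTED + "minisign public key\n" + base64.b64encode(b"Ed" + key_id + ed25519_public(seed)).decode() + "\n"

def minisign_sign(seed, key_id, data, trusted_comment, prehash=True):
    # alg "ED" signs BLAKE2b-512(data), minisign's default; "Ed" signs the data itself,
    # the legacy form whose first two lines are what a signify signature also carries.
    alg, msg = (b"ED", hashlib.blake2b(data, digest_size=64).digest()) if prehash else (b"Ed", data)
    sig = ed25519_sign(seed, msg)
    gsig = ed25519_sign(seed, sig + trusted_comment.encode())  # binds the trusted comment to sig
    return "\n".join([UNTRUSTED + "signature from minisign secret key", base64.b64encode(alg + key_id + sig).decode(),
                      TRUSTED + trusted_comment, base64.b64encode(gsig).decode(), ""])

def minisign_verify(pubkey_text, sig_text, data):  # returns (ok, reason); never raises on bad input
    kl, sl = pubkey_text.splitlines(), sig_text.splitlines()
    if len(kl) < 2 or not kl[0].startswith(UNTRUSTED):
        return False, "public key must be an untrusted comment line followed by base64"
    if len(sl) < 4 or not sl[0].startswith(UNTRUSTED) or not sl[2].startswith(TRUSTED):
        return False, "signature needs untrusted comment, sig, trusted comment and global sig lines"
    try:
        key, sig, gsig = [base64.b64decode(x, validate=True) for x in (kl[1], sl[1], sl[3])]
    except ValueError:
        return False, "invalid base64"
    if len(key) != 42 or key[:2] != b"Ed" or len(sig) != 74 or len(gsig) != 64 or sig[:2] not in (b"ED", b"Ed"):
        return False, "wrong key/signature length or unknown algorithm"
    alg, key_id, pk, raw_sig = sig[:2], sig[2:10], key[10:], sig[10:]
    if key_id != key[2:10]:
        return False, "signature was made with a different key id"
    msg = hashlib.blake2b(data, digest_size=64).digest() if alg == b"ED" else data
    if not ed25519_verify(pk, msg, raw_sig):
        return False, "file signature invalid"
    if not ed25519_verify(pk, raw_sig + sl[2][len(TRUSTED):].encode(), gsig):
        return False, "global signature invalid: trusted comment or signature tampered"
    return True, "ok"
```

Usage: `minisign_verify(minisign_pubkey(seed, kid), minisign_sign(seed, kid, data, "timestamp:0\tfile:x.tar.gz"), data)` returns `(True, "ok")` for any 32-byte seed and 8-byte key id. A file with only the two signify-style lines is rejected before any cryptography runs, a modified trusted comment fails the global signature even though the file signature still verifies, and since the "ED" tag makes the BLAKE2b prehash part of what is signed, the same raw bytes verified under the wrong algorithm tag fail the file signature.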