authorTimo Weingärtner <timo@tiwe.de>2024-10-24 11:18:07 +0200
committerTimo Weingärtner <timo@tiwe.de>2024-10-24 11:18:07 +0200
commit43718b8be48640580bf9cc0d57e98b8f5d166998 (patch)
tree9640cb9d37e96be95e9ac2420b8c7b69c41be61d
parent86ff9a1cd6428d469d1015a8b7b781501eb0ad49 (diff)
parentda301a83b9bf37988bcb4b3029ee2dcd85983995 (diff)
downloadopenssh-known-hosts-43718b8be48640580bf9cc0d57e98b8f5d166998.tar.gz
Merge tag '0.6.3' into debian
release 0.6.3
-rw-r--r--changelog93
-rw-r--r--examples/curl2
-rw-r--r--examples/kit_edu5
-rw-r--r--examples/kit_edu.filter2
-rw-r--r--examples/rsync2
-rwxr-xr-xplugins/curl13
-rwxr-xr-xplugins/psql2
-rwxr-xr-xplugins/rsync13
-rwxr-xr-xupdate-openssh-known-hosts76
9 files changed, 154 insertions, 54 deletions
diff --git a/changelog b/changelog
index ef7ce56..b76f83b 100644
--- a/changelog
+++ b/changelog
@@ -1,4 +1,93 @@
-commit 43b1b4cbfb1aeabf3c9542c27c971790bf77cf91 (HEAD, master)
+commit 274f3a6fca8d003140eed1fdd6bf70e016403bad
+Author: Timo Weingärtner <timo@tiwe.de>
+Date: 2024-10-24 10:55:42 +0200
+
+ remove examples/kit_edu, service gone
+
+commit b29ad4a5696aa1cbf85b77ae64c99865e57d2d6b
+Author: Guillem Jover <guillem@hadrons.org>
+Date: 2024-09-30 01:39:13 +0200
+
+ Add sopv support
+
+ This is a subset of the Stateless OpenPGP CLI
+ <https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/>,
+ that can easily replace the GnuPG usage.
+
+ There are multiple implementations providing this interface.
+
+commit 31b9dc01eb871055de006a3fb94fdaea2059966a
+Author: Guillem Jover <guillem@hadrons.org>
+Date: 2024-10-02 03:32:13 +0200
+
+ Clarify comment on exit code override to workaround overlapping codes
+
+ The framework expects to be able to ignore specific exit codes from the
+ plugins, but if we are possibly returning exit codes from different
+ tools, then it's hard to untangle what tool generated which exit code.
+
+ In the plugins at hand the exit code 1 seems like a safe one, given both
+ curl and rsync usage, so we currently turn any OpenPGP verification
+ error into that.
+
+commit c26168119320ca5b03e6b420e3c4192d1e2ecc6a
+Author: Guillem Jover <guillem@hadrons.org>
+Date: 2024-09-30 02:00:58 +0200
+
+ Current gpgv requires the datafile for detached signatures
+
+ Otherwise we get the following error:
+
+ gpgv: no signed data
+ gpgv: can't hash datafile: No data
+
+commit a18b87e43ece9a448ab912225e1a26d8fd4b3e7f
+Author: Guillem Jover <guillem@hadrons.org>
+Date: 2024-09-30 01:36:22 +0200
+
+ Use OpenPGP when referring to the standard or objects
+
+ These are OpenPGP signatures that any conforming implementation should
+ be able to handle. They are not specific to GnuPG, which is one of many
+ implementations, even though a very prominent one.
+
+commit f855dc5ac98432ef4b126446c50a9737d98f0fb8
+Author: Timo Weingärtner <timo@tiwe.de>
+Date: 2021-07-19 13:36:58 +0200
+
+ always use read with -r
+
+commit 53614d19826293d753aad599f2b2900d8d6303ed
+Author: Timo Weingärtner <timo@tiwe.de>
+Date: 2021-07-19 13:35:16 +0200
+
+ factor out download_source()
+
+commit 265011411069c0c26dd693f714a43a6c7e6ad9ea
+Author: Timo Weingärtner <timo@tiwe.de>
+Date: 2021-07-19 13:33:32 +0200
+
+ use bash arrays in path_search()
+
+commit 0b161b76dac289f4b7100916bac27961aed88120
+Author: Timo Weingärtner <timo@tiwe.de>
+Date: 2021-07-19 13:24:53 +0200
+
+ make config variables readonly
+
+commit 4a715d24969a351ddd255fccee9dfd7e726d2555
+Author: Timo Weingärtner <timo@tiwe.de>
+Date: 2016-05-25 12:36:29 +0200
+
+ plugins/psql: fix spelling in comment
+
+commit 5759da2f6316fccc56d722e06d6e4bdda26251be (tag: 0.6.2)
+Author: Timo Weingärtner <timo@tiwe.de>
+Date: 2015-02-17 19:50:11 +0100
+
+ changelog for 0.6.2
+
+commit 43b1b4cbfb1aeabf3c9542c27c971790bf77cf91
Author: Timo Weingärtner <timo@tiwe.de>
Date: 2015-02-17 19:39:41 +0100
@@ -6,7 +95,7 @@ Date: 2015-02-17 19:39:41 +0100
applied with care, the two remaining things are meant that way
-commit 0e971e742afad1669dbae0d75eead51e76af1899 (origin/master)
+commit 0e971e742afad1669dbae0d75eead51e76af1899
Author: Timo Weingärtner <timo@tiwe.de>
Date: 2015-01-22 20:34:42 +0100
diff --git a/examples/curl b/examples/curl
index 18ed01b..b8f6d96 100644
--- a/examples/curl
+++ b/examples/curl
@@ -6,4 +6,4 @@ URL='https://www.example.com/known_hosts'
# optional:
SIGURL='http://www.example.com/known_hosts.sig'
-KEYRING='/path/to/gpgv-compatible.keyring'
+KEYRING='/path/to/openpgp-compatible.keyring'
diff --git a/examples/kit_edu b/examples/kit_edu
deleted file mode 100644
index e676499..0000000
--- a/examples/kit_edu
+++ /dev/null
@@ -1,5 +0,0 @@
-PLUGIN=curl
-EXIT_IGNORE='6 7 28'
-
-CURL_OPTIONS='--connect-timeout 10'
-URL='https://rzadmin.rz.uni-karlsruhe.de/openssh/ssh_known_hosts'
diff --git a/examples/kit_edu.filter b/examples/kit_edu.filter
deleted file mode 100644
index 556ab25..0000000
--- a/examples/kit_edu.filter
+++ /dev/null
@@ -1,2 +0,0 @@
-allow \.(fzk|uka|uni-karlsruhe)\.de$
-allow \.kit\.edu$
diff --git a/examples/rsync b/examples/rsync
index 1d9fd4c..cbb6d64 100644
--- a/examples/rsync
+++ b/examples/rsync
@@ -11,5 +11,5 @@ URL='rsync://rsync.example.com/pub/known_hosts'
# optional:
SIGURL='rsync://rsync.example.com/pub/known_hosts.sig'
-KEYRING='/path/to/gpgv-compatible.keyring'
+KEYRING='/path/to/openpgp-compatible.keyring'
diff --git a/plugins/curl b/plugins/curl
index 9c47601..3ae028c 100755
--- a/plugins/curl
+++ b/plugins/curl
@@ -5,8 +5,8 @@
# ENVIRONMENT VARIABLES:
# URL URL to download known_hosts file from
# CURL_OPTIONS options passed to curl
-# SIGURL URL of the GnuPG signature
-# KEYRING path to the keyring for use by gpgv
+# SIGURL URL of the OpenPGP signature
+# KEYRING path to the OpenPGP keyring with certificates
#
set -e
@@ -14,8 +14,13 @@ set -e
if [ "${SIGURL}" ]; then
curl -fRz "./current" -m 300 ${CURL_OPTIONS} -o new.sig "${SIGURL}" -o new "${URL}"
[ -e new ] || exit 0
- gpgv --keyring "${KEYRING}" --status-fd 2 new.sig || exit 1
- # return 1 because it's not clear what other codes may used
+ if command -v sopv >/dev/null; then
+ sopv verify new.sig "${KEYRING}" <new || exit 1
+ else
+ gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1
+ fi
+ # return 1 because it's not clear what other codes may be safe to
+ # use that do not overlap with codes from curl.
else
curl -fRz "./current" -m 300 ${CURL_OPTIONS} -o new "${URL}"
fi
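Review bot: The verifier is now selected at run time by `command -v sopv`, but the ENVIRONMENT VARIABLES header updated in the previous hunk still only describes SIGURL and KEYRING, so an operator cannot tell from the plugin which tool will read the keyring they configure; add `# signature verification uses sopv when found in PATH, otherwise gpgv` to that header block. The same applies to the matching hunk in plugins/rsync. The comment explaining why the status is forced to 1 now sits after the `fi`, two lines away from the `|| exit 1` it describes; placing it directly above the `if command -v sopv` line keeps the explanation next to both exit paths. Both branches are handed the same KEYRING path, so the header should also say which keyring format is expected to work with either tool — presumably the "openpgp-compatible" format the examples now name, worth confirming.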
diff --git a/plugins/psql b/plugins/psql
index a7c0a72..2e194f6 100755
--- a/plugins/psql
+++ b/plugins/psql
@@ -4,7 +4,7 @@
#
# uses psql to download a TABLE (or VIEW) of the form:
# CREATE TABLE known_hosts (
-# namelist text, # comma seperated
+# namelist text, # comma separated
# type text,
# key text
# );
diff --git a/plugins/rsync b/plugins/rsync
index 1a57660..1ee6831 100755
--- a/plugins/rsync
+++ b/plugins/rsync
@@ -4,8 +4,8 @@
#
# ENVIRONMENT VARIABLES:
# URL URL to download known_hosts file from
-# SIGURL URL of the GnuPG signature
-# KEYRING path to the keyring for use by gpgv
+# SIGURL URL of the OpenPGP signature
+# KEYRING path to the OpenPGP keyring with certificates
#
set -e
@@ -15,8 +15,13 @@ rsync -vt --timeout=300 "${URL}" new
if [ "${SIGURL}" ]; then
rsync -vt --timeout=300 "${SIGURL}" new.sig
- gpgv --keyring "${KEYRING}" --status-fd 2 new.sig || exit 1
- # return 1 because it's not clear what other codes may used
+ if command -v sopv >/dev/null; then
+ sopv verify new.sig "${KEYRING}" <new || exit 1
+ else
+ gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1
+ fi
+ # return 1 because it's not clear what other codes may be safe to
+ # use that do not overlap with codes from rsync.
fi
# vim:set ft=sh:
diff --git a/update-openssh-known-hosts b/update-openssh-known-hosts
index 6d72663..9eee3ec 100755
--- a/update-openssh-known-hosts
+++ b/update-openssh-known-hosts
@@ -25,23 +25,24 @@ CACHEDIR=${CACHEDIR:-/var/cache/openssh-known-hosts}
LOCK=${LOCK:-/var/lock/openssh-known-hosts}
OUTFILE=${OUTFILE:-/var/lib/openssh-known-hosts/ssh_known_hosts}
+readonly CONFDIR PLUGIN_PATH CACHEDIR LOCK OUTFILE
+
path_search () {
- search="$1"
- shift
- local IFS
- IFS=:
- set -- $@
+ local search=$1
+ local -a pathlist
+ IFS=: read -ra pathlist <<< "$2"
+
if [[ ${search} =~ / ]]; then
echo "${search}"
return 0
fi
- for path; do
+ for path in "${pathlist[@]}"; do
if [ -f "${path}/${search}" ]; then
echo "${path}/${search}"
return 0
fi
done
- echo "'${search}' not found in '$*'!" >&2
+ echo "'${search}' not found in '$2'!" >&2
exit 127
}
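Review bot: `path_search` has no header comment and its contract is not obvious from the body: a name containing `/` is echoed back unchanged without any existence check (the `=~ /` branch), the lookup tests `-f` rather than `-x`, and a miss ends with `exit 127` rather than a non-zero `return`, which is what a caller observes through `$(path_search ...)`. Add a header such as `# path_search NAME PATHLIST: print NAME if it contains '/', else the first ':'-separated PATHLIST entry holding a regular file NAME; exit 127 if none` above the function. An empty component in PATHLIST (leading, trailing or doubled `:`) becomes an empty `path` and the test then probes `/NAME` at the filesystem root; skipping empty entries with `[ -n "${path}" ] || continue` at the top of the loop avoids that.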
@@ -51,6 +52,36 @@ cleanup () {
lockfile-remove "${LOCK}"
}
+download_source () (
+ local sourcename=$1
+ local sourcefile=$2
+
+ cd "${CACHEDIR}/${sourcename}"
+ set -a
+ . "${sourcefile}"
+ set +a
+ # shellcheck disable=SC2091
+ $(path_search "$PLUGIN" "$PLUGIN_PATH") >| log 2>&1 || {
+ exitcode=$?
+ rm -f new
+ ignore=''
+ for e in ${EXIT_IGNORE:-0}; do
+ if [[ $e = "$exitcode" ]]; then
+ ignore=1
+ break
+ fi
+ done
+ if [ -z "$ignore" ] || [ "$fail" ]; then
+ echo "${source} exited with code ${exitcode}, log follows:"
+ cat log
+ echo
+ fi
+ if [ "$fail" ]; then
+ exit 1
+ fi
+ } >&2
+)
+
if [ $# -eq 1 ] && [ "$1" = "-f" ]; then
fail=1
else
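Review bot: Inside `download_source` the failure message uses `${source}`, the caller's loop variable, while the function received the name as `sourcename`, so it only reports the right source when called from that loop; change it to `echo "${sourcename} exited with code ${exitcode}, log follows:"`. The `cd "${CACHEDIR}/${sourcename}"` is unguarded, so when the directory is missing the config is sourced and the plugin run in the current directory, leaving `new` and `log` there; `cd "${CACHEDIR}/${sourcename}" || exit 1` closes that (the body is a subshell, so `exit` is safe), unless `set -e` is already in effect above this hunk, in which case the failed `cd` aborts the subshell anyway. A header comment should also state that `sourcefile` is executed as shell code via `.` under `set -a`, so every variable it assigns is exported into the plugin's environment and the sources directory therefore needs to be writable only by the administrator.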
@@ -68,33 +99,10 @@ cd "${CACHEDIR}"
find -mindepth 2 -maxdepth 2 -type f -name new -delete
-run-parts --list "${CONFDIR}/sources/" | while read sourcefile; do
+run-parts --list "${CONFDIR}/sources/" | while read -r sourcefile; do
source=${sourcefile##*/}
mkdir -p "${source}"
- (
- set -a
- cd "${source}"
- . "${sourcefile}"
- $(path_search "$PLUGIN" "$PLUGIN_PATH") >| log 2>&1 || {
- exitcode=$?
- rm -f new
- ignore=''
- for e in ${EXIT_IGNORE:-0}; do
- if [[ $e = "$exitcode" ]]; then
- ignore=1
- break
- fi
- done
- if [ -z "$ignore" -o "$fail" ]; then
- echo "${source} exited with code ${exitcode}, log follows:"
- cat log
- echo
- fi
- if [ "$fail" ]; then
- exit 1
- fi
- } >&2
- ) || exit 1
+ download_source "${source}" "${sourcefile}"
if [ -e "${source}/new" ]; then
mv "${source}/new" "${source}/current"
fi
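Review bot: The call `download_source "${source}" "${sourcefile}"` drops the `|| exit 1` that followed the old inline subshell, so when `-f` has set `fail` and a plugin fails, the function's `exit 1` only ends its own subshell and the loop moves on to the next source; unless `set -e` is in effect above this hunk, the failure no longer stops the run. Restoring `download_source "${source}" "${sourcefile}" || exit 1` keeps the previous behaviour, and since the loop is the last stage of the `run-parts | while` pipeline that `exit` ends the loop subshell exactly as before. The `while` loop continues past the end of this hunk.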
@@ -107,8 +115,8 @@ run-parts --list "${CONFDIR}/sources/" | while read sourcefile; do
unset filter[$i]
fi
done
- while read hostlist rest; do
- IFS=, read -a hostarray <<<"$hostlist"
+ while read -r hostlist rest; do
+ IFS=, read -ra hostarray <<<"$hostlist"
new_hostlist=''
for host in "${hostarray[@]}"; do
for rule in "${filter[@]}"; do
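Review bot: `while read -r hostlist rest` takes the first whitespace-separated field of each known_hosts line as the host list, but lines carrying a `@cert-authority` or `@revoked` marker start with the marker and the hosts are the second field, so the marker itself is what gets matched against the filter rules; if unmatched lines are dropped further down, revoked-key entries would silently disappear from the generated file. The rest of this loop is outside the hunk, so confirm whether markers are handled there. If not, peel the marker off before filtering, e.g. `case $hostlist in @*) marker=$hostlist; read -r hostlist rest <<<"$rest" ;; *) marker= ;; esac`, and prepend `$marker` again where the line is emitted.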