From 4a715d24969a351ddd255fccee9dfd7e726d2555 Mon Sep 17 00:00:00 2001
From: Timo Weingärtner
Date: Wed, 25 May 2016 12:36:29 +0200
Subject: plugins/psql: fix spelling in comment
---
 plugins/psql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/psql b/plugins/psql
index a7c0a72..2e194f6 100755
--- a/plugins/psql
+++ b/plugins/psql
@@ -4,7 +4,7 @@
 #
 # uses psql to download a TABLE (or VIEW) of the form:
 # CREATE TABLE known_hosts (
-# namelist text, # comma seperated
+# namelist text, # comma separated
 # type text,
 # key text
 # );
-- cgit v1.2.3
From 0b161b76dac289f4b7100916bac27961aed88120 Mon Sep 17 00:00:00 2001
From: Timo Weingärtner
Date: Mon, 19 Jul 2021 13:24:53 +0200
Subject: make config variables readonly
---
 update-openssh-known-hosts | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/update-openssh-known-hosts b/update-openssh-known-hosts
index 6d72663..ef897aa 100755
--- a/update-openssh-known-hosts
+++ b/update-openssh-known-hosts
@@ -25,6 +25,8 @@ CACHEDIR=${CACHEDIR:-/var/cache/openssh-known-hosts}
 LOCK=${LOCK:-/var/lock/openssh-known-hosts}
 OUTFILE=${OUTFILE:-/var/lib/openssh-known-hosts/ssh_known_hosts}
+readonly CONFDIR PLUGIN_PATH CACHEDIR LOCK OUTFILE
+
 path_search () {
 search="$1"
 shift
-- cgit v1.2.3
From 265011411069c0c26dd693f714a43a6c7e6ad9ea Mon Sep 17 00:00:00 2001
From: Timo Weingärtner
Date: Mon, 19 Jul 2021 13:33:32 +0200
Subject: use bash arrays in path_search()
---
 update-openssh-known-hosts | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/update-openssh-known-hosts b/update-openssh-known-hosts
index ef897aa..c8f7e39 100755
--- a/update-openssh-known-hosts
+++ b/update-openssh-known-hosts
@@ -28,22 +28,21 @@ OUTFILE=${OUTFILE:-/var/lib/openssh-known-hosts/ssh_known_hosts}
 readonly CONFDIR PLUGIN_PATH CACHEDIR LOCK OUTFILE
 path_search () {
-search="$1"
-shift
-local IFS
-IFS=:
-set -- $@
+local search=$1
+local -a pathlist
+IFS=: read -ra pathlist <<< "$2"
+
 if [[ ${search} =~ / ]]; then
 echo "${search}"
 return 0
 fi
-for path; do
+for path in "${pathlist[@]}"; do
 if [ -f "${path}/${search}" ]; then
 echo "${path}/${search}"
 return 0
 fi
 done
-echo "'${search}' not found in '$*'!" >&2
+echo "'${search}' not found in '$2'!" >&2
 exit 127
 }
-- cgit v1.2.3
From 53614d19826293d753aad599f2b2900d8d6303ed Mon Sep 17 00:00:00 2001
From: Timo Weingärtner
Date: Mon, 19 Jul 2021 13:35:16 +0200
Subject: factor out download_source()
---
 update-openssh-known-hosts | 55 ++++++++++++++++++++++++++--------------------
 1 file changed, 31 insertions(+), 24 deletions(-)
diff --git a/update-openssh-known-hosts b/update-openssh-known-hosts
index c8f7e39..325a997 100755
--- a/update-openssh-known-hosts
+++ b/update-openssh-known-hosts
@@ -52,6 +52,36 @@ cleanup () {
 lockfile-remove "${LOCK}"
 }
+download_source () (
+local sourcename=$1
+local sourcefile=$2
+
+cd "${CACHEDIR}/${sourcename}"
+set -a
+. "${sourcefile}"
+set +a
+# shellcheck disable=SC2091
+$(path_search "$PLUGIN" "$PLUGIN_PATH") >| log 2>&1 || {
+exitcode=$?
+rm -f new
+ignore=''
+for e in ${EXIT_IGNORE:-0}; do
+if [[ $e = "$exitcode" ]]; then
+ignore=1
+break
+fi
+done
+if [ -z "$ignore" ] || [ "$fail" ]; then
+echo "${source} exited with code ${exitcode}, log follows:"
+cat log
+echo
+fi
+if [ "$fail" ]; then
+exit 1
+fi
+} >&2
+)
+
 if [ $# -eq 1 ] && [ "$1" = "-f" ]; then
 fail=1
 else
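Review bot: The new split at `IFS=: read -ra pathlist <<< "$2"` appears to keep empty fields, so a PATH-style value with a leading or doubled colon yields an empty `path`, and `[ -f "${path}/${search}" ]` then probes `/${search}` at the filesystem root rather than the current directory that an empty PATH entry conventionally denotes. If such entries are not meant to be honoured, skip them with `[ -n "${path}" ] || continue` as the first statement of the `for` loop; if they are, map them with `path=${path:-.}`. The `-f` test also accepts a plugin file that is not executable, in which case the caller's `$(path_search …)` fails with the shell's own 126 instead of this function's 127; `-x` matches the intent of the lookup more closely.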
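Review bot: `cd "${CACHEDIR}/${sourcename}"` in the new `download_source` is unchecked, so if it fails the config is still sourced and the plugin still run, with `log` and `new` written into whatever directory the caller is in, unless `set -e` is active somewhere this hunk does not show; `cd "${CACHEDIR}/${sourcename}" || exit 1` closes that. The diagnostic `echo "${source} exited with code ${exitcode}, log follows:"` reads the caller's `${source}` instead of the function's own `${sourcename}` parameter, which only works because the subshell inherits the caller's variables; using `${sourcename}` keeps the function self-contained. Note that because the body is a subshell `( … )`, the `exit 1` taken under `$fail` ends only that subshell, so aborting the run is left to the caller.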
@@ -72,30 +102,7 @@ find -mindepth 2 -maxdepth 2 -type f -name new -delete
 run-parts --list "${CONFDIR}/sources/" | while read sourcefile; do
 source=${sourcefile##*/}
 mkdir -p "${source}"
-(
-set -a
-cd "${source}"
-. "${sourcefile}"
-$(path_search "$PLUGIN" "$PLUGIN_PATH") >| log 2>&1 || {
-exitcode=$?
-rm -f new
-ignore=''
-for e in ${EXIT_IGNORE:-0}; do
-if [[ $e = "$exitcode" ]]; then
-ignore=1
-break
-fi
-done
-if [ -z "$ignore" -o "$fail" ]; then
-echo "${source} exited with code ${exitcode}, log follows:"
-cat log
-echo
-fi
-if [ "$fail" ]; then
-exit 1
-fi
-} >&2
-) || exit 1
+download_source "${source}" "${sourcefile}"
 if [ -e "${source}/new" ]; then
 mv "${source}/new" "${source}/current"
 fi
-- cgit v1.2.3
From f855dc5ac98432ef4b126446c50a9737d98f0fb8 Mon Sep 17 00:00:00 2001
From: Timo Weingärtner
Date: Mon, 19 Jul 2021 13:36:58 +0200
Subject: always use read with -r
---
 update-openssh-known-hosts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/update-openssh-known-hosts b/update-openssh-known-hosts
index 325a997..9eee3ec 100755
--- a/update-openssh-known-hosts
+++ b/update-openssh-known-hosts
@@ -99,7 +99,7 @@ cd "${CACHEDIR}"
 find -mindepth 2 -maxdepth 2 -type f -name new -delete
-run-parts --list "${CONFDIR}/sources/" | while read sourcefile; do
+run-parts --list "${CONFDIR}/sources/" | while read -r sourcefile; do
 source=${sourcefile##*/}
 mkdir -p "${source}"
 download_source "${source}" "${sourcefile}"
@@ -115,8 +115,8 @@ run-parts --list "${CONFDIR}/sources/" | while read sourcefile; do
 unset filter[$i]
 fi
 done
-while read hostlist rest; do
-IFS=, read -a hostarray <<<"$hostlist"
+while read -r hostlist rest; do
+IFS=, read -ra hostarray <<<"$hostlist"
 new_hostlist=''
 for host in "${hostarray[@]}"; do
 for rule in "${filter[@]}"; do
-- cgit v1.2.3
From a18b87e43ece9a448ab912225e1a26d8fd4b3e7f Mon Sep 17 00:00:00 2001
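Review bot: The `|| exit 1` that followed the old subshell is gone at the new `download_source "${source}" "${sourcefile}"` call, and because `download_source` is a subshell function its `exit 1` under `-f` ends only that subshell, so the loop now moves on to the next source instead of stopping at the first failure. Unless `set -e` is enabled earlier in the script (not visible in this hunk), `-f` has silently lost its abort semantics; `download_source "${source}" "${sourcefile}" || exit 1` restores the previous behaviour. The `while` body itself runs inside the `run-parts … |` pipeline, so even that `exit 1` only ends the pipeline, and whether the script then stops is decided outside this hunk, as it was before.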
From: Guillem Jover
Date: Mon, 30 Sep 2024 01:36:22 +0200
Subject: Use OpenPGP when referring to the standard or objects
These are OpenPGP signatures that any conforming implementation should be able to handle. They are not specific to GnuPG, which is one of many implementations, even though a very prominent one.
---
 examples/curl | 2 +-
 examples/rsync | 2 +-
 plugins/curl | 4 ++--
 plugins/rsync | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/examples/curl b/examples/curl
index 18ed01b..b8f6d96 100644
--- a/examples/curl
+++ b/examples/curl
@@ -6,4 +6,4 @@ URL='https://www.example.com/known_hosts'
 # optional:
 SIGURL='http://www.example.com/known_hosts.sig'
-KEYRING='/path/to/gpgv-compatible.keyring'
+KEYRING='/path/to/openpgp-compatible.keyring'
diff --git a/examples/rsync b/examples/rsync
index 1d9fd4c..cbb6d64 100644
--- a/examples/rsync
+++ b/examples/rsync
@@ -11,5 +11,5 @@ URL='rsync://rsync.example.com/pub/known_hosts'
 # optional:
 SIGURL='rsync://rsync.example.com/pub/known_hosts.sig'
-KEYRING='/path/to/gpgv-compatible.keyring'
+KEYRING='/path/to/openpgp-compatible.keyring'
diff --git a/plugins/curl b/plugins/curl
index 9c47601..989891a 100755
--- a/plugins/curl
+++ b/plugins/curl
@@ -5,8 +5,8 @@
 # ENVIRONMENT VARIABLES:
 # URL URL to download known_hosts file from
 # CURL_OPTIONS options passed to curl
-# SIGURL URL of the GnuPG signature
-# KEYRING path to the keyring for use by gpgv
+# SIGURL URL of the OpenPGP signature
+# KEYRING path to the OpenPGP keyring with certificates
 #
 set -e
diff --git a/plugins/rsync b/plugins/rsync
index 1a57660..2ff5c1a 100755
--- a/plugins/rsync
+++ b/plugins/rsync
@@ -4,8 +4,8 @@
 #
 # ENVIRONMENT VARIABLES:
 # URL URL to download known_hosts file from
-# SIGURL URL of the GnuPG signature
-# KEYRING path to the keyring for use by gpgv
+# SIGURL URL of the OpenPGP signature
+# KEYRING path to the OpenPGP keyring with certificates
 #
 set -e
-- cgit v1.2.3
From c26168119320ca5b03e6b420e3c4192d1e2ecc6a Mon Sep 17 00:00:00 2001
From: Guillem Jover
Date: Mon, 30 Sep 2024 02:00:58 +0200
Subject: Current gpgv requires the datafile for detached signatures
Otherwise we get the following error:
gpgv: no signed data
gpgv: can't hash datafile: No data
---
 plugins/curl | 2 +-
 plugins/rsync | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/plugins/curl b/plugins/curl
index 989891a..b9dd2cb 100755
--- a/plugins/curl
+++ b/plugins/curl
@@ -14,7 +14,7 @@ set -e
 if [ "${SIGURL}" ]; then
 curl -fRz "./current" -m 300 ${CURL_OPTIONS} -o new.sig "${SIGURL}" -o new "${URL}"
 [ -e new ] || exit 0
-gpgv --keyring "${KEYRING}" --status-fd 2 new.sig || exit 1
+gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1
 # return 1 because it's not clear what other codes may used
 else
 curl -fRz "./current" -m 300 ${CURL_OPTIONS} -o new "${URL}"
diff --git a/plugins/rsync b/plugins/rsync
index 2ff5c1a..1c2cae2 100755
--- a/plugins/rsync
+++ b/plugins/rsync
@@ -15,7 +15,7 @@ rsync -vt --timeout=300 "${URL}" new
 if [ "${SIGURL}" ]; then
 rsync -vt --timeout=300 "${SIGURL}" new.sig
-gpgv --keyring "${KEYRING}" --status-fd 2 new.sig || exit 1
+gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1
 # return 1 because it's not clear what other codes may used
 fi
-- cgit v1.2.3
From 31b9dc01eb871055de006a3fb94fdaea2059966a Mon Sep 17 00:00:00 2001
From: Guillem Jover
Date: Wed, 2 Oct 2024 03:32:13 +0200
Subject: Clarify comment on exit code override to workaround overlapping codes
The framework expects to be able to ignore specific exit codes from the plugins, but if we are possibly returning exit codes from different tools, then it's hard to untangle what tool generated which exit code.
In the plugins at hand the exit code 1 seems like a safe one, given both curl and rsync usage, so we currently turn any OpenPGP verification error into that.
---
 plugins/curl | 3 ++-
 plugins/rsync | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/plugins/curl b/plugins/curl
index b9dd2cb..29c0ace 100755
--- a/plugins/curl
+++ b/plugins/curl
@@ -15,7 +15,8 @@ if [ "${SIGURL}" ]; then
 curl -fRz "./current" -m 300 ${CURL_OPTIONS} -o new.sig "${SIGURL}" -o new "${URL}"
 [ -e new ] || exit 0
 gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1
-# return 1 because it's not clear what other codes may used
+# return 1 because it's not clear what other codes may be safe to
+# use that do not overlap with codes from curl.
 else
 curl -fRz "./current" -m 300 ${CURL_OPTIONS} -o new "${URL}"
 fi
diff --git a/plugins/rsync b/plugins/rsync
index 1c2cae2..6aec09c 100755
--- a/plugins/rsync
+++ b/plugins/rsync
@@ -16,7 +16,8 @@ rsync -vt --timeout=300 "${URL}" new
 if [ "${SIGURL}" ]; then
 rsync -vt --timeout=300 "${SIGURL}" new.sig
 gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1
-# return 1 because it's not clear what other codes may used
+# return 1 because it's not clear what other codes may be safe to
+# use that do not overlap with codes from rsync.
 fi
 # vim:set ft=sh:
-- cgit v1.2.3
From b29ad4a5696aa1cbf85b77ae64c99865e57d2d6b Mon Sep 17 00:00:00 2001
From: Guillem Jover Date: Mon, 30 Sep 2024 01:39:13 +0200 Subject: Add sopv support This is a subset of the Stateless OpenPGP CLI , that can easily replace the GnuPG usage. There are multiple implementations providing this interface. --- plugins/curl | 6 +++++- plugins/rsync | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/plugins/curl b/plugins/curl index 29c0ace..3ae028c 100755 --- a/plugins/curl +++ b/plugins/curl @@ -14,7 +14,11 @@ set -e if [ "${SIGURL}" ]; then curl -fRz "./current" -m 300 ${CURL_OPTIONS} -o new.sig "${SIGURL}" -o new "${URL}" [ -e new ] || exit 0 - gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1 + if command -v sopv >/dev/null; then + sopv verify new.sig "${KEYRING}" /dev/null; then + sopv verify new.sig "${KEYRING}" Date: Thu, 24 Oct 2024 10:55:42 +0200 Subject: remove examples/kit_edu, service gone --- examples/kit_edu | 5 ----- examples/kit_edu.filter | 2 -- 2 files changed, 7 deletions(-) delete mode 100644 examples/kit_edu delete mode 100644 examples/kit_edu.filter diff --git a/examples/kit_edu b/examples/kit_edu deleted file mode 100644 index e676499..0000000 --- a/examples/kit_edu +++ /dev/null @@ -1,5 +0,0 @@ -PLUGIN=curl -EXIT_IGNORE='6 7 28' - -CURL_OPTIONS='--connect-timeout 10' -URL='https://rzadmin.rz.uni-karlsruhe.de/openssh/ssh_known_hosts' diff --git a/examples/kit_edu.filter b/examples/kit_edu.filter deleted file mode 100644 index 556ab25..0000000 --- a/examples/kit_edu.filter +++ /dev/null @@ -1,2 +0,0 @@ -allow \.(fzk|uka|uni-karlsruhe)\.de$ -allow \.kit\.edu$ -- cgit v1.2.3 From da301a83b9bf37988bcb4b3029ee2dcd85983995 Mon Sep 17 00:00:00 2001 From: Timo Weingärtner Date: Thu, 24 Oct 2024 11:16:25 +0200 Subject: changelog for 0.6.3 --- changelog | 93 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 91 insertions(+), 2 deletions(-) diff --git a/changelog b/changelog index ef7ce56..b76f83b 100644 --- a/changelog +++ b/changelog 
@@ -1,4 +1,93 @@
-commit 43b1b4cbfb1aeabf3c9542c27c971790bf77cf91 (HEAD, master)
+commit 274f3a6fca8d003140eed1fdd6bf70e016403bad
+Author: Timo Weingärtner
+Date: 2024-10-24 10:55:42 +0200
+
+ remove examples/kit_edu, service gone
+
+commit b29ad4a5696aa1cbf85b77ae64c99865e57d2d6b
+Author: Guillem Jover
+Date: 2024-09-30 01:39:13 +0200
+
+ Add sopv support
+
+ This is a subset of the Stateless OpenPGP CLI
+ ,
+ that can easily replace the GnuPG usage.
+
+ There are multiple implementations providing this interface.
+
+commit 31b9dc01eb871055de006a3fb94fdaea2059966a
+Author: Guillem Jover
+Date: 2024-10-02 03:32:13 +0200
+
+ Clarify comment on exit code override to workaround overlapping codes
+
+ The framework expects to be able to ignore specific exit codes from the
+ plugins, but if we are possibly returning exit codes from different
+ tools, then it's hard to untangle what tool generated which exit code.
+
+ In the plugins at hand the exit code 1 seems like a safe one, given both
+ curl and rsync usage, so we currently turn any OpenPGP verification
+ error into that.
+
+commit c26168119320ca5b03e6b420e3c4192d1e2ecc6a
+Author: Guillem Jover
+Date: 2024-09-30 02:00:58 +0200
+
+ Current gpgv requires the datafile for detached signatures
+
+ Otherwise we get the following error:
+
+ gpgv: no signed data
+ gpgv: can't hash datafile: No data
+
+commit a18b87e43ece9a448ab912225e1a26d8fd4b3e7f
+Author: Guillem Jover
+Date: 2024-09-30 01:36:22 +0200
+
+ Use OpenPGP when referring to the standard or objects
+
+ These are OpenPGP signatures that any conforming implementation should
+ be able to handle. They are not specific to GnuPG, which is one of many
+ implementations, even though a very prominent one.
+
+commit f855dc5ac98432ef4b126446c50a9737d98f0fb8
+Author: Timo Weingärtner
+Date: 2021-07-19 13:36:58 +0200
+
+ always use read with -r
+
+commit 53614d19826293d753aad599f2b2900d8d6303ed
+Author: Timo Weingärtner
+Date: 2021-07-19 13:35:16 +0200
+
+ factor out download_source()
+
+commit 265011411069c0c26dd693f714a43a6c7e6ad9ea
+Author: Timo Weingärtner
+Date: 2021-07-19 13:33:32 +0200
+
+ use bash arrays in path_search()
+
+commit 0b161b76dac289f4b7100916bac27961aed88120
+Author: Timo Weingärtner
+Date: 2021-07-19 13:24:53 +0200
+
+ make config variables readonly
+
+commit 4a715d24969a351ddd255fccee9dfd7e726d2555
+Author: Timo Weingärtner
+Date: 2016-05-25 12:36:29 +0200
+
+ plugins/psql: fix spelling in comment
+
+commit 5759da2f6316fccc56d722e06d6e4bdda26251be (tag: 0.6.2)
+Author: Timo Weingärtner
+Date: 2015-02-17 19:50:11 +0100
+
+ changelog for 0.6.2
+
+commit 43b1b4cbfb1aeabf3c9542c27c971790bf77cf91
 Author: Timo Weingärtner
 Date: 2015-02-17 19:39:41 +0100
@@ -6,7 +95,7 @@ Date: 2015-02-17 19:39:41 +0100
 applied with care, the two remaining things are meant that way
-commit 0e971e742afad1669dbae0d75eead51e76af1899 (origin/master)
+commit 0e971e742afad1669dbae0d75eead51e76af1899
 Author: Timo Weingärtner
 Date: 2015-01-22 20:34:42 +0100
-- cgit v1.2.3