From a18b87e43ece9a448ab912225e1a26d8fd4b3e7f Mon Sep 17 00:00:00 2001
From: Guillem Jover
Date: Mon, 30 Sep 2024 01:36:22 +0200
Subject: Use OpenPGP when referring to the standard or objects These are OpenPGP signatures that any conforming implementation should be able to handle. They are not specific to GnuPG, which is one of many implementations, even though a very prominent one.
---
 plugins/rsync | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'plugins/rsync')
diff --git a/plugins/rsync b/plugins/rsync
index 1a57660..2ff5c1a 100755
--- a/plugins/rsync
+++ b/plugins/rsync
@@ -4,8 +4,8 @@
 #
 # ENVIRONMENT VARIABLES:
 # URL URL to download known_hosts file from
-# SIGURL URL of the GnuPG signature
-# KEYRING path to the keyring for use by gpgv
+# SIGURL URL of the OpenPGP signature
+# KEYRING path to the OpenPGP keyring with certificates
 #
 set -e
-- cgit v1.2.3
From c26168119320ca5b03e6b420e3c4192d1e2ecc6a Mon Sep 17 00:00:00 2001
From: Guillem Jover
Date: Mon, 30 Sep 2024 02:00:58 +0200
Subject: Current gpgv requires the datafile for detached signatures Otherwise we get the following error: gpgv: no signed data gpgv: can't hash datafile: No data
---
 plugins/curl | 2 +-
 plugins/rsync | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
(limited to 'plugins/rsync')
diff --git a/plugins/curl b/plugins/curl
index 989891a..b9dd2cb 100755
--- a/plugins/curl
+++ b/plugins/curl
@@ -14,7 +14,7 @@ set -e
 if [ "${SIGURL}" ]; then
 curl -fRz "./current" -m 300 ${CURL_OPTIONS} -o new.sig "${SIGURL}" -o new "${URL}"
 [ -e new ] || exit 0
- gpgv --keyring "${KEYRING}" --status-fd 2 new.sig || exit 1
+ gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1
 # return 1 because it's not clear what other codes may used
 else
 curl -fRz "./current" -m 300 ${CURL_OPTIONS} -o new "${URL}"
diff --git a/plugins/rsync b/plugins/rsync
index 2ff5c1a..1c2cae2 100755
--- a/plugins/rsync
+++ b/plugins/rsync
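Review bot: The new `gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1` line in plugins/curl still runs when `KEYRING` is empty or unset: the only shell option visible in this hunk is `set -e` (nothing visible sets `-u`), so an empty value is passed as `--keyring ""` and the outcome then depends on how gpgv treats that rather than on the intended keyring; unless a guard exists above the hunk, add `: "${KEYRING:?KEYRING must point to the OpenPGP keyring}"` before the verification. On a failed verification the freshly downloaded `new` and `new.sig` are left in the working directory and only the exit status records that the signature was bad; if the caller decides what to install by file presence rather than by exit code (not visible here), a `rm -f new new.sig` before `exit 1` would make that decision independent of exit-code handling. The plugins/rsync hunk of this same commit (next line) has the identical shape and would take the same two changes.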
@@ -15,7 +15,7 @@ rsync -vt --timeout=300 "${URL}" new
 if [ "${SIGURL}" ]; then
 rsync -vt --timeout=300 "${SIGURL}" new.sig
- gpgv --keyring "${KEYRING}" --status-fd 2 new.sig || exit 1
+ gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1
 # return 1 because it's not clear what other codes may used
 fi
-- cgit v1.2.3
From 31b9dc01eb871055de006a3fb94fdaea2059966a Mon Sep 17 00:00:00 2001
From: Guillem Jover
Date: Wed, 2 Oct 2024 03:32:13 +0200
Subject: Clarify comment on exit code override to workaround overlapping codes The framework expects to be able to ignore specific exit codes from the plugins, but if we are possibly returning exit codes from different tools, then it's hard to untangle what tool generated which exit code. In the plugins at hand the exit code 1 seems like a safe one, given both curl and rsync usage, so we currently turn any OpenPGP verification error into that.
---
 plugins/curl | 3 ++-
 plugins/rsync | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
(limited to 'plugins/rsync')
diff --git a/plugins/curl b/plugins/curl
index b9dd2cb..29c0ace 100755
--- a/plugins/curl
+++ b/plugins/curl
@@ -15,7 +15,8 @@ if [ "${SIGURL}" ]; then
 curl -fRz "./current" -m 300 ${CURL_OPTIONS} -o new.sig "${SIGURL}" -o new "${URL}"
 [ -e new ] || exit 0
 gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1
- # return 1 because it's not clear what other codes may used
+ # return 1 because it's not clear what other codes may be safe to
+ # use that do not overlap with codes from curl.
 else
 curl -fRz "./current" -m 300 ${CURL_OPTIONS} -o new "${URL}"
 fi
diff --git a/plugins/rsync b/plugins/rsync
index 1c2cae2..6aec09c 100755
--- a/plugins/rsync
+++ b/plugins/rsync
@@ -16,7 +16,8 @@ rsync -vt --timeout=300 "${URL}" new
 if [ "${SIGURL}" ]; then
 rsync -vt --timeout=300 "${SIGURL}" new.sig
 gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1
- # return 1 because it's not clear what other codes may used
+ # return 1 because it's not clear what other codes may be safe to
+ # use that do not overlap with codes from rsync.
 fi
 # vim:set ft=sh:
-- cgit v1.2.3
From b29ad4a5696aa1cbf85b77ae64c99865e57d2d6b Mon Sep 17 00:00:00 2001
From: Guillem Jover
Date: Mon, 30 Sep 2024 01:39:13 +0200
Subject: Add sopv support This is a subset of the Stateless OpenPGP CLI , that can easily replace the GnuPG usage. There are multiple implementations providing this interface.
---
 plugins/curl | 6 +++++-
 plugins/rsync | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)
(limited to 'plugins/rsync')
diff --git a/plugins/curl b/plugins/curl
index 29c0ace..3ae028c 100755
--- a/plugins/curl
+++ b/plugins/curl
@@ -14,7 +14,11 @@ set -e
 if [ "${SIGURL}" ]; then
 curl -fRz "./current" -m 300 ${CURL_OPTIONS} -o new.sig "${SIGURL}" -o new "${URL}"
 [ -e new ] || exit 0
- gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1
+ if command -v sopv >/dev/null; then
+ sopv verify new.sig "${KEYRING}" /dev/null; then + sopv verify new.sig "${KEYRING}"