32 lines
941 B
Bash
32 lines
941 B
Bash
|
#!/bin/bash
|
||
|
#
|
||
|
# This scripts verifies presence of the current repomd signatures in the rekor log
|
||
|
# for each of existing libzypp tracked repos.
|
||
|
#
|
||
|
|
||
|
zypper -q refresh
|
||
|
|
||
|
for repo in /etc/zypp/repos.d/*.repo
|
||
|
do
|
||
|
if grep enabled=1 $repo >/dev/null; then
|
||
|
repodirname=`grep '^\[' "$repo"|sed -e 's/.*\[//;s/\].*//;'`
|
||
|
name="`grep ^name= $repo|sed -e 's/name=//;'`"
|
||
|
if [ "x$name" == "x" ]; then
|
||
|
name="$repodirname"
|
||
|
fi
|
||
|
|
||
|
# echo "name: $name, repodirname $repodirname"
|
||
|
|
||
|
repodata="/var/cache/zypp/raw/$repodirname/repodata"
|
||
|
if [ -d "$repodata" ]; then
|
||
|
if rekor-cli verify --artifact "$repodata/repomd.xml" --signature "$repodata/repomd.xml.asc" --public-key "$repodata/repomd.xml.key" >/dev/null 2>&1; then
|
||
|
echo "$name repomd.xml signature is in rekor log"
|
||
|
else
|
||
|
echo "$name repomd.xml signature is NOT in rekor log"
|
||
|
fi
|
||
|
else
|
||
|
echo "$name has no repodata/ directory in $repodata, not a RPM-MD repository?"
|
||
|
fi
|
||
|
fi
|
||
|
done
|