From b4625ce4bae9ee431029fea33cc9aad615bdac7832ec8a0dd5a3b8616804802f Mon Sep 17 00:00:00 2001
From: Marcus Meissner
Date: Wed, 29 Jun 2022 12:42:40 +0000
Subject: [PATCH] Accepting request 985788 from home:msmeissn:branches:security
- rekor-zypper-verify.sh: add a small script that verifies the on-system zypper repo cache against rekor transparency log.
OBS-URL: https://build.opensuse.org/request/show/985788
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=11
---
 rekor-zypper-verify.sh | 31 +++++++++++++++++++++++++++++++
 rekor.changes | 6 ++++++
 rekor.spec | 2 ++
 3 files changed, 39 insertions(+)
 create mode 100644 rekor-zypper-verify.sh
diff --git a/rekor-zypper-verify.sh b/rekor-zypper-verify.sh
new file mode 100644
index 0000000..11c4aa8
--- /dev/null
+++ b/rekor-zypper-verify.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+#
+# This scripts verifies presence of the current repomd signatures in the rekor log
+# for each of existing libzypp tracked repos.
+#
+
+zypper -q refresh
+
+for repo in /etc/zypp/repos.d/*.repo
+do
+ if grep enabled=1 $repo >/dev/null; then
+ repodirname=`grep '^\[' "$repo"|sed -e 's/.*\[//;s/\].*//;'`
+ name="`grep ^name= $repo|sed -e 's/name=//;'`"
+ if [ "x$name" == "x" ]; then
+ name="$repodirname"
+ fi
+
+ # echo "name: $name, repodirname $repodirname"
+
+ repodata="/var/cache/zypp/raw/$repodirname/repodata"
+ if [ -d "$repodata" ]; then
+ if rekor-cli verify --artifact "$repodata/repomd.xml" --signature "$repodata/repomd.xml.asc" --public-key "$repodata/repomd.xml.key" >/dev/null 2>&1; then
+ echo "$name repomd.xml signature is in rekor log"
+ else
+ echo "$name repomd.xml signature is NOT in rekor log"
+ fi
+ else
+ echo "$name has no repodata/ directory in $repodata, not a RPM-MD repository?"
+ fi
+ fi
+done
diff --git a/rekor.changes b/rekor.changes
index 469d868..01b2ac2 100644
--- a/rekor.changes
+++ b/rekor.changes
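Review bot: The `rekor-cli verify` call takes `--public-key` from `$repodata/repomd.xml.key`, which is the key the repository itself served into the zypper cache, so a mirror or on-path attacker who can replace repomd.xml and its `.asc` can also ship a matching key and log that triple, and the script would still print "signature is in rekor log"; the check proves the (artifact, signature, key) tuple was logged, not that the key is one this host trusts, and the key should be pinned to (or compared against) the keys rpm/zypper has already imported, or the message reworded to say exactly that. Separately, `>/dev/null 2>&1` folds a missing `rekor-cli`, a network failure and a genuine log miss into the same "NOT in rekor log" line, and the script exits 0 regardless, which makes it unusable from automation; the sketch below captures rekor-cli's output and status, reports it on stderr, and exits non-zero if any repo failed. Smaller points on the same hunk: `$repo` is unquoted in both `grep` calls, `grep enabled=1` is unanchored so a commented-out `#enabled=1` also matches, and `grep '^\['` returns every section header of a multi-section .repo file, leaving `repodirname` multi-line. The `zypper -q refresh` at the top also needs root and its failure is silently ignored.
```shell
# … unchanged: header comment …
command -v rekor-cli >/dev/null || { echo "rekor-cli not found" >&2; exit 2; }
zypper -q refresh || echo "warning: zypper refresh failed, verifying cached repodata" >&2
failed=0
# … unchanged: repo loop header, name/repodirname extraction …
 repodata="/var/cache/zypp/raw/$repodirname/repodata"
 if [ -d "$repodata" ]; then
 # NOTE: repomd.xml.key comes from the repo cache itself, so this only shows the
 # (artifact, signature, key) tuple was logged, not that the key is trusted here.
 if out=$(rekor-cli verify --artifact "$repodata/repomd.xml" --signature "$repodata/repomd.xml.asc" --public-key "$repodata/repomd.xml.key" 2>&1); then
 echo "$name repomd.xml signature is in rekor log"
 else
 rc=$?
 echo "$name repomd.xml signature is NOT in rekor log (rekor-cli exit status $rc)" >&2
 printf '%s\n' "$out" >&2
 failed=1
 fi
# … unchanged: else branch for missing repodata, closing fi …
done
exit "$failed"
```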
@@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Jun 29 12:26:43 UTC 2022 - Marcus Meissner + +- rekor-zypper-verify.sh: add a small script that verifies the on-system + zypper repo cache against rekor transparency log. + ------------------------------------------------------------------- Mon Jun 20 06:54:51 UTC 2022 - Marcus Meissner diff --git a/rekor.spec b/rekor.spec index 39560ce..d98d734 100644 --- a/rekor.spec +++ b/rekor.spec @@ -27,6 +27,7 @@ License: Apache-2.0 URL: https://github.com/sigstore/rekor Source: https://github.com/sigstore/rekor/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: vendor.tar.xz +Source2: rekor-zypper-verify.sh BuildRequires: golang-packaging BuildRequires: golang(API) %{go_nostrip} @@ -55,6 +56,7 @@ done for app in %{apps} ; do install -D -m 0755 rekor-${app} %{buildroot}%{_bindir}/rekor-${app} done +install -m 0755 %SOURCE2 %{buildroot}%{_bindir}/rekor-zypp-verify %files %license LICENSE
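Review bot: The installed command name in `install -m 0755 %SOURCE2 %{buildroot}%{_bindir}/rekor-zypp-verify` does not match the source file `rekor-zypper-verify.sh` or the changelog entry, which refers to the script only as `rekor-zypper-verify.sh`; pick one spelling and have the changelog name the command users actually get, e.g. `install -m 0755 %{SOURCE2} %{buildroot}%{_bindir}/rekor-zypper-verify` (braced form for consistency with the `%{buildroot}` macros on the same line). The new binary is not added to `%files` in this hunk, so unless `%files` already globs `%{_bindir}/rekor-*` the build will fail on an unpackaged file; the `%files` list is outside the visible hunk and cannot be confirmed here. Since the script shells out to `zypper` at runtime, a `Requires: zypper` would document that dependency for the package.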