pool/rekor
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 985788 from home:msmeissn:branches:security

Browse Source 
- rekor-zypper-verify.sh: add a small script that verifies the on-system
  zypper repo cache against rekor transparency log.

OBS-URL: https://build.opensuse.org/request/show/985788
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=11
This commit is contained in:
Marcus Meissner 2022-06-29 12:42:40 +00:00 committed by Git OBS Bridge
parent 6c1414acb5
commit b4625ce4ba
3 changed files with 39 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
rekor-zypper-verify.sh Normal file
View File

@ -0,0 +1,31 @@
#!/bin/bash
#
# This scripts verifies presence of the current repomd signatures in the rekor log
# for each of existing libzypp tracked repos.
#
zypper -q refresh
for repo in /etc/zypp/repos.d/*.repo
do
if grep enabled=1 $repo >/dev/null; then
repodirname=`grep '^\[' "$repo"|sed -e 's/.*\[//;s/\].*//;'`
name="`grep ^name= $repo|sed -e 's/name=//;'`"
if [ "x$name" == "x" ]; then
name="$repodirname"
fi
# echo "name: $name, repodirname $repodirname"
repodata="/var/cache/zypp/raw/$repodirname/repodata"
if [ -d "$repodata" ]; then
if rekor-cli verify --artifact "$repodata/repomd.xml" --signature "$repodata/repomd.xml.asc" --public-key "$repodata/repomd.xml.key" >/dev/null 2>&1; then
echo "$name repomd.xml signature is in rekor log"
else
echo "$name repomd.xml signature is NOT in rekor log"
fi
else
echo "$name has no repodata/ directory in $repodata, not a RPM-MD repository?"
fi
fi
done

6
rekor.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Wed Jun 29 12:26:43 UTC 2022 - Marcus Meissner <meissner@suse.com>
- rekor-zypper-verify.sh: add a small script that verifies the on-system
zypper repo cache against rekor transparency log.
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Jun 20 06:54:51 UTC 2022 - Marcus Meissner <meissner@suse.com> Mon Jun 20 06:54:51 UTC 2022 - Marcus Meissner <meissner@suse.com>

2
rekor.spec
View File

@ -27,6 +27,7 @@ License: Apache-2.0
URL: https://github.com/sigstore/rekor URL: https://github.com/sigstore/rekor
Source: https://github.com/sigstore/rekor/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source: https://github.com/sigstore/rekor/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source1: vendor.tar.xz Source1: vendor.tar.xz
Source2: rekor-zypper-verify.sh
BuildRequires: golang-packaging BuildRequires: golang-packaging
BuildRequires: golang(API) BuildRequires: golang(API)
%{go_nostrip} %{go_nostrip}
@ -55,6 +56,7 @@ done
for app in %{apps} ; do for app in %{apps} ; do
install -D -m 0755 rekor-${app} %{buildroot}%{_bindir}/rekor-${app} install -D -m 0755 rekor-${app} %{buildroot}%{_bindir}/rekor-${app}
done done
install -m 0755 %SOURCE2 %{buildroot}%{_bindir}/rekor-zypp-verify
%files %files
%license LICENSE %license LICENSE