cfm · February 8, 2023 00:47
diff --git a/.gitignore b/.gitignore
 *.rpm
diff --git a/README.md b/README.md
diff --git a/buster.Dockerfile b/buster.Dockerfile
 FROM debian:buster

 RUN apt-get update

 RUN apt-get install --yes \
    expect \
 	gpg \
 	rpm \
    wget

 COPY ./test ./

 ENTRYPOINT ./test
diff --git a/fedora-27.Dockerfile b/fedora-27.Dockerfile
 FROM fedora:27

 RUN dnf install -y \
    gnupg2 \
    hostname \
    rpm-sign \
    wget \
    which

 COPY ./test ./

 ENTRYPOINT ./test
diff --git a/fedora-37.Dockerfile b/fedora-37.Dockerfile
 FROM fedora:37

 RUN dnf install -y \
    hostname \
    rpm-sign \
    wget

 COPY ./test ./

 ENTRYPOINT ./test
diff --git a/Makefile b/Makefile
 buster:
 	docker build -f buster.Dockerfile -t sdw-846-buster .
 	docker run sdw-846-buster

 fedora-27:
 	docker build -f fedora-27.Dockerfile -t sdw-846-f27 .
 	docker run sdw-846-f27

 fedora-37:
 	docker build -f fedora-37.Dockerfile -t sdw-846-f37 .
 	docker run sdw-846-f37
diff --git a/test b/test
 #!/bin/sh
 set -eux

 uid="$(whoami)@$(hostname)"
 gpg="$(which gpg || which gpg2)"
 cd /tmp

 # Generate a disposable signing key.
 $gpg --quick-generate-key \
 	--batch \
 	--passphrase "" \
 	"$uid"
 $gpg --export -a "$uid" > key
 rpm --import key

 # Set up RPM to sign with it.
 cat > ~/.rpmmacros <<EOF
 %_signature gpg
 %__gpg ${gpg}
 %_gpg_name ${uid}
 EOF

 # Grab one of our (freedomofpress/securedrop-workstation)'s packages.
 wget -O before.rpm https://yum.securedrop.org/workstation/dom0/f32/securedrop-workstation-dom0-config-0.7.0-1.fc32.noarch.rpm

 # Before:
 rpm --delsign before.rpm
 rpm --checksig before.rpm
 before=$(sha256sum before.rpm | cut -d " " -f 1)

 # Sign it:
 cp before.rpm after.rpm
 rpm --addsign after.rpm
 rpm --checksig after.rpm
 sha256sum after.rpm

 # After:
 rpm --delsign after.rpm
 rpm --checksig after.rpm
 after=$(sha256sum after.rpm | cut -d " " -f 1)

 # Check and report.
 rpm --version
 test "$after" = "$before" && echo "Hashes match!" || (
 	echo "Hashes do not match!  Pausing for 60 sec to let you grab the files for inspection (e.g., via diffoscope):" &&
 	echo "docker container cp \$CONTAINER_ID:/tmp/before.rpm ." &&
 	echo "docker container cp \$CONTAINER_ID:/tmp/after.rpm ." &&
 	sleep 60 &&
 	exit 1
 	)
Command	`rpm --version`	Result
`make buster`	4.14.2.1	`Hashes match!`
`make fedora-27`	4.14.2.1	`Hashes match!`
`make fedora-37`	4.18.0	`Hashes do not match!`
	FROM debian:buster

	RUN apt-get update

	RUN apt-get install --yes \
	expect \
	gpg \
	rpm \
	wget

	COPY ./test ./

	ENTRYPOINT ./test
	FROM fedora:27

	RUN dnf install -y \
	gnupg2 \
	hostname \
	rpm-sign \
	wget \
	which

	COPY ./test ./

	ENTRYPOINT ./test
	FROM fedora:37

	RUN dnf install -y \
	hostname \
	rpm-sign \
	wget

	COPY ./test ./

	ENTRYPOINT ./test
	buster:
	docker build -f buster.Dockerfile -t sdw-846-buster .
	docker run sdw-846-buster

	fedora-27:
	docker build -f fedora-27.Dockerfile -t sdw-846-f27 .
	docker run sdw-846-f27

	fedora-37:
	docker build -f fedora-37.Dockerfile -t sdw-846-f37 .
	docker run sdw-846-f37
	#!/bin/sh
	set -eux

	uid="$(whoami)@$(hostname)"
	gpg="$(which gpg \|\| which gpg2)"
	cd /tmp

	# Generate a disposable signing key.
	$gpg --quick-generate-key \
	--batch \
	--passphrase "" \
	"$uid"
	$gpg --export -a "$uid" > key
	rpm --import key

	# Set up RPM to sign with it.
	cat > ~/.rpmmacros <<EOF
	%_signature gpg
	%__gpg ${gpg}
	%_gpg_name ${uid}
	EOF

	# Grab one of our (freedomofpress/securedrop-workstation)'s packages.
	wget -O before.rpm https://yum.securedrop.org/workstation/dom0/f32/securedrop-workstation-dom0-config-0.7.0-1.fc32.noarch.rpm

	# Before:
	rpm --delsign before.rpm
	rpm --checksig before.rpm
	before=$(sha256sum before.rpm \| cut -d " " -f 1)

	# Sign it:
	cp before.rpm after.rpm
	rpm --addsign after.rpm
	rpm --checksig after.rpm
	sha256sum after.rpm

	# After:
	rpm --delsign after.rpm
	rpm --checksig after.rpm
	after=$(sha256sum after.rpm \| cut -d " " -f 1)

	# Check and report.
	rpm --version
	test "$after" = "$before" && echo "Hashes match!" \|\| (
	echo "Hashes do not match! Pausing for 60 sec to let you grab the files for inspection (e.g., via diffoscope):" &&
	echo "docker container cp \$CONTAINER_ID:/tmp/before.rpm ." &&
	echo "docker container cp \$CONTAINER_ID:/tmp/after.rpm ." &&
	sleep 60 &&
	exit 1
	)