mirror of
https://github.com/donl/homebrew-cask-versions.git
synced 2026-07-19 14:26:46 -06:00
Add methods for cryptographic authentication of Cask packages with
the GPG software suite.
Homebrew Cask invokes the system-standard `gpg` binary to import
keys to the GPG keychain, download signatures to versioned metadata
folders, and verify packages. Homebrew Cask aborts if any step fails.
GPG verification is not currently invoked during the audit or
installation processes, and is intentionally left undocumented.
Example usage:
gpg = Cask::GpgCheck.new(cask)
gpg.verify(package_archive_path) if gpg.available
50 lines
1.2 KiB
Ruby
50 lines
1.2 KiB
Ruby
class Cask::GpgCheck
|
|
attr_reader :available
|
|
|
|
def initialize(cask, command=Cask::SystemCommand)
|
|
@command = command
|
|
@cask = cask
|
|
@available = @cask.gpg ? installed? : false
|
|
end
|
|
|
|
def installed?
|
|
cmd = @command.run('/usr/bin/type',
|
|
:args => ['-p', 'gpg'])
|
|
|
|
# if `gpg` is found, return its absolute path
|
|
cmd.success? ? cmd.stdout : false
|
|
end
|
|
|
|
|
|
def fetch_sig(force=false)
|
|
unversioned_cask = @cask.version.is_a?(Symbol)
|
|
cached = @cask.metadata_subdir('gpg') unless unversioned_cask
|
|
|
|
meta_dir = cached || @cask.metadata_subdir('gpg', :now, true)
|
|
sig_path = meta_dir.join("signature.asc")
|
|
|
|
curl(@cask.gpg.signature, '-o', sig_path.to_s) unless cached || force
|
|
|
|
sig_path
|
|
end
|
|
|
|
def import_key
|
|
args = case
|
|
when @cask.gpg.key_id then ['--recv-keys', @cask.gpg.key_id]
|
|
when @cask.gpg.key_url then ['--fetch-key', @cask.gpg.key_url.to_s]
|
|
end
|
|
|
|
@command.run!('gpg', :args => args)
|
|
end
|
|
|
|
def verify(file)
|
|
import_key
|
|
sig = fetch_sig
|
|
|
|
ohai "Verifying GPG signature for #{@cask}"
|
|
|
|
@command.run!('gpg',
|
|
:args => ['--verify', sig, file],
|
|
:print_stdout => true)
|
|
end
|
|
end
|