Add signature verification option (#241)

Co-authored-by: Stéphane Peter <megastep@megastep.org>

makeself-header.sh

@@ -11,6 +11,7 @@ fi
 CRCsum="$CRCsum"
 MD5="$MD5sum"
 SHA="$SHAsum"
+SIGNATURE="$Signature"
 TMPROOT=\${TMPDIR:=/tmp}
 USER_PWD="\$PWD"
 export USER_PWD
@@ -161,6 +162,7 @@ MS_Help()
   \$0 --lsm    Print embedded lsm entry (or no LSM)
   \$0 --list   Print the list of files in the archive
   \$0 --check  Checks integrity of the archive
+  \$0 --verify-sig key Verify signature agains a provided key id
 
  2) Running \$0 :
   \$0 [options] [--] [additional arguments to embedded script]
@@ -190,6 +192,30 @@ MS_Help()
 EOH
 }
 
+MS_Verify_Sig()
+{
+    GPG_PATH=\`exec <&- 2>&-; which gpg || command -v gpg || type gpg\`
+    MKTEMP_PATH=\`exec <&- 2>&-; which mktemp || command -v mktemp || type mktemp\`
+    test -x "\$GPG_PATH" || GPG_PATH=\`exec <&- 2>&-; which gpg || command -v gpg || type gpg\`
+    test -x "\$MKTEMP_PATH" || MKTEMP_PATH=\`exec <&- 2>&-; which mktemp || command -v mktemp || type mktemp\`
+    skip_lines=\`expr \$(cat \$1 | wc -l) - \$skip + 1 | tr -d " "\`
+    temp_dir=\`mktemp -d -t XXXXX\`
+    echo \$SIGNATURE | base64 --decode > \$temp_dir/tmp_sig.gpg
+    gpg_result=\`tail -n \$skip_lines \$1 | $GPG_PATH --verify \$temp_dir/tmp_sig.gpg - 2>&1\`
+    rm -rf \$temp_dir
+    if [ "\$(echo \$gpg_result | grep -c Good)" -eq "1" ];then
+        if [ "\$(echo \$gpg_result | grep -c \$sig_key)" -eq "1" ];then
+            echo "Signature is good"
+        else
+            echo "Signature key does not match" >&2
+            exit 2
+        fi
+    else
+        echo "Signature is bad" >&2
+        exit 2
+    fi
+}
+
 MS_Check()
 {
     OLD_PATH="\$PATH"
@@ -320,6 +346,7 @@ ownership=$OWNERSHIP
 verbose=n
 cleanup=y
 cleanupargs=
+sig_key=
 
 initargs="\$@"
 
@@ -417,6 +444,11 @@ EOLSM
 	MS_Check "\$0" y
 	exit 0
 	;;
+    --verify-sig)
+    sig_key="\$2"
+    if ! shift 2; then MS_help; exit 1; fi
+    MS_Verify_Sig "\$0"
+    ;;
     --confirm)
 	verbose=y
 	shift

makeself.sh

@@ -158,6 +158,7 @@ MS_Usage()
     echo "    --nox11            : Disable automatic spawn of a xterm"
     echo "    --nowait           : Do not wait for user input after executing embedded"
     echo "                         program from an xterm"
+    echo "    --sign passphrase  : Signature private key to sign the package with"
     echo "    --lsm file         : LSM file describing the package"
     echo "    --license file     : Append a license file"
     echo "    --help-header file : Add a header to the archive's --help output"
@@ -205,12 +206,15 @@ TAR_EXTRA=""
 GPG_EXTRA=""
 DU_ARGS=-ks
 HEADER=`dirname "$0"`/makeself-header.sh
+SIGNATURE=""
 TARGETDIR=""
 NOOVERWRITE=n
 DATE=`LC_ALL=C date`
 EXPORT_CONF=n
 SHA256=n
 OWNERSHIP=n
+SIGN=n
+GPG_PASSPHRASE=""
 
 # LSM file stuff
 LSM_CMD="echo No LSM. >> \"\$archname\""
@@ -332,8 +336,13 @@ do
         shift 2 || { MS_Usage; exit 1; }
         ;;
     --target)
-	TARGETDIR="$2"
-	KEEP=y
+	  TARGETDIR="$2"
+	  KEEP=y
+    shift 2 || { MS_Usage; exit 1; }
+ 	  ;;
+    --sign)
+    SIGN=y
+    GPG_PASSPHRASE="$2"
     shift 2 || { MS_Usage; exit 1; }
     ;;
     --nooverwrite)
@@ -739,6 +748,19 @@ else
 		fi
 	fi
 fi
+if test "$SIGN" = y; then
+    GPG_PATH=`exec <&- 2>&-; which gpg || command -v gpg || type gpg`
+    if test -x "$GPG_PATH"; then
+        SIGNATURE=`$GPG_PATH --pinentry-mode=loopback --batch --yes --passphrase "$GPG_PASSPHRASE" --output - --detach-sig $tmpfile | base64 | tr -d \\\\n`
+    fi
+    if test "$QUIET" = "n"; then
+        if test -x "$GPG_PATH"; then
+            echo "Signature: $SIGNATURE"
+        else
+            echo "Signature: gpg couldn't sign the tmp file"
+        fi
+    fi
+fi
 
 totalsize=0
 for size in $fsize;
@@ -754,6 +776,7 @@ if test "$APPEND" = y; then
     CRCsum="$crcsum"
     MD5sum="$md5sum"
     SHAsum="$shasum"
+    Signature="$SIGNATURE"
     # Generate the header
     . "$HEADER"
     # Append the new data
@@ -769,6 +792,7 @@ else
     CRCsum="$crcsum"
     MD5sum="$md5sum"
     SHAsum="$shasum"
+    Signature="$SIGNATURE"
 
     # Generate the header
     . "$HEADER"

test/signtest

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+SUT=$(realpath $(dirname $0)/../makeself.sh)
+SOURCE=$(realpath ..)
+GPG_SECRET_KEY="secret_key.gpg"
+GPG_KEY_ID="64F66800CCC556CB7E8FE108EE8CE9E55B602BD9"
+BAD_GPG_KEY_ID="64F66800CCC556CB7E8FE108EE8CE9E55B602BD8"
+GPG_KEY_PASSPHRASE="123123"
+################################################################################
+
+setupGPGKey() 
+{
+  echo $GPG_KEY_PASSPHRASE | gpg --batch --yes --passphrase-fd 0 --import $GPG_SECRET_KEY
+}
+
+deleteGPGKey() 
+{
+  gpg --batch --yes --delete-secret-keys $GPG_KEY_ID
+}
+
+testCreateSingedArchive() 
+{
+    setupGPGKey
+    mkdir archive
+    touch archive/file
+    output=$($SUT --sign $GPG_KEY_PASSPHRASE archive makeself-test.run "Test" id)
+    assertReturn "$output" 0
+    assertEqual "$(echo $output | grep -c Signature:)" "1"
+    deleteGPGKey
+}
+
+testVerifySingedArchive()
+{
+    setupGPGKey
+    assertReturn "$(./makeself-test.run --verify-sig $GPG_KEY_ID --quiet)" 0
+    assertReturn "$(./makeself-test.run --verify-sig $BAD_GPG_KEY_ID --quiet)" 2
+    deleteGPGKey
+    rm -rf archive
+}
+
+################################################################################
+
+source bashunit/bashunit.bash