bureado · November 28, 2022 23:47
diff --git a/hash-to-buildinfo.sh b/hash-to-buildinfo.sh
 #!/bin/sh

 # Video: https://www.youtube.com/watch?v=Rv4ZlbMb1pE&list=PL9GzfK3UKP1vOcUkp3ayByoBY2pT641YN&index=3

 # Usage: ./hash-to-buildinfo.sh <.deb package>
 # Works with deb packages obtained from a Debian archive
 # Assumes rekor CLI is in ./

 # This all exists because https://unix.stackexchange.com/a/612931
 # https://unix.stackexchange.com/a/673157
 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=763822

 # Also read https://wiki.debian.org/SourceOnlyUpload
 # And https://buildinfos.debian.net/README.txt

 FILE=$1

 # https://buildinfos.debian.net/buildinfo-pool.list
 BILIST=./buildinfo-pool.list

 file $1 | grep 'Debian binary package' > /dev/null 2>&1 || exit 1

 PKGHAS=`sha1sum $FILE | cut -f1 -d' '`

 PKGNAM=`dpkg --info $FILE | egrep '^\s+(Package:)' | awk '{print $2;}'`
 PKGVER=`dpkg --info $FILE | egrep '^\s+(Version:)' | awk '{print $2;}'`
 PKGARC=`dpkg --info $FILE | egrep '^\s+(Architecture:)' | awk '{print $2;}'`

 echo "------------------"
 echo "$PKGHAS claims to be $PKGNAM, version $PKGVER for $PKGARC"
 echo "------------------"

 # TODO: binary to source mapping

 for file in `grep "${PKGNAM}_${PKGVER}" $BILIST | egrep "(${PKGARC}|source)" | grep -v kfreebsd`
 do
  BINAME=`basename $file`
  echo "Fetching $BINAME from buildinfos..."
  curl --silent -o $BINAME https://buildinfos.debian.net/$file
  echo "Verifying signature..."
  gpg --verify $BINAME
  echo "Finding references to the binary hash of interest in the buildinfo..."
  grep $PKGHAS $BINAME
  NAKEDSHA1=`cat $BINAME | sed -n '/^Format/,/-----BEGIN PGP SIGNATURE/p' | head -n -2 | sha1sum - | cut -f1 -d' '`
  NAKEDSHA256=`cat $BINAME | sed -n '/^Format/,/-----BEGIN PGP SIGNATURE/p' | head -n -2 | sha256sum - | cut -f1 -d' '`
  echo "The SHA1 of the unsigned buildinfo file is $NAKEDSHA256"
  echo "...you may visit https://buildinfo.debian.net/$NAKEDSHA1 for more information"
  # I guess inspired in https://rekor.sigstore.dev/api/v1/log/entries/42701a14f1695efcca791223759451f88cfbd624810d869a773df268fc37dc3d
  echo "Searching for $NAKEDSHA256 in rekor..."
  REKORUUID=`./rekor search --sha $NAKEDSHA256 2> /dev/null | tail -n1`
  [ ! -Z $REKORUUID ] && echo "...you may visit https://rekor.sigstore.dev/api/v1/log/entries/$REKORUUID for more information" || echo "Not found!"
  
  # TODO: dsc->orig logic
  # TODO: rebuilder logic
  # See https://beta.tests.reproducible-builds.org/debian.html and https://github.com/fepitre/package-rebuilder and rebuilderd
  echo "------------------"
 done
	#!/bin/sh

	# Video: https://www.youtube.com/watch?v=Rv4ZlbMb1pE&list=PL9GzfK3UKP1vOcUkp3ayByoBY2pT641YN&index=3

	# Usage: ./hash-to-buildinfo.sh <.deb package>
	# Works with deb packages obtained from a Debian archive
	# Assumes rekor CLI is in ./

	# This all exists because https://unix.stackexchange.com/a/612931
	# https://unix.stackexchange.com/a/673157
	# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=763822

	# Also read https://wiki.debian.org/SourceOnlyUpload
	# And https://buildinfos.debian.net/README.txt

	FILE=$1

	# https://buildinfos.debian.net/buildinfo-pool.list
	BILIST=./buildinfo-pool.list

	file $1 \| grep 'Debian binary package' > /dev/null 2>&1 \|\| exit 1

	PKGHAS=`sha1sum $FILE \| cut -f1 -d' '`

	PKGNAM=`dpkg --info $FILE \| egrep '^\s+(Package:)' \| awk '{print $2;}'`
	PKGVER=`dpkg --info $FILE \| egrep '^\s+(Version:)' \| awk '{print $2;}'`
	PKGARC=`dpkg --info $FILE \| egrep '^\s+(Architecture:)' \| awk '{print $2;}'`

	echo "------------------"
	echo "$PKGHAS claims to be $PKGNAM, version $PKGVER for $PKGARC"
	echo "------------------"

	# TODO: binary to source mapping

	for file in `grep "${PKGNAM}_${PKGVER}" $BILIST \| egrep "(${PKGARC}\|source)" \| grep -v kfreebsd`
	do
	BINAME=`basename $file`
	echo "Fetching $BINAME from buildinfos..."
	curl --silent -o $BINAME https://buildinfos.debian.net/$file
	echo "Verifying signature..."
	gpg --verify $BINAME
	echo "Finding references to the binary hash of interest in the buildinfo..."
	grep $PKGHAS $BINAME
	NAKEDSHA1=`cat $BINAME \| sed -n '/^Format/,/-----BEGIN PGP SIGNATURE/p' \| head -n -2 \| sha1sum - \| cut -f1 -d' '`
	NAKEDSHA256=`cat $BINAME \| sed -n '/^Format/,/-----BEGIN PGP SIGNATURE/p' \| head -n -2 \| sha256sum - \| cut -f1 -d' '`
	echo "The SHA1 of the unsigned buildinfo file is $NAKEDSHA256"
	echo "...you may visit https://buildinfo.debian.net/$NAKEDSHA1 for more information"
	# I guess inspired in https://rekor.sigstore.dev/api/v1/log/entries/42701a14f1695efcca791223759451f88cfbd624810d869a773df268fc37dc3d
	echo "Searching for $NAKEDSHA256 in rekor..."
	REKORUUID=`./rekor search --sha $NAKEDSHA256 2> /dev/null \| tail -n1`
	[ ! -Z $REKORUUID ] && echo "...you may visit https://rekor.sigstore.dev/api/v1/log/entries/$REKORUUID for more information" \|\| echo "Not found!"

	# TODO: dsc->orig logic
	# TODO: rebuilder logic
	# See https://beta.tests.reproducible-builds.org/debian.html and https://github.com/fepitre/package-rebuilder and rebuilderd
	echo "------------------"
	done