1 #!/bin/bash
2
3 # Copyright (c) 2001 Anthony Towns <ajt@debian.org>
4 #
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 2 of the License, or
8 # (at your option) any later version.
9 #
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13 # GNU General Public License for more details.
14
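# Scratch directory for this run. The name is fixed because the reporting
# code further down cd's into, and finally removes, this same path.
# Plain mkdir (no -p) fails if the path already exists, so a directory or
# symlink planted in /tmp between the rm and the mkdir is never adopted;
# -m 700 keeps other local users out of the working files.
rm -rf /tmp/apt-release-check
mkdir -m 700 /tmp/apt-release-check || exit 1
# Stop rather than create the result files in whatever directory we started in.
cd /tmp/apt-release-check || exit 1

# Result lists, one file name per line; checkit appends to them.
: >OK
: >MISSING
: >NOCHECK
: >BAD

# Debian architecture, used to build the binary-<arch> index paths.
# --print-installation-architecture is the historical spelling; fall back to
# --print-architecture on dpkg versions that no longer accept it.
arch=$(dpkg --print-installation-architecture 2>/dev/null) ||
        arch=$(dpkg --print-architecture)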
25
am_root () {
        # Succeeds (status 0) only when id -u reports UID 0.
        local uid
        uid=$(id -u)
        [ "$uid" -eq 0 ]
}
29
30 get_md5sumsize () {
31         cat "$1" | awk '/^MD5Sum:/,/^SHA1:/' | 
32           MYARG="$2" perl -ne '@f = split /\s+/; if ($f[3] eq $ENV{"MYARG"}) { print "$f[1] $f[2]\n"; exit(0); }'
33 }
34
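checkit () {
        # Compare one downloaded index in /var/lib/apt/lists with the checksum
        # and size recorded for it in ./Release.
        #   $1 - file name inside /var/lib/apt/lists
        #   $2 - path of the same index as it is listed in the Release file
        # Prints exactly one verdict on stdout (OK, "MISSING <md5> <size>",
        # NOCHECK or BAD) and appends $1 to the result file of the same name in
        # the current directory. The one exception: a file that is absent and
        # not listed in Release prints OK and is recorded nowhere.
        # NOTE(review): the comparison is MD5 plus size only; see get_md5sumsize.
        local FILE="$1"
        local LOOKUP="$2"
        local LIST="/var/lib/apt/lists/$FILE"
        # Kept local so a direct call cannot clobber the caller's X and Y.
        local X Y

        # Expected "<md5> <size>", whitespace-normalised. Empty when Release has
        # no entry, which includes the case where the caller emptied Release
        # because its signature did not verify.
        Y="$(get_md5sumsize Release "$LOOKUP")"
        Y="$(echo "$Y" | sed 's/^ *//;s/  */ /g')"

        if [ ! -e "$LIST" ]; then
                if [ "$Y" = "" ]; then
                        # No file, but not needed anyway
                        echo "OK"
                        return
                fi
                echo "$FILE" >>MISSING
                echo "MISSING $Y"
                return
        fi
        if [ "$Y" = "" ]; then
                # File is present but nothing trustworthy to compare it with.
                echo "$FILE" >>NOCHECK
                echo "NOCHECK"
                return
        fi
        # Actual "<md5> <size>" of the file on disk. The path is quoted so a
        # name containing whitespace cannot turn into an ambiguous redirect.
        X="$(md5sum < "$LIST" | cut -d' ' -f1) $(wc -c < "$LIST")"
        X="$(echo "$X" | sed 's/^ *//;s/  */ /g')"
        if [ "$X" != "$Y" ]; then
                echo "$FILE" >>BAD
                echo "BAD"
                return
        fi
        echo "$FILE" >>OK
        echo "OK"
}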
67
# Banner and a reminder that the Origin/Suite/Date lines printed for each
# source are meant to be read and judged by the operator.
printf '\n%s\n%s\n\n' \
  "Checking sources in /etc/apt/sources.list:" \
  "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
fmt <<'EOF'
You should take care to ensure that the distributions you're downloading
are the ones you think you are downloading, and that they are as up to
date as you would expect (testing and unstable should be no more than
two or three days out of date, stable-updates no more than a few weeks
or a month).
EOF
echo
79
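# For every http/ftp entry in sources.list: download the suite's Release and
# Release.gpg, verify the signature with gpgv, then check each component's
# indexes in /var/lib/apt/lists against that Release via checkit.
# read -r keeps backslashes in an entry literal.
sed 's/^ *//' /etc/apt/sources.list | grep '^[^#]' |
  while read -r ty url dist comps; do
        scheme="${url%%:*}"
        if [ "$scheme" = "http" ] || [ "$scheme" = "ftp" ]; then
                baseurl="${url#*://}"
        else
                # Any other second field is skipped; list files belonging to
                # such entries are not checked by this loop.
                continue
        fi

        echo "Source: ${ty} ${url} ${dist} ${comps}"

        rm -f Release Release.gpg
        # The lynx output is discarded; presumably this request is only there
        # to make intermediate caches refetch before wget downloads the file.
        lynx -reload -dump "${url}/dists/${dist}/Release" >/dev/null 2>&1
        wget -q -O Release "${url}/dists/${dist}/Release"

        if ! grep -q '^' Release; then
                echo "  * NO TOP-LEVEL Release FILE"
                : >Release
        else
                origline=$(sed -n 's/^Origin: *//p' Release | head -1)
                lablline=$(sed -n 's/^Label: *//p' Release | head -1)
                suitline=$(sed -n 's/^Suite: *//p' Release | head -1)
                codeline=$(sed -n 's/^Codename: *//p' Release | head -1)
                dateline=$(grep "^Date:" Release | head -1)
                dscrline=$(grep "^Description:" Release | head -1)
                # Printed for the operator to judge; nothing below enforces an
                # age limit on the Date field.
                echo "  o Origin: $origline/$lablline"
                echo "  o Suite: $suitline/$codeline"
                echo "  o $dateline"
                echo "  o $dscrline"

                if [ "${dist%%/*}" != "$suitline" ] && [ "${dist%%/*}" != "$codeline" ]; then
                        echo "  * WARNING: asked for $dist, got $suitline/$codeline"
                fi

                lynx -reload -dump "${url}/dists/${dist}/Release.gpg" >/dev/null 2>&1
                wget -q -O Release.gpg "${url}/dists/${dist}/Release.gpg"

                # gpgv is given no --keyring, so it checks against the invoking
                # user's default gpgv keyring rather than apt's trusted keys.
                # NOTE(review): confirm that keyring holds the archive keys you
                # expect. Only the machine-readable status lines (fd 3) are
                # read; gpgv's own stdout and stderr are dropped.
                gpgv --status-fd 3 Release.gpg Release 3>&1 >/dev/null 2>&1 |
                  sed -n "s/^\[GNUPG:\] //p" |
                  (okay=0; err=""
                   while read -r gpgcode rest; do
                        case "$gpgcode" in
                        GOODSIG)
                                if [ "$err" != "" ]; then
                                        echo "  * Signed by ${err# } key: ${rest#* }"
                                else
                                        echo "  o Signed by: ${rest#* }"
                                        okay=1
                                fi
                                err=""
                                ;;
                        BADSIG)
                                echo "  * BAD SIGNATURE BY: ${rest#* }"
                                err=""
                                ;;
                        ERRSIG)
                                echo "  * COULDN'T CHECK SIGNATURE BY KEYID: ${rest%% *}"
                                err=""
                                ;;
                        EXPKEYSIG)
                                # Reported by GnuPG in place of GOODSIG when the
                                # signing key has expired; never counts as valid.
                                echo "  * Signed by EXPIRED key: ${rest#* }"
                                err=""
                                ;;
                        REVKEYSIG)
                                # Same for a revoked signing key.
                                echo "  * Signed by REVOKED key: ${rest#* }"
                                err=""
                                ;;
                        EXPSIG)
                                # The signature itself has expired.
                                echo "  * EXPIRED SIGNATURE BY: ${rest#* }"
                                err=""
                                ;;
                        SIGREVOKED)
                                err="$err REVOKED"
                                ;;
                        SIGEXPIRED)
                                err="$err EXPIRED"
                                ;;
                        esac
                   done
                   if [ "$okay" != 1 ]; then
                        echo "  * NO VALID SIGNATURE"
                        # Fail closed: with Release emptied, every lookup in
                        # checkit comes back empty and the indexes end up as
                        # NOCHECK instead of being trusted.
                        : >Release
                   fi)
        fi
        okaycomps=""
        # $comps is left unquoted on purpose: it holds the space-separated
        # component names from the sources.list line.
        for comp in $comps; do
                if [ "$ty" = "deb" ]; then
                        sub="${comp}/binary-${arch}"
                        # List file names are the URL path with every run of '/'
                        # replaced by '_', so they contain no slash.
                        X=$(checkit "$(echo "${baseurl}/dists/${dist}/${sub}/Release" | sed 's,//*,_,g')" "${sub}/Release")
                        Y=$(checkit "$(echo "${baseurl}/dists/${dist}/${sub}/Packages" | sed 's,//*,_,g')" "${sub}/Packages")
                        if [ "$X $Y" = "OK OK" ]; then
                                okaycomps="$okaycomps $comp"
                        else
                                echo "  * PROBLEMS WITH $comp ($X, $Y)"
                        fi
                elif [ "$ty" = "deb-src" ]; then
                        sub="${comp}/source"
                        X=$(checkit "$(echo "${baseurl}/dists/${dist}/${sub}/Release" | sed 's,//*,_,g')" "${sub}/Release")
                        Y=$(checkit "$(echo "${baseurl}/dists/${dist}/${sub}/Sources" | sed 's,//*,_,g')" "${sub}/Sources")
                        if [ "$X $Y" = "OK OK" ]; then
                                okaycomps="$okaycomps $comp"
                        else
                                echo "  * PROBLEMS WITH component $comp ($X, $Y)"
                        fi
                fi
        done
        [ "$okaycomps" = "" ] || echo "  o Okay:$okaycomps"
        echo
  done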
166
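echo "Results"
echo "~~~~~~~"
echo

# Flipped to false by each report section below that has something to show.
allokay=true

# Stop if the scratch directory is gone instead of reading result files from
# some other directory.
cd /tmp/apt-release-check || exit 1
# UNVALIDATED = top-level files in /var/lib/apt/lists whose name contains '_'
# and that appear in none of the four result lists. -maxdepth is placed before
# -type, which is the order GNU find expects for global options.
diff <(cat BAD MISSING NOCHECK OK | sort) \
     <(cd /var/lib/apt/lists && find . -maxdepth 1 -type f | sed 's,^\./,,g' | grep '_' | sort) |
  sed -n 's/^> //p' >UNVALIDATED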
175
cd /tmp/apt-release-check
# Report list files that no sources.list entry accounted for.
if grep -q '^' UNVALIDATED; then
    allokay=false
    fmt <<'EOF'
The following files in /var/lib/apt/lists have not been validated.
This could turn out to be a harmless indication that this script
is buggy or out of date, or it could let trojaned packages get onto
your system.
EOF
    echo
    sed 's/^/    /' UNVALIDATED
    echo
fi
188
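# Report indexes whose MD5/size differ from the Release entry and, when
# running as root, rename them to *.FAILED.
if grep -q '^' BAD; then
    allokay=false
    (echo "The contents of the following files in /var/lib/apt/lists does not"
    echo "match what was expected. This may mean these sources are out of date,"
    echo "that the archive is having problems, or that someone is actively"
    echo "using your mirror to distribute trojans."
    if am_root; then
        echo "The files have been renamed to have the extension .FAILED and"
        echo "will be ignored by apt."
        # Names in BAD were written by checkit and have every '/' replaced by
        # '_', so each one stays inside /var/lib/apt/lists. Quoting and -r keep
        # names with whitespace or backslashes intact for the rename.
        while read -r a; do
            mv -- "/var/lib/apt/lists/$a" "/var/lib/apt/lists/${a}.FAILED"
        done <BAD
    fi) | fmt
    echo
    sed 's/^/    /' < BAD
    echo
fi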
206
# Report indexes that the Release file lists but that are absent locally.
if grep -q '^' MISSING; then
    allokay=false
    fmt <<'EOF'
The following files from /var/lib/apt/lists were missing. This
may cause you to miss out on updates to some vulnerable packages.
EOF
    echo
    sed 's/^/    /' MISSING
    echo
fi
216
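# Report indexes that had no usable entry in a signed Release file and, when
# running as root, rename them to *.FAILED.
if grep -q '^' NOCHECK; then
    allokay=false
    (echo "The contents of the following files in /var/lib/apt/lists could not"
    echo "be validated due to the lack of a signed Release file, or the lack"
    echo "of an appropriate entry in a signed Release file. This probably"
    echo "means that the maintainers of these sources are slack, but may mean"
    echo "these sources are being actively used to distribute trojans."
    if am_root; then
        echo "The files have been renamed to have the extension .FAILED and"
        echo "will be ignored by apt."
        # Names in NOCHECK were written by checkit and have every '/' replaced
        # by '_', so each one stays inside /var/lib/apt/lists. Quoting and -r
        # keep names with whitespace or backslashes intact for the rename.
        while read -r a; do
            mv -- "/var/lib/apt/lists/$a" "/var/lib/apt/lists/${a}.FAILED"
        done <NOCHECK
    fi) | fmt
    echo
    sed 's/^/    /' < NOCHECK
    echo
fi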
235
# allokay holds the command name true or false, so it is run directly.
# NOTE(review): the script's exit status is that of the final rm, not of the
# checks above; automation has to parse the report text to detect failures.
$allokay && {
    echo 'Everything seems okay!'
    echo
}

# Remove the scratch directory and the result lists in it.
rm -rf /tmp/apt-release-check