Implement GPG verification of autotools tarballs

Author: schweikert

CHANGELOG.md

@@ -43,6 +43,7 @@ fping 5.5-rc1 (2025-12-21)
 - Updated autoconf from 2.71 to 2.72
 - Updated automake from 1.16.5 to 1.18.1
 - Updated libtool from 2.4.6 to 2.5.4
+- Implemented verification of autotools tarballs in Github actions.
 
 fping 5.4 (2025-04-19)
 ======================

ci/build-1-autotools.sh

@@ -10,8 +10,8 @@ fi
 # We keep our own list of mirrors because https://ftpmirror.gnu.org is
 # unreliable (frequent errors from selected mirror).
 MIRRORS=(
-    https://mirror.cs.odu.edu/gnu
     https://mirrors.ocf.berkeley.edu/gnu
+    https://mirror.cs.odu.edu/gnu
     https://ftp.gnu.org/gnu
 )
 
@@ -21,6 +21,7 @@ LIBTOOL_REL=libtool/libtool-2.5.4.tar.gz
 
 PREFIX=$(pwd)/ci/build
 PATH=$(pwd)/ci/build/bin:$PATH
+KEYRING=$(pwd)/ci/fping-deps.gpg
 
 if [ ! -d ci ]; then
     echo "you must run this in the root fping directory" >&2
@@ -30,38 +31,53 @@ fi
 # remove standard versions
 sudo apt-get remove -qq autoconf automake autotools-dev libtool
 
+# install dependencies
+sudo apt-get install -y gpgv
+
 # prepare build environment
 cd ci
 rm -rf build
 mkdir -p build/src
 cd build/src
 
-install_release() {
-    local relpath=$1
-    local file=$(basename "$relpath")
-    local dir="${file%%.tar.*}"
-
-    local success=0
+mirror_fetch() {
+    local relpath="$1"
     for mirror in "${MIRRORS[@]}"; do
         local url="$mirror/$relpath"
-        if wget -t 3 -O "$file" "$url"; then
-            success=1
-            break
+        if wget -t 3 "$url"; then
+            return 0
         fi
     done
+    return 1
+}
+
+install_release() {
+    local relpath="$1"
+    local file=$(basename "$relpath")
+    local dir="${file%%.tar.*}"
 
-    if [ $success -eq 0 ]; then
+    if ! mirror_fetch "$relpath"; then
         echo "Failed to download $relpath from any mirror" >&2
         exit 1
     fi
 
+    if ! mirror_fetch "$relpath.sig"; then
+        echo "Failed to download $relpath.sig from any mirror" >&2
+        exit 1
+    fi
+
+    if ! gpgv --keyring "$KEYRING" "$file.sig" "$file"; then
+        echo "GPG verification failed for $file"
+        exit 1
+    fi
+
     tar xf "$file"
     (
         cd "$dir"
         ./configure --prefix=$PREFIX
         make install
     )
-    rm "$file"
+    rm "$file" "$file.sig"
 }
 
 # autoconf

ci/fping-deps.gpg

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+set -e
+
+# Configuration
+GNU_KEYRING_URL="https://ftp.gnu.org/gnu/gnu-keyring.gpg"
+TMP_KEYRING="gnu-keyring.gpg"
+OUTPUT_KEYRING="ci/fping-deps.gpg"
+
+# Maintainer emails to extract their keys from the GNU keyring.
+MAINTAINER_EMAILS=(
+    "zackw@panix.com"             # Autoconf: Zack Weinberg
+    "karl@freefriends.org"        # Automake: Karl Berry
+    "ileanadumi95@protonmail.com" # Libtool: Ileana Dumitrescu
+)
+
+# Step 1: Initialize an isolated environment to avoid side effects.
+export GNUPGHOME="$(mktemp -d)"
+chmod 700 "$GNUPGHOME"
+echo "Initialized isolated GNUPGHOME at $GNUPGHOME"
+cleanup() {
+    rm -rf "$GNUPGHOME"
+    rm -f "$TMP_KEYRING"
+    echo "Cleaned up."
+}
+trap cleanup EXIT
+
+# Step 2: Download the official GNU Keyring (relies on https certificate checking).
+echo "Downloading GNU Keyring from $GNU_KEYRING_URL"...
+wget -q -O "$TMP_KEYRING" "$GNU_KEYRING_URL"
+
+# Step 3: Extract the specific keys we need.
+echo "Extracting maintainer keys from GNU Keyring..."
+for EMAIL in "${MAINTAINER_EMAILS[@]}"; do
+    # Verify that the key exists in the keyring
+    if ! gpg --no-default-keyring --keyring "./$TMP_KEYRING" --list-keys "$EMAIL" > /dev/null 2>&1; then
+        echo "Error: No key found for $EMAIL in GNU Keyring!"
+        exit 1
+    fi
+    echo "Found key(s) for $EMAIL"
+done
+
+# Export specific keys to our project keyring.
+gpg --no-default-keyring --keyring "./$TMP_KEYRING" --export \
+    "${MAINTAINER_EMAILS[@]}" \
+    > "$OUTPUT_KEYRING"
+
+echo "Success! Updated $OUTPUT_KEYRING with keys from the official GNU Keyring."