From bf3c54b75ec397f330ccdddc8cc82fceee7c4130 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=B6ren=20Tempel?= Date: Mon, 16 Nov 2015 13:30:14 +0100 Subject: main/dnssec-root: cleanup --- main/dnssec-root/APKBUILD | 70 ++++++++++++++++++++--------------------------- 1 file changed, 30 insertions(+), 40 deletions(-) (limited to 'main') diff --git a/main/dnssec-root/APKBUILD b/main/dnssec-root/APKBUILD index 425a7e931e..4bade416a0 100644 --- a/main/dnssec-root/APKBUILD +++ b/main/dnssec-root/APKBUILD @@ -1,43 +1,33 @@ +# Contributor: Sören Tempel # Contributor: Natanael Copa # Maintainer: Natanael Copa pkgname=dnssec-root pkgver=20100715 -pkgrel=2 +pkgrel=3 pkgdesc="The DNSSEC root key(s)" url="https://www.iana.org/dnssec/" arch="noarch" license="public-domain" depends="" -makedepends="libxslt gnupg openssl" +makedepends="libxslt gnupg bind-tools" install="" subpackages="" source="https://data.iana.org/root-anchors/icann.pgp - https://data.iana.org/root-anchors/Kjqmt7v.csr + https://data.iana.org/root-anchors/root-anchors.xml https://data.iana.org/root-anchors/root-anchors.asc anchors2ds.xsl " +# Modeled after the following approach: # http://permalink.gmane.org/gmane.network.dns.unbound.user/1039 -_builddir="$srcdir"/build -_dnssecdir="usr/share/dnssec" +_keyflags=257 +_hashalgo=-2 + +_builddir="$srcdir"/$pkgname-$pkgver prepare() { + cd "$srcdir" mkdir -p "$_builddir" - cd "$_builddir" - - # curl https://data.iana.org/root-anchors/root-anchors.xml - cat >root-anchors.xml< - -. - -19036 -8 -2 -49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 - - -EOF ( export GNUPGHOME="$_builddir"/gpg @@ -46,43 +36,43 @@ EOF gpg --verify "$srcdir"/root-anchors.asc \ root-anchors.xml ) || return 1 - -# the cert in p7s file expired: -# curl http://data.iana.org/root-anchors/root-anchors.p7s \ -# | openssl pkcs7 -inform DER -print_certs \ -# | openssl x509 -noout -text \ -# | grep 'Not After' -# Not After : Jun 28 22:32:16 2014 GMT - -# openssl smime -verify -content "$srcdir"/root-anchors-$pkgver.xml \ -# -in "$srcdir"/root-anchors.p7s -inform der \ -# -CAfile "$srcdir"/icannbundle.pem \ -# || return 1 } build() { cd "$_builddir" - xsltproc -o root-anchors.txt "$srcdir"/anchors2ds.xsl root-anchors.xml + xsltproc -o root-anchors.txt "$srcdir"/anchors2ds.xsl "$srcdir"/root-anchors.xml + + dig DNSKEY . | grep -w $_keyflags > untrusted.key + dnssec-dsfromkey $_hashalgo untrusted.key > untrusted.ds + cut -d ' ' -f1-6 untrusted.ds | tr '\n' ' ' > root-anchors.tmp + cut -d ' ' -f7- untrusted.ds | sed 's/ //g' | tr '\n' ' ' >> root-anchors.tmp + printf '\n' >> root-anchors.tmp + if ! cmp root-anchors.txt root-anchors.tmp; then + echo "DNSKEY is invalid, don't continue." 1>&2 + exit 1 + fi + + awk '{print $1 "\t" $2 "\t" $3 "\t" $4 "\t" $5 " " $6 " " $7; for (i = 8; i <= NF; i++) printf $i}' \ + untrusted.key | tr '\n' ' ' > trusted-key.key + printf "\n" >> trusted-key.key } package() { - cd "$_builddir" - mkdir -p "$pkgdir"/$_dnssecdir - install root-anchors.xml root-anchors.txt "$srcdir"/Kjqmt7v.csr \ - "$pkgdir"/$_dnssecdir || return 1 + install -Dm644 "$_builddir"/trusted-key.key \ + "$pkgdir"/usr/share/$pkgname/trusted-key.key || return 1 } md5sums="041a789ee96301623d3e66e4d52c8a0b icann.pgp -427766bf91c674c4f0469ed363f207a8 Kjqmt7v.csr +69e6f9b67e92fbc952d488cc6f67198f root-anchors.xml a5612e1b84a75c29b642b9342286c511 root-anchors.asc 1043c559c923279600a6da395b794597 anchors2ds.xsl" sha256sums="3e9beaaf9bbd1fe78a0d104230cbc04d544e833a2dc6b982992f74a4860a9ae8 icann.pgp -401120c1721ba100b2d9abf2d01332399535ba0f9c71dbd9f97232c5ebd608d2 Kjqmt7v.csr +dfb281b771dc854c18d1cff9d2eecaf184cf7a9668606aaa33e8f01bf4b4d8e4 root-anchors.xml 5bffcac53f810c5fb1e1baf543e2de2f10ec99d7f7cddb5f1e47b1e58cf34cfa root-anchors.asc 2cc436e29e5bfd39c055390045a4c14dfae517ebdad79002983756a508a15e8f anchors2ds.xsl" sha512sums="5fba8334850f2ae753f4f8a30d1e6c62abc341ece2dc83df4bc0f6db2b91ae68942c0d2a38eab3d33b5b91640cd1cf0970777225c15d5f961884c00077d539a2 icann.pgp -8e47be5054bbb801cb914d94a6f0d1e6b9b2eba387714f011f118bf8af6dacfe24a2dec80525ad005c545fa15fd8413cf90615e6d5c50d7925daa4aefff77112 Kjqmt7v.csr +bca506c852bc83aa9d04ed0b52bef6d0baec745e466292273d52f49fd73cec73db4c6d55a9921fe086c7edc618f3ab21dc03146b6d617644495b3926e262e572 root-anchors.xml e9c86b897d7e8edb979cba4bebe353b7c7f21b4061cd6f571c8671b02e73c2ea0b78a980169fa7d40987b9e962a0f1ba17dbb392b5ec6ad14fedce65a139c913 root-anchors.asc 5b496d8f7fcb6a1241d889221f539b68485fea356feec13a94329b0807768c543c828c2821567f59d6a56931a6b2ea22827e49a1527582e3dda844d61c28b198 anchors2ds.xsl" -- cgit v1.2.3