mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-29 21:25:35 +00:00
226427e5a2
We can just check the GPG signature for the upstream tarballs that are GPG signed. We keep a copy of the relevant GPG keys in tree so that we only use a controlled set of keys. I validated the GPG keys by: - Creating a fresh keyring. - Importing the keys with gpg --receive-key. - Importing my own GPG public key in that keyring. - Importing the gpg keys that the PGP pathfinder told me were on the path to those keys (which weren't directly in their keyring, so I had to manually find some steps first). - Using `gpg --check-sigs` to validate that the all those keys I got are the right ones. Then the relevant GPG keys were exported with `gpg --export --armor` and stripped with https://github.com/glandium/pgpstrip/. For MPC, the first GPG-signed version upstream was 0.8.2, while the GCC script to download prerequisites downloads 0.8.1. So instead of using 0.8.1, we use 0.8.2, which we can verify. For GMP, the GCC script downloads 4.3.2. The only web-of-trust path is through a revoked key, which signs a revoked uid of the GMP key. Releases newer than 5.1.0 are signed with a new key that can be validated with the steps above. So instead of using 4.3.2, we use 5.1.3 (last of the 5.1.x line). But MPFR 2.4.2, which the GCC script downloads, doesn't build against GMP 5.1.3, so instead of that, we use MPFR 3.1.5. Sadly, the remaining GCC prerequisites are not signed, so I had to: - Download the files from ftp.gnu.org. - Download the corresponding files from snapshot.debian.org. - Compare the raw files when possible, or the uncompressed (not extracted) files (when, thankfully, they matched). - Validate those snapshot.debian.org files checksums against the checksums in the corresponding Sources.bz2/xz files. - Validate the Sources.bz2/xz checksums against the corresponding InRelease files. - Validate the InRelease files GPG signatures against the Debian archives keyring. With all those things we actually don't get through the GCC script, we also change how we get those prerequisites, by diverting the commands the script runs and making it output the urls instead of downloading and extracting the files. All downloaded files, GPG-validated or otherwise, have their SHA-256 digest checked against a list in build/unix/build-gcc/checksums. --HG-- extra : rebase_source : e6809a6ac392e6c5f99801826e1d30bdeee7ddf5 |
||
---|---|---|
.. | ||
07F3DBBECC1A39605078094D980C197698C3739D.key | ||
33C235A34C46AA3FFB293709A328C3A2C3C45C06.key | ||
343C2FF0FBEE5EC2EDBEF399F3599FF828C67298.key | ||
13975A70E63C361C73AE69EF6EEB81F8981C74C7.key | ||
AD17A21EF8AED8F1CC02DBD9F7D5C9BF765C61E3.key | ||
build-gcc.sh | ||
checksums | ||
EAF1C276A747E9ED86210CBAC3126D3B4AE55E93.key | ||
PR64905.patch |