authorWerner Koch <wk@gnupg.org>2014-08-19 12:49:45 +0200
committerWerner Koch <wk@gnupg.org>2014-08-19 12:49:45 +0200
commit31649e72fd106a990614ce3cf720640a841ba722 (patch)
treec0b38dbe3def56bb61db5bd62e31b5efa5cc85d4 /build-aux
parentbuild: Create VERSION file via autoconf. (diff)
speedo: Get version numbers from online database.
* build-aux/getswdb.sh: New. * build-aux/speedo.mk: Get release version numbers from swdb.lst. -- This should make maintaining GnuPG installations easier. Running make -f /foo/gnupg/build-aux/speedo.mk TARGETOS=native WHAT=release downloads all GnuPG related packages and builds them. The gnupg directory may be a GIT checkout but in that case please run ./autogen.sh on it first. Note that currently swdb.lst is always downloaded from gnupg.org and thus monitoring the network or the gnupg machine reveals information on who is currently building GnuPG. If there is an easy way to detect that TOR is enabled this can be changed to directly download from the GnuPG hidden service.
Diffstat (limited to 'build-aux')
-rwxr-xr-xbuild-aux/getswdb.sh121
-rw-r--r--build-aux/speedo.mk65
2 files changed, 163 insertions, 23 deletions
diff --git a/build-aux/getswdb.sh b/build-aux/getswdb.sh
new file mode 100755
index 000000000..aa889ee79
--- /dev/null
+++ b/build-aux/getswdb.sh
@@ -0,0 +1,121 @@
+#!/bin/sh
+# Get the online version of the GnuPG software version database
+# Copyright (C) 2014 Werner Koch
+#
+# This file is free software; as a special exception the author gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
+# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+# The URL of the file to retrieve.
+urlbase="https://www.gnupg.org/"
+
+WGET=wget
+GPGV=gpgv
+
+srcdir=$(dirname "$0")
+distsigkey="$srcdir/../g10/distsigkey.gpg"
+
+# Convert a 3 part version number it a numeric value.
+cvtver () {
+ awk 'NR==1 {split($NF,A,".");X=1000000*A[1]+1000*A[2]+A[3];print X;exit 0}'
+}
+
+# Prints usage information.
+usage()
+{
+ cat <<EOF
+Usage: $(basename $0) [OPTIONS]
+Get the online version of the GnuPG software version database
+Options:
+ --skip-download Assume download has already been done.
+ --help Print this help.
+EOF
+ exit $1
+}
+
+#
+# Parse options
+#
+skip_download=no
+while test $# -gt 0; do
+ case "$1" in
+ # Set up `optarg'.
+ --*=*)
+ optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'`
+ ;;
+ *)
+ optarg=""
+ ;;
+ esac
+
+ case $1 in
+ --help|-h)
+ usage 0
+ ;;
+ --skip-download)
+ skip_download=yes
+ ;;
+ *)
+ usage 1 1>&2
+ ;;
+ esac
+ shift
+done
+
+# Get GnuPG version from VERSIOn file. For a GIT checkout this means
+# that ./autogen.sh must have been run first. For a regular tarball
+# VERSION is always available.
+if [ ! -f "$srcdir/../VERSION" ]; then
+ echo "VERSION file missing - run autogen.sh first." >&2
+ exit 1
+fi
+version=$(cat "$srcdir/../VERSION")
+version_num=$(echo "$version" | cvtver)
+
+#
+# Download the list and verify.
+#
+if [ $skip_download = yes ]; then
+ if [ ! -f swdb.lst ]; then
+ echo "swdb.lst is missing." >&2
+ exit 1
+ fi
+ if [ ! -f swdb.lst.sig ]; then
+ echo "swdb.lst.sig is missing." >&2
+ exit 1
+ fi
+else
+ if ! $WGET -q -O swdb.lst "$urlbase/swdb.lst" ; then
+ echo "download of swdb.lst failed." >&2
+ exit 1
+ fi
+ if ! $WGET -q -O swdb.lst.sig "$urlbase/swdb.lst.sig" ; then
+ echo "download of swdb.lst.sig failed." >&2
+ exit 1
+ fi
+fi
+if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst; then
+ echo "list of software versions is not valid!" >&2
+ exit 1
+fi
+
+#
+# Check that the online version of GnuPG is not less than this version
+# to help detect rollback attacks.
+#
+gnupg_ver=$(awk '$1=="gnupg21_ver" {print $2;exit}' swdb.lst)
+if [ -z "$gnupg_ver" ]; then
+ echo "GnuPG 2.1 version missing in swdb.lst!" >&2
+ exit 1
+fi
+gnupg_ver_num=$(echo "$gnupg_ver" | cvtver)
+if [ $(( $gnupg_ver_num >= $version_num )) = 0 ]; then
+ echo "GnuPG version in swdb.lst is less than this version!" >&2
+ echo " This version: $version" >&2
+ echo " SWDB version: $gnupg_ver" >&2
+ exit 1
+fi
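Review bot: The rollback check at the end of the script compares only `gnupg21_ver` with the local VERSION, while speedo.mk takes every other package version from the same swdb.lst. A validly signed but older list therefore still passes gpgv and this check as long as its gnupg21_ver is not below the local version, and nothing here bounds the age of the signature. The comment above the check should say so, e.g. `# Only gnupg21_ver is compared; the other entries and the age of the signed list are not checked.`, and a later change could reject a list that is older than the last one accepted. Separately, wget writes straight to swdb.lst before gpgv runs, so a failed verification leaves an unverified file under the name the build reads.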
diff --git a/build-aux/speedo.mk b/build-aux/speedo.mk
index 4f0751fca..69af39ce4 100644
--- a/build-aux/speedo.mk
+++ b/build-aux/speedo.mk
@@ -64,6 +64,21 @@ MAKE_J=3
# Name to use for the w32 installer and sources
INST_NAME=gnupg-w32
+
+# Directory names.
+# They must be absolute, as we switch directories pretty often.
+root := $(shell pwd)/PLAY
+sdir := $(root)/src
+bdir := $(root)/build
+bdir6:= $(root)/build-w64
+idir := $(root)/inst
+idir6:= $(root)/inst-w64
+stampdir := $(root)/stamps
+topsrc := $(shell cd $(dir $(SPEEDO_MK)).. && pwd)
+auxsrc := $(topsrc)/build-aux/speedo
+patdir := $(topsrc)/build-aux/speedo/patches
+w32src := $(topsrc)/build-aux/speedo/w32
+
# =====BEGIN LIST OF PACKAGES=====
# The packages that should be built. The order is also the build order.
# Fixme: Do we need to build pkg-config for cross-building?
@@ -118,17 +133,34 @@ speedo_gnupg_style = \
speedo_make_only_style = \
zlib
+# Get the content of the software DB.
+SWDB := $(shell $(topsrc)/build-aux/getswdb.sh && echo okay)
+ifeq ($(strip $(SWDB)),)
+$(error Error getting GnuPG software version database)
+endif
+
# Version numbers of the released packages
-# Fixme: Take the version numbers from gnupg-doc/web/swdb.mac
-libgpg_error_ver = 1.13
-npth_ver = 0.91
-libgcrypt_ver = 1.6.1
-libassuan_ver = 2.1.1
-libksba_ver = 1.3.0
-gpgme_ver = 1.5.0
-pinentry_ver = 0.8.4
-gpa_ver = 0.9.5
-gpgex_ver = 1.0.0
+gnupg_ver = $(shell cat $(topsrc)/VERSION)
+libgpg_error_ver = $(shell awk '$$1=="libgpg_error_ver" {print $$2}' swdb.lst)
+npth_ver = $(shell awk '$$1=="npth_ver" {print $$2}' swdb.lst)
+libgcrypt_ver = $(shell awk '$$1=="libgcrypt_ver" {print $$2}' swdb.lst)
+libassuan_ver = $(shell awk '$$1=="libassuan_ver" {print $$2}' swdb.lst)
+libksba_ver = $(shell awk '$$1=="libksba_ver" {print $$2}' swdb.lst)
+gpgme_ver = $(shell awk '$$1=="gpgme_ver" {print $$2}' swdb.lst)
+pinentry_ver = $(shell awk '$$1=="pinentry_ver" {print $$2}' swdb.lst)
+gpa_ver = $(shell awk '$$1=="gpa_ver" {print $$2}' swdb.lst)
+gpgex_ver = $(shell awk '$$1=="gpgex_ver" {print $$2}' swdb.lst)
+
+$(info Information from the version database)
+$(info GnuPG ..........: $(gnupg_ver))
+$(info Libgpg-error ...: $(libgpg_error_ver))
+$(info Npth ...........: $(npth_ver))
+$(info Libgcrypt ......: $(libgcrypt_ver))
+$(info Libassuan ......: $(libassuan_ver))
+$(info GPGME ..........: $(gpgme_ver))
+$(info Pinentry .......: $(pinentry_ver))
+$(info GPA ............: $(gpa_ver))
+$(info GpgEX.... ......: $(gpgex_ver))
# Version number for external packages
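Review bot: The `*_ver` assignments use recursive `=` with `$(shell awk …)`, so swdb.lst is re-read on every expansion instead of once right after getswdb.sh verified it. Unlike the `gnupg21_ver` lookup in getswdb.sh, the awk programs here have no `exit`, so a repeated key yields a multi-word value, and a missing key silently yields an empty version. A small helper would cover all three: `getver = $(or $(shell awk '$$1=="$(1)" {print $$2; exit}' swdb.lst),$(error $(1) missing in swdb.lst))`, used as `libgpg_error_ver := $(call getver,libgpg_error_ver)`. The `$(info …)` list also prints no line for `libksba_ver`.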
@@ -397,19 +429,6 @@ MKDIR=mkdir
MAKENSIS=makensis
BUILD_ISODATE=$(shell date -u +%Y-%m-%d)
-# These paths must be absolute, as we switch directories pretty often.
-root := $(shell pwd)/PLAY
-sdir := $(root)/src
-bdir := $(root)/build
-bdir6:= $(root)/build-w64
-idir := $(root)/inst
-idir6:= $(root)/inst-w64
-stampdir := $(root)/stamps
-topsrc := $(shell cd $(dir $(SPEEDO_MK)).. && pwd)
-auxsrc := $(topsrc)/build-aux/speedo
-patdir := $(topsrc)/build-aux/speedo/patches
-w32src := $(topsrc)/build-aux/speedo/w32
-
# The next two macros will work only after gnupg has been build.
INST_VERSION=$(shell head -1 $(idir)/INST_VERSION)
INST_PROD_VERSION=$(shell head -1 $(idir)/INST_PROD_VERSION)