init

2 files changed, 103 insertions, 0 deletions

diff --git a/Library/Homebrew/cask/lib/hbc/verify/checksum.rb b/Library/Homebrew/cask/lib/hbc/verify/checksum.rb
new file mode 100644
index 000000000..3af6f1667
--- /dev/null
+++ b/Library/Homebrew/cask/lib/hbc/verify/checksum.rb
@@ -0,0 +1,43 @@
+require "digest"
+
+class Hbc::Verify::Checksum
+  def self.me?(cask)
+    return true unless cask.sha256 == :no_check
+    ohai "No checksum defined for Cask #{cask}, skipping verification"
+    false
+  end
+
+  attr_reader :cask, :downloaded_path
+
+  def initialize(cask, downloaded_path)
+    @cask = cask
+    @downloaded_path = downloaded_path
+  end
+
+  def verify
+    return unless self.class.me?(cask)
+    ohai "Verifying checksum for Cask #{cask}"
+    verify_checksum
+  end
+
+  private
+
+  def expected
+    @expected ||= cask.sha256
+  end
+
+  def computed
+    @computed ||= Digest::SHA2.file(downloaded_path).hexdigest
+  end
+
+  def verify_checksum
+    raise Hbc::CaskSha256MissingError, "sha256 required: sha256 '#{computed}'" if expected.nil? || expected.empty?
+
+    if expected == computed
+      odebug "SHA256 checksums match"
+    else
+      ohai 'Note: running "brew update" may fix sha256 checksum errors'
+      raise Hbc::CaskSha256MismatchError.new(downloaded_path, expected, computed)
+    end
+  end
+end
diff --git a/Library/Homebrew/cask/lib/hbc/verify/gpg.rb b/Library/Homebrew/cask/lib/hbc/verify/gpg.rb
new file mode 100644
index 000000000..6190f67d1
--- /dev/null
+++ b/Library/Homebrew/cask/lib/hbc/verify/gpg.rb
@@ -0,0 +1,60 @@
+class Hbc::Verify::Gpg
+  def self.me?(cask)
+    cask.gpg
+  end
+
+  attr_reader :cask, :downloaded_path
+
+  def initialize(cask, downloaded_path, command = Hbc::SystemCommand)
+    @command = command
+    @cask = cask
+    @downloaded_path = downloaded_path
+  end
+
+  def available?
+    return @available unless @available.nil?
+    @available = self.class.me?(cask) && installed?
+  end
+
+  def installed?
+    cmd = @command.run("/usr/bin/type",
+                       args: ["-p", "gpg"])
+
+    # if `gpg` is found, return its absolute path
+    cmd.success? ? cmd.stdout : false
+  end
+
+  def fetch_sig(force = false)
+    unversioned_cask = cask.version.is_a?(Symbol)
+    cached = cask.metadata_subdir("gpg") unless unversioned_cask
+
+    meta_dir = cached || cask.metadata_subdir("gpg", :now, true)
+    sig_path = meta_dir.join("signature.asc")
+
+    curl(cask.gpg.signature, "-o", sig_path.to_s) unless cached || force
+
+    sig_path
+  end
+
+  def import_key
+    args = if cask.gpg.key_id
+             ["--recv-keys", cask.gpg.key_id]
+           elsif cask.gpg.key_url
+             ["--fetch-key", cask.gpg.key_url.to_s]
+           end
+
+    @command.run!("gpg", args: args)
+  end
+
+  def verify
+    return unless available?
+    import_key
+    sig = fetch_sig
+
+    ohai "Verifying GPG signature for #{cask}"
+
+    @command.run!("gpg",
+                  args:         ["--verify", sig, downloaded_path],
+                  print_stdout: true)
+  end
+end