ngtcp2 1.4.0 payload fixups

.xz binary is up, use that insead of .bz2. It looks like the new GPG key is a subkey, which needs the old parent key as well, for gpg to pass verification. Otherwise a 'Can't check signature: No public key' error is seen. It also looks like the new keys are only available throught the Ubuntu keyserver, which isn't the primary one we're using. Solve this by using a direct link to download these from Ubuntu. This also needs restoring the direct key download logic deleted earlier: revert dee8952: _dl.sh: drop support for downloading keys from urls Also delete redundant `--max-time` options when direct downloading keys. `my_curl` already adds this option.
curl · Mar 18, 2024 · fd37654 · fd37654
1 parent 10dc967
commit fd37654
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 8 deletions.
diff --git a/_dl.sh b/_dl.sh
@@ -108,11 +108,11 @@ cat <<EOF
   },
   {
     "name": "ngtcp2",
-    "url": "https://github.com/ngtcp2/ngtcp2/releases/download/v{ver}/ngtcp2-{ver}.tar.bz2",
-    "sig": "https://github.com/ngtcp2/ngtcp2/releases/download/v{ver}/ngtcp2-{ver}.tar.bz2.asc",
+    "url": "https://github.com/ngtcp2/ngtcp2/releases/download/v{ver}/ngtcp2-{ver}.tar.xz",
+    "sig": "https://github.com/ngtcp2/ngtcp2/releases/download/v{ver}/ngtcp2-{ver}.tar.xz.asc",
     "redir": "redir",
     "tag": ".+",
-    "keys": "516B622918D15C478AB1EA3A5339A2BE82E07DEC"
+    "keys": "https://keyserver.ubuntu.com/pks/lookup?op=get&options=mr&exact=on&search=0x27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2 https://keyserver.ubuntu.com/pks/lookup?op=get&options=mr&exact=on&search=0xF4F3B91474D1EB29889BD0EF7E8403D5D673C366"
   },
   {
     "name": "wolfssl",
@@ -373,7 +373,7 @@ check_dl() {
     if [ ! -s pkg.sig ]; then
       >&2 echo "! ${name}: Verify: Failed (Signature expected, but missing)"
     elif grep -a -q -F 'BEGIN SSH SIGNATURE' pkg.sig; then
-      [[ "${key}" = 'https://'* ]] && key="$(my_curl --max-time 60 "${key}")"
+      [[ "${key}" = 'https://'* ]] && key="$(my_curl "${key}")"
       exec 3<<EOF
 ${key}
 EOF
@@ -385,7 +385,11 @@ EOF
       fi
     else
       for key in ${keys}; do
-        gpg_recv_key "${key}" >/dev/null 2>&1
+        if [[ "${key}" = 'https://'* ]]; then
+          my_curl "${key}" | my_gpg --quiet --import >/dev/null 2>&1
+        else
+          gpg_recv_key "${key}" >/dev/null 2>&1
+        fi
       done
 
       if my_gpg --verify-options show-primary-uid-only --verify pkg.sig pkg.bin >/dev/null 2>&1; then
@@ -613,14 +617,18 @@ live_dl() {
         >&2 echo "! ${name}: Verify: Failed (Signature expected, but missing)"
         exit 1
       elif grep -a -q -F 'BEGIN SSH SIGNATURE' pkg.sig; then
-        [[ "${key}" = 'https://'* ]] && key="$(my_curl --max-time 60 "${key}")"
+        [[ "${key}" = 'https://'* ]] && key="$(my_curl "${key}")"
         exec 3<<EOF
 ${key}
 EOF
         ssh-keygen -Y check-novalidate -n 'file' -f /dev/fd/3 -s pkg.sig < pkg.bin || exit 1
       else
         for key in ${keys}; do
-          gpg_recv_key "${key}"
+          if printf '%s' "${key}" | grep -q -a '^https://'; then
+            my_curl "${key}" | my_gpg --quiet --import 2>/dev/null
+          else
+            gpg_recv_key "${key}"
+          fi
         done
         my_gpg --verify-options show-primary-uid-only --verify pkg.sig pkg.bin || exit 1
       fi

diff --git a/_versions.sh b/_versions.sh
@@ -39,7 +39,7 @@ export NGHTTP2_HASH=625d6c3da1d9ca4fd643a638256431ae68fd1901653b2a61a245eea7b261
 export NGHTTP3_VER_='1.2.0'
 export NGHTTP3_HASH=d2e216bae7bd7362f850922e4237a5caa204853b3594b22adccab4c1e1c1d1aa
 export NGTCP2_VER_='1.4.0'
-export NGTCP2_HASH=70b647144fe258c18763a87130750d0b5ec61ba5cb9a2cd2eb6eef70108594c3
+export NGTCP2_HASH=b5d1433b9f5c06ce249e1e390e97dcfa49bf7ada5cb7c8bed8e6cd4feaf1ca4a
 export WOLFSSL_VER_='5.6.6'
 export WOLFSSL_HASH=3d2ca672d41c2c2fa667885a80d6fa03c3e91f0f4f72f87aef2bc947e8c87237
 export MBEDTLS_VER_='3.5.2'