add commit signature checking when building software

This commit is contained in:
Anton Livaja 2024-12-06 10:51:58 -05:00
parent fa73b09cc0
commit c93ec85e9f
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
1 changed files with 29 additions and 1 deletions

View File

@ -1,6 +1,34 @@
# Verifying Signatures # Verifying Signatures
When building and downloading software it is essential to verify signatures to ensure its integrity. When building and downloading software it is essential to verify signatures to ensure its integrity. It is also important to verify that the latest commit, and ideally that all commits that are being used to build from are verified to have signatures from trusted keys. This can be done using `git verify-commit HEAD` or similar. A script like below can be modified to check for trusted keys for all commits:
```bash
#!/bin/bash
mapfile -t trusted_keys < trusted_keys.txt
is_trusted_key() {
local key="$1"
for trusted_key in "${trusted_keys[@]}"; do
if [[ "$key" == "$trusted_key" ]]; then
return 0
fi
done
return 1
}
git rev-list --all | while read commit; do
if git verify-commit "$commit" > /dev/null 2>&1; then
key_id=$(git show "$commit" | grep 'gpgsig' | awk '{print $NF}')
if ! is_trusted_key "$key_id"; then
echo "$commit: Signed but NOT by a trusted key ($key_id)"
fi
else
echo "$commit: Not signed"
fi
done
```
Verification of software depends on two primary aspects: Verification of software depends on two primary aspects: