add commit signature checking when building software

quorum-key-management/src/verifying-signatures.md

@@ -1,6 +1,34 @@
 # Verifying Signatures
 
-When building and downloading software it is essential to verify signatures to ensure its integrity. 
+When building and downloading software it is essential to verify signatures to ensure its integrity. It is also important to verify that the latest commit, and ideally that all commits that are being used to build from are verified to have signatures from trusted keys. This can be done using `git verify-commit HEAD` or similar. A script like below can be modified to check for trusted keys for all commits:
+
+```bash
+#!/bin/bash
+
+mapfile -t trusted_keys < trusted_keys.txt
+
+is_trusted_key() {
+    local key="$1"
+    for trusted_key in "${trusted_keys[@]}"; do
+        if [[ "$key" == "$trusted_key" ]]; then
+            return 0
+        fi
+    done
+    return 1
+}
+
+git rev-list --all | while read commit; do
+    if git verify-commit "$commit" > /dev/null 2>&1; then
+        key_id=$(git show "$commit" | grep 'gpgsig' | awk '{print $NF}')
+        
+        if ! is_trusted_key "$key_id"; then
+            echo "$commit: Signed but NOT by a trusted key ($key_id)"
+        fi
+    else
+        echo "$commit: Not signed"
+    fi
+done
+```
 
 Verification of software depends on two primary aspects: