git-sig/sig

206 lines
5.0 KiB
Plaintext
Raw Normal View History

2020-11-12 22:56:38 +00:00
#! /usr/bin/env bash
set -e
2020-11-13 02:31:26 +00:00
MIN_BASH_VERSION=4
MIN_GPG_VERSION=2.2
MIN_OPENSSL_VERSION=1.1
2020-11-12 22:56:38 +00:00
die() {
echo "$@" >&2
exit 1
}
2020-11-13 02:31:26 +00:00
check_version(){
[[ $2 == $3 ]] && return 0
local IFS=.
local i ver1=($2) ver2=($3)
for ((i=${#ver1[@]}; i<${#ver2[@]}; i++));
do ver1[i]=0;
done
for ((i=0; i<${#ver1[@]}; i++)); do
[[ -z ${ver2[i]} ]] && ver2[i]=0
((10#${ver1[i]} > 10#${ver2[i]})) && return 0
((10#${ver1[i]} < 10#${ver2[i]})) && die \
"Error: ${1} ${3}+ not found"
done
}
check_tools(){
if [ -z "${BASH_VERSINFO}" ] \
|| [ -z "${BASH_VERSINFO[0]}" ] \
|| [ ${BASH_VERSINFO[0]} -lt ${MIN_BASH_VERSION} ]; then
die "Error: bash ${MIN_BASH_VERSION}+ not found";
fi
2020-11-12 23:02:19 +00:00
for cmd in "$@"; do
2020-11-13 02:31:26 +00:00
command -v "$1" >/dev/null || die "Error: $cmd not found"
case $cmd in
gpg)
version=$(gpg --version | head -n1 | cut -d" " -f3)
check_version "gpg" "${version}" "${MIN_GPG_VERSION}"
;;
openssl)
version=$(openssl version | cut -d" " -f2 | sed 's/[a-z]//g')
check_version "openssl" "${version}" "${MIN_OPENSSL_VERSION}"
;;
esac
2020-11-12 23:02:19 +00:00
done
}
2020-11-13 02:31:26 +00:00
get_temp(){
echo "$(
mktemp \
--quiet \
--directory \
-t "$(basename "$0").XXXXXX" 2>/dev/null
|| mktemp \
--quiet \
--directory
)"
}
2020-11-13 03:24:37 +00:00
get_files(){
if command -v git >/dev/null; then
git ls-files | grep -v ".${PROGRAM}"
else
find . \
-type f \
-not -path "./.git/*" \
-not -path "./.${PROGRAM}/*"
fi
2020-11-12 22:56:38 +00:00
}
2020-11-13 03:24:37 +00:00
cmd_manifest() {
mkdir -p ".${PROGRAM}"
printf "$(get_files | xargs openssl sha256 -r)" \
| sed -e 's/ \*/ /g' -e 's/ \.\// /g' \
| LC_ALL=C sort -k2 \
> ".${PROGRAM}/manifest.txt"
2020-11-12 22:56:38 +00:00
}
verify_file() {
2020-11-13 22:40:49 +00:00
[ $# -eq 3 ] || die \
"Usage: verify_file <threshold> <group> <file>"
2020-11-13 03:24:37 +00:00
local threshold="${1}"
2020-11-13 22:40:49 +00:00
local group="${2}"
local filename="${3}"
local group_config=""
2020-11-13 02:31:26 +00:00
local sig_count=0
local seen_fingerprints=""
local fingerprint
local signer
2020-11-13 22:40:49 +00:00
[ ! -z "$group" ] && group_config="$( \
gpg --with-colons --list-config group \
| grep -i "^cfg:group:${group}:" \
)" || die "Error: group \"${group}\" not found in ~/.gnupg/gpg.conf"
2020-11-12 22:56:38 +00:00
for sig_filename in "${filename%.*}".*.asc; do
gpg --verify "${sig_filename}" "${filename}" >/dev/null 2>&1 || {
echo "Invalid signature: ${sig_filename}";
exit 1;
}
fingerprint=$( \
gpg --list-packets "${sig_filename}" \
| grep keyid \
| sed 's/.*keyid //g'
)
signer=$( \
gpg \
--list-keys \
--with-colons "${fingerprint}" 2>&1 \
| awk -F: '$1 == "uid" {print $10}' \
| head -n1 \
)
2020-11-13 22:40:49 +00:00
[[ "${seen_fingerprints}" == *"${fingerprint}"* ]] \
&& die "Duplicate signature: ${sig_filename}";
[ ! -z "$group_config" ] \
&& [[ "${group_config}" != *"${fingerprint}"* ]] \
&& die "Signature not in group \"${group}\": ${sig_filename}";
2020-11-12 22:56:38 +00:00
echo "Verified signature by \"${signer}\""
2020-11-13 22:40:49 +00:00
2020-11-12 22:56:38 +00:00
seen_fingerprints="${seen_fingerprints} ${fingerprint}"
((sig_count=sig_count+1))
done
[[ "$sig_count" -ge "$threshold" ]] || {
echo "Minimum number of signatures not met: ${sig_count}/${threshold}";
exit 1;
}
}
cmd_verify() {
2020-11-13 22:40:49 +00:00
local opts selected_line min=1 group=""
opts="$(getopt -o m:g: -l min:,group: -n "$PROGRAM" -- "$@")"
local err=$?
eval set -- "$opts"
while true; do case $1 in
-m|--min) min="$2"; shift 2 ;;
-g|--group) group="$2"; shift 2 ;;
--) shift; break ;;
esac done
2020-11-13 03:39:11 +00:00
#TODO: if git: show git signature status to aid in trust building
#TODO: if git and if invalid: show diff against last valid version
2020-11-13 02:31:26 +00:00
( [ -d ".${PROGRAM}" ] && ls .${PROGRAM}/*.asc >/dev/null 2>&1 ) \
|| die "Error: No signatures"
2020-11-12 22:56:38 +00:00
cmd_manifest
2020-11-13 22:40:49 +00:00
verify_file "${min}" "${group}" .${PROGRAM}/manifest.txt
2020-11-12 22:56:38 +00:00
}
2020-11-13 02:47:11 +00:00
cmd_add(){
2020-11-13 02:31:26 +00:00
cmd_manifest
gpg --armor --detach-sig .${PROGRAM}/manifest.txt
local fingerprint=$( \
gpg --list-packets .${PROGRAM}/manifest.txt.asc \
| grep "issuer key ID" \
| sed 's/.*\([A-Z0-9]\{16\}\).*/\1/g' \
)
mv .${PROGRAM}/manifest.{"txt.asc","${fingerprint}.asc"}
}
2020-11-12 22:56:38 +00:00
cmd_version() {
cat <<-_EOF
2020-11-13 22:40:49 +00:00
==========================================
= sig: simple multisig trust toolchain =
= =
= v0.0.1 =
= =
= https://gitlab.com/pchq/sig =
==========================================
2020-11-12 22:56:38 +00:00
_EOF
}
cmd_usage() {
cmd_version
cat <<-_EOF
Usage:
2020-11-13 22:40:49 +00:00
$PROGRAM verify [--group=<group>,-g <group>] [--min=<N>,-m <N>]
2020-11-12 22:56:38 +00:00
Verify all signing policies for this directory are met
2020-11-13 02:47:11 +00:00
$PROGRAM add
2020-11-12 22:56:38 +00:00
Add signature to manifest for this directory
2020-11-13 02:31:26 +00:00
$PROGRAM manifest
Generate hash manifest for this directory
2020-11-12 22:56:38 +00:00
$PROGRAM help
Show this text.
$PROGRAM version
Show version information.
_EOF
}
2020-11-13 22:40:49 +00:00
check_tools head cut find sort sed gpg openssl getopt
2020-11-13 02:47:11 +00:00
2020-11-12 22:56:38 +00:00
PROGRAM="${0##*/}"
COMMAND="$1"
case "$1" in
2020-11-12 22:59:26 +00:00
verify) shift; cmd_verify "$@" ;;
2020-11-13 02:47:11 +00:00
add) shift; cmd_add "$@" ;;
2020-11-13 02:31:26 +00:00
manifest) shift; cmd_manifest "$@" ;;
2020-11-12 22:59:26 +00:00
version|--version) shift; cmd_version "$@" ;;
help|--help) shift; cmd_usage "$@" ;;
*) cmd_usage "$@" ;;
2020-11-12 22:56:38 +00:00
esac
exit 0