2020-11-12 22:56:38 +00:00
|
|
|
#! /usr/bin/env bash
|
|
|
|
set -e
|
|
|
|
|
2020-11-20 07:41:53 +00:00
|
|
|
readonly MIN_BASH_VERSION=5
|
2020-11-18 18:06:28 +00:00
|
|
|
readonly MIN_GPG_VERSION=2.2
|
|
|
|
readonly MIN_OPENSSL_VERSION=1.1
|
|
|
|
readonly MIN_GETOPT_VERSION=2.33
|
2023-01-19 01:18:02 +00:00
|
|
|
readonly DATE=$(command -v gdate || command -v date)
|
2020-11-13 02:31:26 +00:00
|
|
|
|
2020-11-16 10:40:04 +00:00
|
|
|
## Private Functions
|
|
|
|
|
2020-11-25 02:16:50 +00:00
|
|
|
### Exit with error message
|
2020-11-12 22:56:38 +00:00
|
|
|
die() {
|
|
|
|
echo "$@" >&2
|
|
|
|
exit 1
|
|
|
|
}
|
|
|
|
|
2020-11-16 10:40:04 +00:00
|
|
|
### Bail and instruct user on missing package to install for their platform
|
2020-11-14 01:15:00 +00:00
|
|
|
die_pkg() {
|
2020-11-18 18:06:28 +00:00
|
|
|
local -r package=${1?}
|
|
|
|
local -r version=${2?}
|
2020-11-14 01:15:00 +00:00
|
|
|
local install_cmd
|
|
|
|
case "$OSTYPE" in
|
|
|
|
linux*)
|
|
|
|
if command -v "apt" >/dev/null; then
|
|
|
|
install_cmd="apt install ${package}"
|
|
|
|
elif command -v "yum" >/dev/null; then
|
|
|
|
install_cmd="yum install ${package}"
|
|
|
|
elif command -v "pacman" >/dev/null; then
|
|
|
|
install_cmd="pacman -Ss ${package}"
|
2020-11-21 04:50:12 +00:00
|
|
|
elif command -v "emerge" >/dev/null; then
|
|
|
|
install_cmd="emerge ${package}"
|
2020-11-14 01:15:00 +00:00
|
|
|
elif command -v "nix-env" >/dev/null; then
|
|
|
|
install_cmd="nix-env -i ${package}"
|
|
|
|
fi
|
|
|
|
;;
|
|
|
|
bsd*) install_cmd="pkg install ${package}" ;;
|
|
|
|
darwin*) install_cmd="port install ${package}" ;;
|
|
|
|
*) die "Error: Your operating system is not supported" ;;
|
|
|
|
esac
|
|
|
|
echo "Error: ${package} ${version}+ does not appear to be installed." >&2
|
2020-11-17 00:22:24 +00:00
|
|
|
[ ! -z "$install_cmd" ] && echo "Try: \`${install_cmd}\`" >&2
|
2020-11-14 01:15:00 +00:00
|
|
|
exit 1
|
|
|
|
}
|
|
|
|
|
2020-11-17 23:32:41 +00:00
|
|
|
### Ask user to make a binary decision
|
2020-11-21 04:50:12 +00:00
|
|
|
### If not an interactive terminal: auto-accept default
|
2020-11-17 23:32:41 +00:00
|
|
|
ask() {
|
|
|
|
local prompt default
|
|
|
|
while true; do
|
|
|
|
prompt=""
|
|
|
|
default=""
|
|
|
|
if [ "${2}" = "Y" ]; then
|
|
|
|
prompt="Y/n"
|
|
|
|
default=Y
|
|
|
|
elif [ "${2}" = "N" ]; then
|
|
|
|
prompt="y/N"
|
|
|
|
default=N
|
|
|
|
else
|
|
|
|
prompt="y/n"
|
|
|
|
default=
|
|
|
|
fi
|
|
|
|
printf "\\n%s [%s] " "$1" "$prompt"
|
|
|
|
read -r reply
|
|
|
|
[ -z "$reply" ] && reply=$default
|
|
|
|
case "$reply" in
|
|
|
|
Y*|y*) return 0 ;;
|
|
|
|
N*|n*) return 1 ;;
|
|
|
|
esac
|
|
|
|
done
|
|
|
|
}
|
|
|
|
|
2020-11-16 10:40:04 +00:00
|
|
|
### Check if actual binary version is >= minimum version
|
2020-11-13 02:31:26 +00:00
|
|
|
check_version(){
|
2020-11-14 01:15:00 +00:00
|
|
|
local pkg="${1?}"
|
|
|
|
local have="${2?}"
|
|
|
|
local need="${3?}"
|
2020-11-20 07:41:53 +00:00
|
|
|
local i ver1 ver2 IFS='.'
|
2020-11-18 18:06:28 +00:00
|
|
|
[[ "$have" == "$need" ]] && return 0
|
2020-11-20 07:41:53 +00:00
|
|
|
read -r -a ver1 <<< "$have"
|
|
|
|
read -r -a ver2 <<< "$need"
|
2020-11-18 18:06:28 +00:00
|
|
|
for ((i=${#ver1[@]}; i<${#ver2[@]}; i++));
|
|
|
|
do ver1[i]=0;
|
|
|
|
done
|
|
|
|
for ((i=0; i<${#ver1[@]}; i++)); do
|
|
|
|
[[ -z ${ver2[i]} ]] && ver2[i]=0
|
|
|
|
((10#${ver1[i]} > 10#${ver2[i]})) && return 0
|
|
|
|
((10#${ver1[i]} < 10#${ver2[i]})) && die_pkg "${pkg}" "${need}"
|
|
|
|
done
|
2020-11-13 02:31:26 +00:00
|
|
|
}
|
|
|
|
|
2020-11-16 10:40:04 +00:00
|
|
|
### Check if required binaries are installed at appropriate versions
|
2020-11-13 02:31:26 +00:00
|
|
|
check_tools(){
|
2020-11-17 00:22:24 +00:00
|
|
|
if [ -z "${BASH_VERSINFO[0]}" ] \
|
|
|
|
|| [ "${BASH_VERSINFO[0]}" -lt "${MIN_BASH_VERSION}" ]; then
|
2020-11-14 01:15:00 +00:00
|
|
|
die_pkg "bash" "${MIN_BASH_VERSION}"
|
2020-11-13 02:31:26 +00:00
|
|
|
fi
|
2020-11-12 23:02:19 +00:00
|
|
|
for cmd in "$@"; do
|
2020-11-13 02:31:26 +00:00
|
|
|
command -v "$1" >/dev/null || die "Error: $cmd not found"
|
|
|
|
case $cmd in
|
|
|
|
gpg)
|
|
|
|
version=$(gpg --version | head -n1 | cut -d" " -f3)
|
2020-11-14 01:15:00 +00:00
|
|
|
check_version "gnupg" "${version}" "${MIN_GPG_VERSION}"
|
2020-11-13 02:31:26 +00:00
|
|
|
;;
|
|
|
|
openssl)
|
|
|
|
version=$(openssl version | cut -d" " -f2 | sed 's/[a-z]//g')
|
|
|
|
check_version "openssl" "${version}" "${MIN_OPENSSL_VERSION}"
|
|
|
|
;;
|
2020-11-14 01:15:00 +00:00
|
|
|
getopt)
|
|
|
|
version=$(getopt --version | cut -d" " -f4 | sed 's/[a-z]//g')
|
|
|
|
check_version "getopt" "${version}" "${MIN_GETOPT_VERSION}"
|
|
|
|
;;
|
2020-11-13 02:31:26 +00:00
|
|
|
esac
|
2020-11-12 23:02:19 +00:00
|
|
|
done
|
|
|
|
}
|
|
|
|
|
2020-11-16 10:40:04 +00:00
|
|
|
### Get files that will be added to the manifest for signing
|
|
|
|
### Use git if available, else fall back to find
|
2020-11-13 03:24:37 +00:00
|
|
|
get_files(){
|
2020-11-20 03:51:41 +00:00
|
|
|
if [ -d '.git' ] && command -v git >/dev/null; then
|
2020-11-25 02:16:50 +00:00
|
|
|
git ls-files \
|
|
|
|
--cached \
|
|
|
|
--others \
|
|
|
|
--exclude-standard \
|
|
|
|
| grep -v ".${PROGRAM}"
|
2020-11-13 03:24:37 +00:00
|
|
|
else
|
|
|
|
find . \
|
|
|
|
-type f \
|
|
|
|
-not -path "./.git/*" \
|
|
|
|
-not -path "./.${PROGRAM}/*"
|
|
|
|
fi
|
2020-11-12 22:56:38 +00:00
|
|
|
}
|
|
|
|
|
2020-11-17 23:32:41 +00:00
|
|
|
### Get primary UID for a given fingerprint
|
|
|
|
get_uid(){
|
2020-11-18 18:06:28 +00:00
|
|
|
local -r fp="${1?}"
|
2020-11-17 23:32:41 +00:00
|
|
|
gpg --list-keys --with-colons "${fp}" 2>&1 \
|
|
|
|
| awk -F: '$1 == "uid" {print $10}' \
|
|
|
|
| head -n1
|
|
|
|
}
|
|
|
|
|
|
|
|
### Get primary fingerprint for given search
|
|
|
|
get_primary_fp(){
|
2020-11-18 18:06:28 +00:00
|
|
|
local -r search="${1?}"
|
2020-11-17 23:32:41 +00:00
|
|
|
gpg --list-keys --with-colons "${search}" 2>&1 \
|
|
|
|
| awk -F: '$1 == "fpr" {print $10}' \
|
|
|
|
| head -n1
|
|
|
|
}
|
|
|
|
|
|
|
|
### Get fingerprint for a given pgp file
|
|
|
|
get_file_fp(){
|
2020-11-18 18:06:28 +00:00
|
|
|
local -r filename="${1?}"
|
2020-11-17 23:32:41 +00:00
|
|
|
gpg --list-packets "${filename}" \
|
|
|
|
| grep keyid \
|
|
|
|
| sed 's/.*keyid //g'
|
|
|
|
}
|
|
|
|
|
|
|
|
### Get raw gpgconf group config
|
|
|
|
group_get_config(){
|
2020-11-18 18:06:28 +00:00
|
|
|
local -r config=$(gpgconf --list-options gpg | grep ^group)
|
|
|
|
printf '%s' "${config##*:}"
|
2020-11-17 23:32:41 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
### Add fingerprint to a given group
|
|
|
|
group_add_fp(){
|
2020-11-18 18:06:28 +00:00
|
|
|
local -r fp=${1?}
|
|
|
|
local -r group_name=${2?}
|
|
|
|
local -r config=$(group_get_config)
|
2020-11-17 23:32:41 +00:00
|
|
|
local group_names=()
|
|
|
|
local member_lists=()
|
2020-11-18 18:06:28 +00:00
|
|
|
local name member_list config i data
|
2020-11-17 23:32:41 +00:00
|
|
|
|
2020-11-18 18:06:28 +00:00
|
|
|
while IFS=' =' read -rd, name member_list; do
|
|
|
|
group_names+=("${name:1}")
|
|
|
|
member_lists+=("$member_list")
|
|
|
|
done <<< "$config,"
|
2020-11-17 23:32:41 +00:00
|
|
|
|
|
|
|
printf '%s\n' "${group_names[@]}" \
|
|
|
|
| grep -w "${group_name}" \
|
|
|
|
|| group_names+=("${group_name}")
|
|
|
|
|
2020-11-18 18:06:28 +00:00
|
|
|
for i in "${!group_names[@]}"; do
|
|
|
|
[ "${group_names[$i]}" == "${group_name}" ] \
|
|
|
|
&& member_lists[$i]="${member_lists[$i]} ${fp}"
|
|
|
|
data+=$(printf '"%s = %s,' "${group_names[$i]}" "${member_lists[$i]}")
|
|
|
|
done
|
2020-11-17 23:32:41 +00:00
|
|
|
|
2020-11-18 18:06:28 +00:00
|
|
|
echo "Adding key \"${fp}\" to group \"${group_name}\""
|
2020-11-20 09:11:09 +00:00
|
|
|
gpg --list-keys >/dev/null 2>&1
|
2020-11-18 18:06:28 +00:00
|
|
|
printf 'group:0:%s' "${data%?}" \
|
|
|
|
| gpgconf --change-options gpg >/dev/null 2>&1
|
2020-11-16 11:17:50 +00:00
|
|
|
}
|
|
|
|
|
2020-11-17 23:32:41 +00:00
|
|
|
### Get fingerprints for a given group
|
|
|
|
group_get_fps(){
|
2020-11-18 18:06:28 +00:00
|
|
|
local -r group_name=${1?}
|
2020-11-17 00:22:24 +00:00
|
|
|
gpg --with-colons --list-config group \
|
2020-11-17 23:32:41 +00:00
|
|
|
| grep -i "^cfg:group:${group_name}:" \
|
|
|
|
| cut -d ':' -f4
|
|
|
|
}
|
|
|
|
|
|
|
|
### Check if fingerprint belongs to a given group
|
|
|
|
### Give user option to add it if they wish
|
|
|
|
group_check_fp(){
|
2020-11-18 18:06:28 +00:00
|
|
|
local -r fp=${1?}
|
|
|
|
local -r group_name=${2?}
|
|
|
|
local -r group_fps=$(group_get_fps "${group_name}")
|
2020-11-17 23:56:39 +00:00
|
|
|
local -r uid=$(get_uid "${fp}")
|
2020-11-17 23:32:41 +00:00
|
|
|
|
|
|
|
if [ -z "$group_fps" ] \
|
|
|
|
|| [[ "${group_fps}" != *"${fp}"* ]]; then
|
|
|
|
|
|
|
|
cat <<-_EOF
|
|
|
|
|
|
|
|
The following key is not a member of group "${group_name}":
|
|
|
|
|
|
|
|
Fingerprint: ${fp}
|
|
|
|
Primary UID: ${uid}
|
|
|
|
_EOF
|
|
|
|
if ask "Add key to group \"${group_name}\" ?" "N"; then
|
|
|
|
group_add_fp "${fp}" "${group_name}"
|
|
|
|
else
|
|
|
|
return 1
|
|
|
|
fi
|
|
|
|
fi
|
2020-11-17 00:22:24 +00:00
|
|
|
}
|
|
|
|
|
2023-01-19 01:18:02 +00:00
|
|
|
tree_hash() {
|
|
|
|
mkdir -p ".${PROGRAM}"
|
|
|
|
printf "%s" "$(get_files | xargs openssl sha256 -r)" \
|
|
|
|
| sed -e 's/ \*/ /g' -e 's/ \.\// /g' \
|
|
|
|
| LC_ALL=C sort -k2 \
|
|
|
|
| openssl sha256 -r \
|
|
|
|
| sed -e 's/ .*//g'
|
|
|
|
}
|
2020-11-17 23:32:41 +00:00
|
|
|
|
2023-01-19 01:18:02 +00:00
|
|
|
sig_generate(){
|
|
|
|
local -r vcs_ref="$1"
|
|
|
|
local -r review_hash="${2:-null}"
|
|
|
|
local -r version="v0"
|
|
|
|
local -r sig_type="pgp"
|
|
|
|
local -r tree_hash="$(tree_hash)"
|
|
|
|
local -r body="sig:$version:$vcs_ref:$tree_hash:$review_hash:$sig_type"
|
|
|
|
local -r signature=$(\
|
|
|
|
printf "%s" "$body" \
|
|
|
|
| gpg \
|
|
|
|
--detach-sign \
|
|
|
|
--local-user "$key" \
|
|
|
|
| openssl base64 -A \
|
|
|
|
)
|
|
|
|
printf "$body:$signature"
|
|
|
|
}
|
2020-11-13 22:40:49 +00:00
|
|
|
|
2023-01-19 01:18:02 +00:00
|
|
|
parse_gpg_status() {
|
|
|
|
local -r gpg_status="$1"
|
|
|
|
while read -r values; do
|
|
|
|
local key array sip_fp sig_date sig_status sig_author sig_body
|
|
|
|
IFS=" " read -r -a array <<< "$values"
|
|
|
|
key=${array[1]}
|
|
|
|
case $key in
|
|
|
|
"BADSIG"|"ERRSIG"|"EXPSIG"|"EXPKEYSIG"|"REVKEYSIG")
|
|
|
|
sig_fp="${array[2]}"
|
|
|
|
sig_status="$key"
|
|
|
|
;;
|
|
|
|
"GOODSIG")
|
|
|
|
sig_author="${values:34}"
|
|
|
|
sig_fp="${array[2]}"
|
|
|
|
;;
|
|
|
|
"VALIDSIG")
|
|
|
|
sig_status="$key"
|
|
|
|
sig_date="${array[4]}"
|
|
|
|
;;
|
|
|
|
"SIG_ID")
|
|
|
|
sig_date="${array[4]}"
|
|
|
|
;;
|
|
|
|
"NEWSIG")
|
|
|
|
sig_author="${sig_author:-Unknown User <${array[2]}>}"
|
|
|
|
;;
|
|
|
|
TRUST_*)
|
|
|
|
sig_trust="${key//TRUST_/}"
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
done <<< "$gpg_status"
|
|
|
|
sig_fp=$(get_primary_fp $sig_fp)
|
|
|
|
sig_body="pgp:$sig_fp:$sig_status:$sig_trust:$sig_date:$sig_author"
|
|
|
|
printf "$sig_body"
|
2020-11-17 23:32:41 +00:00
|
|
|
|
2023-01-19 01:18:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
verify_git_note(){
|
|
|
|
local -r line="${1}"
|
|
|
|
IFS=':' line_parts=($line)
|
|
|
|
local -r identifier=${line_parts[0]}
|
|
|
|
local -r version=${line_parts[1]}
|
|
|
|
local -r vcs_hash=${line_parts[2]}
|
|
|
|
local -r tree_hash=${line_parts[3]}
|
|
|
|
local -r review_hash=${line_parts[4]:-null}
|
|
|
|
local -r sig_type=${line_parts[5]}
|
|
|
|
local -r sig=${line_parts[6]}
|
|
|
|
local -r body="sig:$version:$vcs_hash:$tree_hash:$review_hash:$sig_type"
|
|
|
|
local sig_status="unknown"
|
|
|
|
[[ "$identifier" == "sig" \
|
|
|
|
&& "$version" == "v0" \
|
|
|
|
&& "$sig_type" == "pgp" \
|
|
|
|
]] || {
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
[[ "$tree_hash" == "$(tree_hash)" ]] || {
|
|
|
|
echo "Actual tree hash differs from signature.";
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
gpg_sig_raw="$(
|
|
|
|
gpg --verify --status-fd=1 \
|
|
|
|
<(printf '%s' "$sig" | openssl base64 -d -A) \
|
|
|
|
<(printf '%s' "$body") 2>/dev/null \
|
|
|
|
)"
|
|
|
|
parse_gpg_status "$gpg_sig_raw"
|
|
|
|
}
|
2020-11-13 22:40:49 +00:00
|
|
|
|
2023-01-19 01:18:02 +00:00
|
|
|
verify_git_notes(){
|
|
|
|
local -r commit=$(git rev-parse --short HEAD)
|
|
|
|
local code=1
|
|
|
|
while IFS='' read -r line; do
|
|
|
|
printf "$(verify_git_note "$line")\n"
|
|
|
|
code=0
|
|
|
|
done < <(git notes --ref signatures show "$commit" 2>&1 | grep "^sig:")
|
|
|
|
return $code
|
|
|
|
}
|
2020-11-13 22:40:49 +00:00
|
|
|
|
2023-01-19 01:18:02 +00:00
|
|
|
verify_git_commit(){
|
|
|
|
local gpg_sig_raw
|
|
|
|
gpg_sig_raw=$(git verify-commit HEAD --raw 2>&1)
|
|
|
|
parse_gpg_status "$gpg_sig_raw"
|
|
|
|
}
|
2020-11-13 22:40:49 +00:00
|
|
|
|
2023-01-19 01:18:02 +00:00
|
|
|
verify_git_tags(){
|
|
|
|
local fps="" git_sig_raw code=1
|
|
|
|
for tag in $(git tag --points-at HEAD); do
|
|
|
|
git tag --verify "$tag" >/dev/null 2>&1 && {
|
|
|
|
gpg_sig_raw=$( git verify-tag --raw "$tag" 2>&1 )
|
|
|
|
printf "$(parse_gpg_status "$gpg_sig_raw")\n"
|
|
|
|
code=0
|
|
|
|
}
|
2020-11-12 22:56:38 +00:00
|
|
|
done
|
2023-01-19 01:18:02 +00:00
|
|
|
return $code
|
2020-11-12 22:56:38 +00:00
|
|
|
}
|
|
|
|
|
2020-12-03 10:24:18 +00:00
|
|
|
### Verify head commit is signed
|
2023-01-19 01:18:02 +00:00
|
|
|
### Optionally verify total unique commit/tag/note signatures meet a threshold
|
2020-11-16 10:40:04 +00:00
|
|
|
### Optionally verify all signatures belong to keys in gpg alias group
|
|
|
|
verify_git(){
|
|
|
|
[ $# -eq 2 ] || die "Usage: verify_git <threshold> <group>"
|
2020-11-18 18:06:28 +00:00
|
|
|
local -r threshold="${1}"
|
|
|
|
local -r group="${2}"
|
2023-01-19 01:18:02 +00:00
|
|
|
local sig_count=0 seen_fps="" fp="" tag_fps="" note_fps=""
|
|
|
|
if [[ $(git diff --stat) != '' ]]; then
|
|
|
|
die "Error: git tree is dirty"
|
|
|
|
fi
|
2020-12-03 10:24:18 +00:00
|
|
|
git verify-commit HEAD >/dev/null 2>&1 \
|
2023-01-19 01:18:02 +00:00
|
|
|
|| die "Error: HEAD commit is not signed"
|
|
|
|
|
|
|
|
commit_sig=$(verify_git_commit)
|
|
|
|
if [ -n "$commit_sig" ]; then
|
|
|
|
IFS=':' read -r -a sig <<< "$commit_sig"
|
|
|
|
fp="${sig[1]}"
|
|
|
|
uid="${sig[5]}"
|
|
|
|
echo "Verified signed git commit by \"${uid}\""
|
|
|
|
seen_fps="${fp}"
|
|
|
|
fi
|
2020-11-16 11:17:50 +00:00
|
|
|
|
2023-01-19 01:18:02 +00:00
|
|
|
tag_sigs=$(verify_git_tags)
|
|
|
|
[[ $? == 0 ]] && while IFS= read -r line; do
|
|
|
|
IFS=':' read -r -a sig <<< "$line"
|
|
|
|
fp="${sig[1]}"
|
|
|
|
uid="${sig[5]}"
|
|
|
|
echo "Verified signed git tag by \"${uid}\""
|
|
|
|
if [[ "${seen_fps}" != *"${fp}"* ]]; then
|
|
|
|
seen_fps+=" ${fp}"
|
|
|
|
fi
|
|
|
|
done <<< "$tag_sigs"
|
|
|
|
|
|
|
|
note_sigs=$(verify_git_notes)
|
|
|
|
[[ $? == 0 ]] && while IFS= read -r line; do
|
|
|
|
IFS=':' read -r -a sig <<< "$line"
|
|
|
|
fp="${sig[1]}"
|
|
|
|
uid="${sig[5]}"
|
|
|
|
echo "Verified signed git note by \"${uid}\""
|
|
|
|
if [[ "${seen_fps}" != *"${fp}"* ]]; then
|
|
|
|
seen_fps+=" ${fp}"
|
|
|
|
fi
|
|
|
|
done <<< "$note_sigs"
|
2020-12-03 10:24:18 +00:00
|
|
|
|
2023-01-19 01:18:02 +00:00
|
|
|
for fp in ${seen_fps}; do
|
|
|
|
if [ ! -z "$group" ]; then
|
2020-12-04 04:56:38 +00:00
|
|
|
group_check_fp "${seen_fp}" "${group}" || {
|
2020-12-03 10:24:18 +00:00
|
|
|
echo "Git signing key not in group \"${group}\": ${fp}";
|
|
|
|
return 1;
|
|
|
|
}
|
2023-01-19 01:18:02 +00:00
|
|
|
fi
|
|
|
|
((sig_count=sig_count+1))
|
|
|
|
done
|
2020-12-08 05:23:40 +00:00
|
|
|
|
2023-01-19 01:18:02 +00:00
|
|
|
[[ "${sig_count}" -ge "${threshold}" ]] || {
|
|
|
|
echo "Minimum unique signatures not found: ${sig_count}/${threshold}";
|
|
|
|
return 1;
|
|
|
|
}
|
2020-11-25 02:16:50 +00:00
|
|
|
}
|
|
|
|
|
2020-12-03 10:32:11 +00:00
|
|
|
## Get temporary dir reliably across different mktemp implementations
|
2020-11-25 02:16:50 +00:00
|
|
|
get_temp(){
|
2020-12-04 04:56:38 +00:00
|
|
|
mktemp \
|
|
|
|
--quiet \
|
|
|
|
--directory \
|
|
|
|
-t "$(basename "$0").XXXXXX" 2>/dev/null \
|
|
|
|
|| mktemp \
|
|
|
|
--quiet \
|
|
|
|
--directory
|
2020-11-25 02:16:50 +00:00
|
|
|
}
|
|
|
|
|
2020-12-03 10:32:11 +00:00
|
|
|
## Verify specified branch and show diff between that and current HEAD
|
2020-11-25 02:16:50 +00:00
|
|
|
verify_git_diff(){
|
|
|
|
[ $# -eq 4 ] \
|
|
|
|
|| die "Usage: verify_git_diff <ref> <threshold> <group> <method>"
|
|
|
|
command -v git >/dev/null 2>&1 \
|
|
|
|
|| die "Error: verify diff requires 'git' which is not installed"
|
|
|
|
local -r diff_ref=${1}
|
|
|
|
local -r threshold=${2}
|
|
|
|
local -r group=${3}
|
|
|
|
local -r method=${4}
|
|
|
|
local -r temp_repo=$(get_temp)
|
|
|
|
local -r git_root=$(git rev-parse --show-toplevel)
|
|
|
|
local -r curr_ref=$(git rev-parse HEAD)
|
|
|
|
cp -a "${git_root}/." "${temp_repo}/"
|
|
|
|
cd "${temp_repo}"
|
|
|
|
git reset --hard "${diff_ref}" >/dev/null 2>&1
|
|
|
|
if verify "${threshold}" "${group}" "${method}"; then
|
|
|
|
git --no-pager diff "${diff_ref}" "${curr_ref}"
|
|
|
|
else
|
2023-01-19 01:18:02 +00:00
|
|
|
echo "Verification of specified diff ref failed: ${ref}"
|
2020-11-25 02:16:50 +00:00
|
|
|
fi
|
2020-11-16 10:40:04 +00:00
|
|
|
}
|
|
|
|
|
2020-12-03 10:32:11 +00:00
|
|
|
## Verify current folder/repo with specified signing rules
|
2020-11-25 02:16:50 +00:00
|
|
|
verify(){
|
2023-01-19 01:18:02 +00:00
|
|
|
[ $# -eq 3 ] || die "Usage: verify <threshold> <group>"
|
2020-11-25 02:16:50 +00:00
|
|
|
local -r threshold=${1}
|
|
|
|
local -r group=${2}
|
2023-01-19 01:18:02 +00:00
|
|
|
[ -d .git ] \
|
|
|
|
|| die "Error: This folder is not a git repository"
|
|
|
|
verify_git "${threshold}" "${group}" || return 1
|
2020-12-03 10:32:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
## Add signed tag pointing at this commit.
|
|
|
|
## Optionally push to origin.
|
|
|
|
sign_tag(){
|
|
|
|
[ -d '.git' ] \
|
|
|
|
|| die "Not a git repository"
|
|
|
|
command -v git >/dev/null \
|
|
|
|
|| die "Git not installed"
|
|
|
|
git config --get user.signingKey >/dev/null \
|
|
|
|
|| die "Git user.signingKey not set"
|
|
|
|
local -r push="${1}"
|
2020-12-04 04:56:38 +00:00
|
|
|
local -r commit=$(git rev-parse --short HEAD)
|
|
|
|
local -r fp=$( \
|
2020-12-03 10:32:11 +00:00
|
|
|
git config --get user.signingKey \
|
|
|
|
| sed 's/.*\([A-Z0-9]\{16\}\).*/\1/g' \
|
|
|
|
)
|
2020-12-04 04:56:38 +00:00
|
|
|
local -r name="sig-${commit}-${fp}"
|
2020-12-03 10:32:11 +00:00
|
|
|
git tag -fsm "$name" "$name"
|
2023-01-19 01:18:02 +00:00
|
|
|
[[ "$push" -eq "0" ]] || $PROGRAM push
|
2020-12-03 10:32:11 +00:00
|
|
|
}
|
|
|
|
|
2023-01-19 01:18:02 +00:00
|
|
|
## Add signed git note to this commit
|
|
|
|
## Optionally push to origin.
|
|
|
|
sign_note() {
|
|
|
|
[ -d '.git' ] \
|
|
|
|
|| die "Not a git repository"
|
|
|
|
command -v git >/dev/null \
|
|
|
|
|| die "Git not installed"
|
|
|
|
git config --get user.signingKey >/dev/null \
|
|
|
|
|| die "Git user.signingKey not set"
|
|
|
|
local -r push="${1}"
|
|
|
|
local -r key=$( \
|
|
|
|
git config --get user.signingKey \
|
|
|
|
| sed 's/.*\([A-Z0-9]\{16\}\).*/\1/g' \
|
|
|
|
)
|
|
|
|
local -r commit=$(git rev-parse HEAD)
|
|
|
|
|
|
|
|
sig_generate "$commit" | git notes --ref signatures append --file=-
|
|
|
|
|
|
|
|
[[ "$push" -eq "0" ]] || $PROGRAM push
|
|
|
|
}
|
2020-12-03 10:32:11 +00:00
|
|
|
|
|
|
|
|
2020-11-16 10:40:04 +00:00
|
|
|
## Public Commands
|
|
|
|
|
2020-11-14 01:15:00 +00:00
|
|
|
cmd_manifest() {
|
|
|
|
mkdir -p ".${PROGRAM}"
|
2020-11-17 00:22:24 +00:00
|
|
|
printf "%s" "$(get_files | xargs openssl sha256 -r)" \
|
2020-11-16 10:40:04 +00:00
|
|
|
| sed -e 's/ \*/ /g' -e 's/ \.\// /g' \
|
|
|
|
| LC_ALL=C sort -k2 \
|
|
|
|
> ".${PROGRAM}/manifest.txt"
|
2020-11-14 01:15:00 +00:00
|
|
|
}
|
|
|
|
|
2020-11-12 22:56:38 +00:00
|
|
|
cmd_verify() {
|
2020-11-25 02:16:50 +00:00
|
|
|
local opts threshold=1 group="" method="" diff=""
|
|
|
|
opts="$(getopt -o t:g:m:d: -l threshold:,group:,method:,diff: -n "$PROGRAM" -- "$@")"
|
2020-11-13 22:40:49 +00:00
|
|
|
eval set -- "$opts"
|
|
|
|
while true; do case $1 in
|
2020-11-16 11:36:19 +00:00
|
|
|
-t|--threshold) threshold="$2"; shift 2 ;;
|
2020-11-13 22:40:49 +00:00
|
|
|
-g|--group) group="$2"; shift 2 ;;
|
2020-11-16 11:36:19 +00:00
|
|
|
-m|--method) method="$2"; shift 2 ;;
|
2020-11-25 02:16:50 +00:00
|
|
|
-d|--diff) diff="$2"; shift 2 ;;
|
2020-11-13 22:40:49 +00:00
|
|
|
--) shift; break ;;
|
|
|
|
esac done
|
|
|
|
|
2020-11-25 02:16:50 +00:00
|
|
|
if verify "$threshold" "$group" "$method"; then
|
|
|
|
return 0
|
|
|
|
elif [ ! -z "$diff" ]; then
|
|
|
|
echo "Verification failed."
|
|
|
|
echo "Attempting verified diff against git ref ${diff} ..."
|
|
|
|
verify_git_diff "$diff" "$threshold" "$group" "$method"
|
2020-11-16 11:36:19 +00:00
|
|
|
fi
|
2020-11-25 02:16:50 +00:00
|
|
|
return 1
|
2020-11-12 22:56:38 +00:00
|
|
|
}
|
|
|
|
|
2020-11-20 09:11:09 +00:00
|
|
|
cmd_fetch() {
|
|
|
|
local opts group="" group_fps=""
|
|
|
|
opts="$(getopt -o g: -l group: -n "$PROGRAM" -- "$@")"
|
|
|
|
eval set -- "$opts"
|
|
|
|
while true; do case $1 in
|
|
|
|
-g|--group) group="${2:-1}"; shift 2 ;;
|
|
|
|
--) shift; break ;;
|
|
|
|
esac done
|
|
|
|
[ $# -eq 1 ] || \
|
|
|
|
die "Usage: $PROGRAM fetch <fingerprint> [-g,--group=<group>]"
|
|
|
|
local -r fingerprint=${1}
|
|
|
|
|
|
|
|
if [ ! -z "$group" ]; then
|
|
|
|
group_fps=$(group_get_fps "${group_name}")
|
|
|
|
if [[ "${group_fps}" == *"${fingerprint}"* ]]; then
|
|
|
|
echo "Key \"${fingerprint}\" is already in group \"${group}\""
|
|
|
|
else
|
|
|
|
group_add_fp "${fingerprint}" "${group}"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
gpg --list-keys "${fingerprint}" > /dev/null 2>&1 \
|
|
|
|
&& echo "Key \"${fingerprint}\" is already in local keychain" \
|
|
|
|
&& return 0
|
|
|
|
|
|
|
|
echo "Requested key is not in keyring. Trying keyservers..."
|
|
|
|
for server in \
|
|
|
|
ha.pool.sks-keyservers.net \
|
|
|
|
hkp://keyserver.ubuntu.com:80 \
|
|
|
|
hkp://p80.pool.sks-keyservers.net:80 \
|
|
|
|
pgp.mit.edu \
|
2020-11-20 09:26:01 +00:00
|
|
|
; do
|
|
|
|
echo "Fetching key \"${fingerprint}\" from \"${server}\"";
|
2020-11-20 09:11:09 +00:00
|
|
|
gpg \
|
|
|
|
--recv-key \
|
|
|
|
--keyserver "$server" \
|
|
|
|
--keyserver-options timeout=10 \
|
|
|
|
--recv-keys "${fingerprint}" \
|
2020-11-20 09:26:01 +00:00
|
|
|
&& break
|
2020-11-20 09:11:09 +00:00
|
|
|
done
|
|
|
|
}
|
|
|
|
|
2020-12-03 10:24:18 +00:00
|
|
|
cmd_add(){
|
2023-01-12 23:10:04 +00:00
|
|
|
local opts method="" push="0"
|
|
|
|
opts="$(getopt -o m:p:: -l method:,push:: -n "$PROGRAM" -- "$@")"
|
2020-12-03 10:24:18 +00:00
|
|
|
eval set -- "$opts"
|
|
|
|
while true; do case $1 in
|
|
|
|
-m|--method) method="$2"; shift 2 ;;
|
|
|
|
-p|--push) push="1"; shift 2 ;;
|
|
|
|
--) shift; break ;;
|
|
|
|
esac done
|
|
|
|
case $method in
|
2023-01-19 01:18:02 +00:00
|
|
|
git) sign_note "$push" ;;
|
|
|
|
*) sign_note "$push" ;;
|
2020-12-03 10:24:18 +00:00
|
|
|
esac
|
|
|
|
}
|
|
|
|
|
2023-01-19 01:18:02 +00:00
|
|
|
cmd_push() {
|
|
|
|
[ "$#" -eq 0 ] || { usage push; exit 1; }
|
|
|
|
git push --tags origin refs/notes/signatures
|
|
|
|
}
|
|
|
|
|
2020-11-12 22:56:38 +00:00
|
|
|
cmd_version() {
|
|
|
|
cat <<-_EOF
|
2023-01-12 23:10:04 +00:00
|
|
|
==============================================
|
|
|
|
= sig: simple multisig trust toolchain =
|
|
|
|
= =
|
2023-01-19 01:18:02 +00:00
|
|
|
= v0.2 =
|
2023-01-12 23:10:04 +00:00
|
|
|
= =
|
|
|
|
= https://github.com/distrust-foundation/sig =
|
|
|
|
==============================================
|
2020-11-12 22:56:38 +00:00
|
|
|
_EOF
|
|
|
|
}
|
|
|
|
|
|
|
|
cmd_usage() {
|
|
|
|
cmd_version
|
|
|
|
cat <<-_EOF
|
|
|
|
Usage:
|
2023-01-19 01:18:02 +00:00
|
|
|
$PROGRAM add [-m,--method=<note|tag>] [-p,--push]
|
|
|
|
Add signature for this repository
|
|
|
|
$PROGRAM verify [-g,--group=<group>] [-t,--threshold=<N>] [d,--diff=<branch>]
|
2020-11-25 02:16:50 +00:00
|
|
|
Verify m-of-n signatures by given group are present for directory.
|
2020-11-20 09:11:09 +00:00
|
|
|
$PROGRAM fetch [-g,--group=<group>]
|
|
|
|
Fetch key by fingerprint. Optionally add to group.
|
2020-11-12 22:56:38 +00:00
|
|
|
$PROGRAM help
|
|
|
|
Show this text.
|
|
|
|
$PROGRAM version
|
|
|
|
Show version information.
|
|
|
|
_EOF
|
|
|
|
}
|
|
|
|
|
2020-11-16 10:40:04 +00:00
|
|
|
# Verify all tools in this list are installed at needed versions
|
2023-01-19 01:18:02 +00:00
|
|
|
check_tools git head cut find sort sed getopt gpg openssl
|
2020-11-13 02:47:11 +00:00
|
|
|
|
2020-11-16 10:40:04 +00:00
|
|
|
# Allow entire script to be namespaced based on filename
|
2020-11-18 18:06:28 +00:00
|
|
|
readonly PROGRAM="${0##*/}"
|
2020-11-16 10:40:04 +00:00
|
|
|
|
|
|
|
# Export public sub-commands
|
2020-11-12 22:56:38 +00:00
|
|
|
case "$1" in
|
2020-11-14 01:15:00 +00:00
|
|
|
verify) shift; cmd_verify "$@" ;;
|
|
|
|
add) shift; cmd_add "$@" ;;
|
|
|
|
manifest) shift; cmd_manifest "$@" ;;
|
2020-11-20 09:11:09 +00:00
|
|
|
fetch) shift; cmd_fetch "$@" ;;
|
2023-01-19 01:18:02 +00:00
|
|
|
push) shift; cmd_push "$@" ;;
|
2020-11-14 01:15:00 +00:00
|
|
|
version|--version) shift; cmd_version "$@" ;;
|
|
|
|
help|--help) shift; cmd_usage "$@" ;;
|
|
|
|
*) cmd_usage "$@" ;;
|
2020-11-12 22:56:38 +00:00
|
|
|
esac
|