git-sig/sig

569 lines
15 KiB
Plaintext
Raw Normal View History

2020-11-12 22:56:38 +00:00
#! /usr/bin/env bash
set -e
2020-11-20 07:41:53 +00:00
readonly MIN_BASH_VERSION=5
readonly MIN_GPG_VERSION=2.2
readonly MIN_OPENSSL_VERSION=1.1
readonly MIN_GETOPT_VERSION=2.33
2020-11-13 02:31:26 +00:00
## Private Functions
### Exit with error message
2020-11-12 22:56:38 +00:00
die() {
echo "$@" >&2
exit 1
}
### Bail and instruct user on missing package to install for their platform
2020-11-14 01:15:00 +00:00
die_pkg() {
local -r package=${1?}
local -r version=${2?}
2020-11-14 01:15:00 +00:00
local install_cmd
case "$OSTYPE" in
linux*)
if command -v "apt" >/dev/null; then
install_cmd="apt install ${package}"
elif command -v "yum" >/dev/null; then
install_cmd="yum install ${package}"
elif command -v "pacman" >/dev/null; then
install_cmd="pacman -Ss ${package}"
elif command -v "emerge" >/dev/null; then
install_cmd="emerge ${package}"
2020-11-14 01:15:00 +00:00
elif command -v "nix-env" >/dev/null; then
install_cmd="nix-env -i ${package}"
fi
;;
bsd*) install_cmd="pkg install ${package}" ;;
darwin*) install_cmd="port install ${package}" ;;
*) die "Error: Your operating system is not supported" ;;
esac
echo "Error: ${package} ${version}+ does not appear to be installed." >&2
2020-11-17 00:22:24 +00:00
[ ! -z "$install_cmd" ] && echo "Try: \`${install_cmd}\`" >&2
2020-11-14 01:15:00 +00:00
exit 1
}
### Ask user to make a binary decision
### If not an interactive terminal: auto-accept default
ask() {
local prompt default
while true; do
prompt=""
default=""
if [ "${2}" = "Y" ]; then
prompt="Y/n"
default=Y
elif [ "${2}" = "N" ]; then
prompt="y/N"
default=N
else
prompt="y/n"
default=
fi
printf "\\n%s [%s] " "$1" "$prompt"
read -r reply
[ -z "$reply" ] && reply=$default
case "$reply" in
Y*|y*) return 0 ;;
N*|n*) return 1 ;;
esac
done
}
### Check if actual binary version is >= minimum version
2020-11-13 02:31:26 +00:00
check_version(){
2020-11-14 01:15:00 +00:00
local pkg="${1?}"
local have="${2?}"
local need="${3?}"
2020-11-20 07:41:53 +00:00
local i ver1 ver2 IFS='.'
[[ "$have" == "$need" ]] && return 0
2020-11-20 07:41:53 +00:00
read -r -a ver1 <<< "$have"
read -r -a ver2 <<< "$need"
for ((i=${#ver1[@]}; i<${#ver2[@]}; i++));
do ver1[i]=0;
done
for ((i=0; i<${#ver1[@]}; i++)); do
[[ -z ${ver2[i]} ]] && ver2[i]=0
((10#${ver1[i]} > 10#${ver2[i]})) && return 0
((10#${ver1[i]} < 10#${ver2[i]})) && die_pkg "${pkg}" "${need}"
done
2020-11-13 02:31:26 +00:00
}
### Check if required binaries are installed at appropriate versions
2020-11-13 02:31:26 +00:00
check_tools(){
2020-11-17 00:22:24 +00:00
if [ -z "${BASH_VERSINFO[0]}" ] \
|| [ "${BASH_VERSINFO[0]}" -lt "${MIN_BASH_VERSION}" ]; then
2020-11-14 01:15:00 +00:00
die_pkg "bash" "${MIN_BASH_VERSION}"
2020-11-13 02:31:26 +00:00
fi
2020-11-12 23:02:19 +00:00
for cmd in "$@"; do
2020-11-13 02:31:26 +00:00
command -v "$1" >/dev/null || die "Error: $cmd not found"
case $cmd in
gpg)
version=$(gpg --version | head -n1 | cut -d" " -f3)
2020-11-14 01:15:00 +00:00
check_version "gnupg" "${version}" "${MIN_GPG_VERSION}"
2020-11-13 02:31:26 +00:00
;;
openssl)
version=$(openssl version | cut -d" " -f2 | sed 's/[a-z]//g')
check_version "openssl" "${version}" "${MIN_OPENSSL_VERSION}"
;;
2020-11-14 01:15:00 +00:00
getopt)
version=$(getopt --version | cut -d" " -f4 | sed 's/[a-z]//g')
check_version "getopt" "${version}" "${MIN_GETOPT_VERSION}"
;;
2020-11-13 02:31:26 +00:00
esac
2020-11-12 23:02:19 +00:00
done
}
### Get files that will be added to the manifest for signing
### Use git if available, else fall back to find
2020-11-13 03:24:37 +00:00
get_files(){
2020-11-20 03:51:41 +00:00
if [ -d '.git' ] && command -v git >/dev/null; then
git ls-files \
--cached \
--others \
--exclude-standard \
| grep -v ".${PROGRAM}"
2020-11-13 03:24:37 +00:00
else
find . \
-type f \
-not -path "./.git/*" \
-not -path "./.${PROGRAM}/*"
fi
2020-11-12 22:56:38 +00:00
}
### Get primary UID for a given fingerprint
get_uid(){
local -r fp="${1?}"
gpg --list-keys --with-colons "${fp}" 2>&1 \
| awk -F: '$1 == "uid" {print $10}' \
| head -n1
}
### Get primary fingerprint for given search
get_primary_fp(){
local -r search="${1?}"
gpg --list-keys --with-colons "${search}" 2>&1 \
| awk -F: '$1 == "fpr" {print $10}' \
| head -n1
}
### Get fingerprint for a given pgp file
get_file_fp(){
local -r filename="${1?}"
gpg --list-packets "${filename}" \
| grep keyid \
| sed 's/.*keyid //g'
}
### Get raw gpgconf group config
group_get_config(){
local -r config=$(gpgconf --list-options gpg | grep ^group)
printf '%s' "${config##*:}"
}
### Add fingerprint to a given group
group_add_fp(){
local -r fp=${1?}
local -r group_name=${2?}
local -r config=$(group_get_config)
local group_names=()
local member_lists=()
local name member_list config i data
while IFS=' =' read -rd, name member_list; do
group_names+=("${name:1}")
member_lists+=("$member_list")
done <<< "$config,"
printf '%s\n' "${group_names[@]}" \
| grep -w "${group_name}" \
|| group_names+=("${group_name}")
for i in "${!group_names[@]}"; do
[ "${group_names[$i]}" == "${group_name}" ] \
&& member_lists[$i]="${member_lists[$i]} ${fp}"
data+=$(printf '"%s = %s,' "${group_names[$i]}" "${member_lists[$i]}")
done
echo "Adding key \"${fp}\" to group \"${group_name}\""
2020-11-20 09:11:09 +00:00
gpg --list-keys >/dev/null 2>&1
printf 'group:0:%s' "${data%?}" \
| gpgconf --change-options gpg >/dev/null 2>&1
2020-11-16 11:17:50 +00:00
}
### Get fingerprints for a given group
group_get_fps(){
local -r group_name=${1?}
2020-11-17 00:22:24 +00:00
gpg --with-colons --list-config group \
| grep -i "^cfg:group:${group_name}:" \
| cut -d ':' -f4
}
### Check if fingerprint belongs to a given group
### Give user option to add it if they wish
group_check_fp(){
local -r fp=${1?}
local -r group_name=${2?}
local -r group_fps=$(group_get_fps "${group_name}")
2020-11-17 23:56:39 +00:00
local -r uid=$(get_uid "${fp}")
if [ -z "$group_fps" ] \
|| [[ "${group_fps}" != *"${fp}"* ]]; then
cat <<-_EOF
The following key is not a member of group "${group_name}":
Fingerprint: ${fp}
Primary UID: ${uid}
_EOF
if ask "Add key to group \"${group_name}\" ?" "N"; then
group_add_fp "${fp}" "${group_name}"
else
return 1
fi
fi
2020-11-17 00:22:24 +00:00
}
### Verify a file has 0-N unique valid detached signatures
### Optionally verify all signatures belong to keys in gpg alias group
verify_detached() {
[ $# -eq 3 ] || die "Usage: verify_detached <threshold> <group> <file>"
local -r threshold="${1}"
local -r group="${2}"
local -r filename="${3}"
local fp uid sig_count=0 seen_fps=""
2020-11-13 22:40:49 +00:00
2020-11-12 22:56:38 +00:00
for sig_filename in "${filename%.*}".*.asc; do
gpg --verify "${sig_filename}" "${filename}" >/dev/null 2>&1 || {
2020-11-19 21:40:38 +00:00
echo "Invalid detached signature: ${sig_filename}";
return 1;
2020-11-12 22:56:38 +00:00
}
file_fp=$( get_file_fp "${sig_filename}" )
fp=$( get_primary_fp "${file_fp}" )
uid=$( get_uid "${fp}" )
[[ "${seen_fps}" == *"${fp}"* ]] && {
echo "Duplicate signature: ${sig_filename}";
return 1;
}
2020-11-13 22:40:49 +00:00
echo "Verified detached signature by \"${uid}\""
2020-11-13 22:40:49 +00:00
if [ ! -z "${group}" ]; then
group_check_fp "${fp}" "${group}" || {
echo "Detached signing key not in group \"${group}\": ${fp}";
return 1;
}
fi
2020-11-13 22:40:49 +00:00
seen_fps="${seen_fps} ${fp}"
2020-11-12 22:56:38 +00:00
((sig_count=sig_count+1))
done
[[ "${sig_count}" -ge "${threshold}" ]] || {
echo "Minimum detached signatures not found: ${sig_count}/${threshold}";
return 1;
}
2020-11-12 22:56:38 +00:00
}
### Verify head commit is signed
### Optionally verify unique signed git tags to meet a threshold
### Optionally verify all signatures belong to keys in gpg alias group
verify_git(){
[ $# -eq 2 ] || die "Usage: verify_git <threshold> <group>"
local -r threshold="${1}"
local -r group="${2}"
2020-12-08 05:23:40 +00:00
local seen_fps="" sig_count=0 ref commit git_fp fp uid
2020-11-16 11:17:50 +00:00
git verify-commit HEAD >/dev/null 2>&1 \
|| die "HEAD commit not signed"
2020-12-08 05:23:40 +00:00
git_fp=$(git log --format="%GP" HEAD -n1 )
fp=$(get_primary_fp "$git_fp")
seen_fps="${fp}"
sig_count=1
uid=$( get_uid "${fp}" )
echo "Verified signed git commit by \"${uid}\""
for tag in $(git tag --points-at HEAD); do
git tag --verify "$tag" >/dev/null 2>&1 && {
2020-12-08 05:23:40 +00:00
git_fp=$( \
git verify-tag --raw "$tag" 2>&1 \
| grep VALIDSIG \
| awk '{print $3}' \
)
2020-12-08 05:23:40 +00:00
fp=$(get_primary_fp "$git_fp")
uid=$( get_uid "${fp}" )
if [[ "${seen_fps}" != *"${fp}"* ]]; then
seen_fps="${seen_fps} ${fp}"
echo "Verified signed git tag by \"${uid}\""
((sig_count=sig_count+1))
fi
}
2020-11-16 11:17:50 +00:00
done
[[ "${sig_count}" -ge "${threshold}" ]] || {
echo "Minimum git signatures not found: ${sig_count}/${threshold}";
return 1;
}
if [ ! -z "$group" ]; then
for seen_fp in ${seen_fps}; do
group_check_fp "${seen_fp}" "${group}" || {
echo "Git signing key not in group \"${group}\": ${fp}";
return 1;
}
done
fi
2020-12-08 05:23:40 +00:00
if [[ $(git diff --stat) != '' ]]; then
die "Error: git tree is dirty"
fi
}
2020-12-03 10:32:11 +00:00
## Get temporary dir reliably across different mktemp implementations
get_temp(){
mktemp \
--quiet \
--directory \
-t "$(basename "$0").XXXXXX" 2>/dev/null \
|| mktemp \
--quiet \
--directory
}
2020-12-03 10:32:11 +00:00
## Verify specified branch and show diff between that and current HEAD
verify_git_diff(){
[ $# -eq 4 ] \
|| die "Usage: verify_git_diff <ref> <threshold> <group> <method>"
command -v git >/dev/null 2>&1 \
|| die "Error: verify diff requires 'git' which is not installed"
local -r diff_ref=${1}
local -r threshold=${2}
local -r group=${3}
local -r method=${4}
local -r temp_repo=$(get_temp)
local -r git_root=$(git rev-parse --show-toplevel)
local -r curr_ref=$(git rev-parse HEAD)
cp -a "${git_root}/." "${temp_repo}/"
cd "${temp_repo}"
git reset --hard "${diff_ref}" >/dev/null 2>&1
if verify "${threshold}" "${group}" "${method}"; then
git --no-pager diff "${diff_ref}" "${curr_ref}"
else
echo "Verification of specifed diff ref failed: ${ref}"
fi
}
2020-12-03 10:32:11 +00:00
## Verify current folder/repo with specified signing rules
verify(){
[ $# -eq 3 ] || die "Usage: verify <threshold> <group> <method>"
local -r threshold=${1}
local -r group=${2}
local -r method=${3}
if [ -z "$method" ] || [ "$method" == "git" ]; then
if [ "$method" == "git" ]; then
command -v git >/dev/null 2>&1 \
2020-12-08 05:23:40 +00:00
|| die "Error: method 'git' specified and git is not installed"
[ -d .git ] \
|| die "Error: This folder is not a git repository"
fi
if command -v git >/dev/null 2>&1 \
&& ( [ -d .git ] || git rev-parse --git-dir > /dev/null 2>&1 );
then
verify_git "${threshold}" "${group}" || return 1
fi
fi
if [ -z "$method" ] || [ "$method" == "detached" ]; then
( [ -d ".${PROGRAM}" ] && ls ."${PROGRAM}"/*.asc >/dev/null 2>&1 ) || {
echo "Error: No signatures";
return 1;
}
cmd_manifest || return 1
verify_detached "${threshold}" "${group}" ."${PROGRAM}"/manifest.txt \
|| return 1
fi
}
2020-12-03 10:32:11 +00:00
## Add detached signature for contents of this folder
sign_detached(){
cmd_manifest
gpg --armor --detach-sig ."${PROGRAM}"/manifest.txt >/dev/null 2>&1
local -r fp=$( \
gpg --list-packets ."${PROGRAM}"/manifest.txt.asc \
| grep "issuer key ID" \
| sed 's/.*\([A-Z0-9]\{16\}\).*/\1/g' \
)
mv ."${PROGRAM}"/manifest.{"txt.asc","${fp}.asc"}
}
## Add signed tag pointing at this commit.
## Optionally push to origin.
sign_tag(){
[ -d '.git' ] \
|| die "Not a git repository"
command -v git >/dev/null \
|| die "Git not installed"
git config --get user.signingKey >/dev/null \
|| die "Git user.signingKey not set"
local -r push="${1}"
local -r commit=$(git rev-parse --short HEAD)
local -r fp=$( \
2020-12-03 10:32:11 +00:00
git config --get user.signingKey \
| sed 's/.*\([A-Z0-9]\{16\}\).*/\1/g' \
)
local -r name="sig-${commit}-${fp}"
2020-12-03 10:32:11 +00:00
git tag -fsm "$name" "$name"
[[ $push -eq 0 ]] || git push --tags
2020-12-03 10:32:11 +00:00
}
## Public Commands
2020-11-14 01:15:00 +00:00
cmd_manifest() {
mkdir -p ".${PROGRAM}"
2020-11-17 00:22:24 +00:00
printf "%s" "$(get_files | xargs openssl sha256 -r)" \
| sed -e 's/ \*/ /g' -e 's/ \.\// /g' \
| LC_ALL=C sort -k2 \
> ".${PROGRAM}/manifest.txt"
2020-11-14 01:15:00 +00:00
}
2020-11-12 22:56:38 +00:00
cmd_verify() {
local opts threshold=1 group="" method="" diff=""
opts="$(getopt -o t:g:m:d: -l threshold:,group:,method:,diff: -n "$PROGRAM" -- "$@")"
2020-11-13 22:40:49 +00:00
eval set -- "$opts"
while true; do case $1 in
-t|--threshold) threshold="$2"; shift 2 ;;
2020-11-13 22:40:49 +00:00
-g|--group) group="$2"; shift 2 ;;
-m|--method) method="$2"; shift 2 ;;
-d|--diff) diff="$2"; shift 2 ;;
2020-11-13 22:40:49 +00:00
--) shift; break ;;
esac done
if verify "$threshold" "$group" "$method"; then
return 0
elif [ ! -z "$diff" ]; then
echo "Verification failed."
echo "Attempting verified diff against git ref ${diff} ..."
verify_git_diff "$diff" "$threshold" "$group" "$method"
fi
return 1
2020-11-12 22:56:38 +00:00
}
2020-11-20 09:11:09 +00:00
cmd_fetch() {
local opts group="" group_fps=""
opts="$(getopt -o g: -l group: -n "$PROGRAM" -- "$@")"
eval set -- "$opts"
while true; do case $1 in
-g|--group) group="${2:-1}"; shift 2 ;;
--) shift; break ;;
esac done
[ $# -eq 1 ] || \
die "Usage: $PROGRAM fetch <fingerprint> [-g,--group=<group>]"
local -r fingerprint=${1}
if [ ! -z "$group" ]; then
group_fps=$(group_get_fps "${group_name}")
if [[ "${group_fps}" == *"${fingerprint}"* ]]; then
echo "Key \"${fingerprint}\" is already in group \"${group}\""
else
group_add_fp "${fingerprint}" "${group}"
fi
fi
gpg --list-keys "${fingerprint}" > /dev/null 2>&1 \
&& echo "Key \"${fingerprint}\" is already in local keychain" \
&& return 0
echo "Requested key is not in keyring. Trying keyservers..."
for server in \
ha.pool.sks-keyservers.net \
hkp://keyserver.ubuntu.com:80 \
hkp://p80.pool.sks-keyservers.net:80 \
pgp.mit.edu \
2020-11-20 09:26:01 +00:00
; do
echo "Fetching key \"${fingerprint}\" from \"${server}\"";
2020-11-20 09:11:09 +00:00
gpg \
--recv-key \
--keyserver "$server" \
--keyserver-options timeout=10 \
--recv-keys "${fingerprint}" \
2020-11-20 09:26:01 +00:00
&& break
2020-11-20 09:11:09 +00:00
done
}
cmd_add(){
local opts method="" push=0
opts="$(getopt -o m:p:: -l method:push:: -n "$PROGRAM" -- "$@")"
eval set -- "$opts"
while true; do case $1 in
-m|--method) method="$2"; shift 2 ;;
-p|--push) push="1"; shift 2 ;;
--) shift; break ;;
esac done
case $method in
detached) sign_detached ;;
git) sign_tag "$push" ;;
*)
[ ! -z "$push" ] || cmd_usage
if [ -d '.git' ]; then
sign_tag "$push"
else
sign_detached
fi
;;
esac
}
2020-11-12 22:56:38 +00:00
cmd_version() {
cat <<-_EOF
2020-11-13 22:40:49 +00:00
==========================================
= sig: simple multisig trust toolchain =
= =
= v0.0.1 =
= =
= https://gitlab.com/pchq/sig =
==========================================
2020-11-12 22:56:38 +00:00
_EOF
}
cmd_usage() {
cmd_version
cat <<-_EOF
Usage:
$PROGRAM add [-m,--method=<git|detached>] [-p,--push]
2020-11-12 22:56:38 +00:00
Add signature to manifest for this directory
$PROGRAM verify [-g,--group=<group>] [-t,--threshold=<N>] [-m,--method=<git|detached> ] [d,--diff=<branch>]
Verify m-of-n signatures by given group are present for directory.
2020-11-20 09:11:09 +00:00
$PROGRAM fetch [-g,--group=<group>]
Fetch key by fingerprint. Optionally add to group.
2020-11-13 02:31:26 +00:00
$PROGRAM manifest
Generate hash manifest for this directory
2020-11-12 22:56:38 +00:00
$PROGRAM help
Show this text.
$PROGRAM version
Show version information.
_EOF
}
# Verify all tools in this list are installed at needed versions
2020-11-14 01:15:00 +00:00
check_tools head cut find sort sed getopt gpg openssl
2020-11-13 02:47:11 +00:00
# Allow entire script to be namespaced based on filename
readonly PROGRAM="${0##*/}"
# Export public sub-commands
2020-11-12 22:56:38 +00:00
case "$1" in
2020-11-14 01:15:00 +00:00
verify) shift; cmd_verify "$@" ;;
add) shift; cmd_add "$@" ;;
manifest) shift; cmd_manifest "$@" ;;
2020-11-20 09:11:09 +00:00
fetch) shift; cmd_fetch "$@" ;;
2020-11-14 01:15:00 +00:00
version|--version) shift; cmd_version "$@" ;;
help|--help) shift; cmd_usage "$@" ;;
*) cmd_usage "$@" ;;
2020-11-12 22:56:38 +00:00
esac