diff --git a/.sig/manifest.8E47A1EC35A1551D.asc b/.sig/manifest.8E47A1EC35A1551D.asc index f1c3861..c86d8c3 100644 --- a/.sig/manifest.8E47A1EC35A1551D.asc +++ b/.sig/manifest.8E47A1EC35A1551D.asc @@ -1,16 +1,16 @@ -----BEGIN PGP SIGNATURE----- -iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+0X2UACgkQjkeh7DWh -VR0adA//T6GKxXV5fagaH/2rba/+/AzeRzPo4rKooT3kEC05LK95AMig3K83ztHo -D/cQengjdajSYXjJniVCY1IXXtfNAcCLIPgfYHQirGWLQy4hERSkFeVVeq0ZCMMd -7Pjag6wNCXukEZjLRCiZyyIfaYlN7IdEBS8fvRDoN3HWEvJldlOkHgaAkquKb+Ll -MPRvpB2pDeTi2o8PUKVDqUaqVPRRjYqudsKqqfl2kVxLH3wEd7ES0kBRjjlGHV8h -iV3lDM0qA1tVc50mw187qdN5ENxEDWp8OxNX9K0g3og2Z4/8ZUyrJOk2jfE5am1A -rocYoxw4xTyktWHsJWeYJcXeVS5p7vY3NHZD4Db/G/vRjAK4k6BGuYe1JaVh/p8h -OAwNVRbbMddsJXQXUCv+74zTKhvEtqWAh+gH349pkmrt72DblDNYSNrLlnt1CJmV -bGnfTVEgRqVzBMZyhHIj2GAHfHoa/8OOq3Ph135YZ9/ZhWGE86zqt8kIv7MuL9At -Yp0QW+3Ocsl8EDjBMnlVZ72pcuHsmRjijOMJahFFZHrML28WzQH34iMLwihQC1OC -pOJSu22UYkhKp5I2MJtFe93/feRl+KsrF2P8LpaZ1baecY2dhubminy4NBtpv9PL -oZHVIA42M/Ebk5Z/g9Iknx4hdiA/hQUMe8zJ/wP7/QvxXb4CNzY= -=Ah1n +iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+0YykACgkQjkeh7DWh +VR2UOhAAnjdxq5e17AGa+VRS3JOqiv8moPvLiYZMILnaxzJUFJwTcV4Fu4SEjBL/ +/BzZemxbwRQMnwcI9FiqRYfN6wB8SkoN6TakD6NDag9ARRdL6VDRLRE9w3xGRD+M +kcCD5fdR1d9MOx4bomvkNJzLEzStvyTjoH7LICZINCMIlzOM9jB3Rbw7/ZnsmGg8 +t9kOP/Nf7b+cOTTUaymeluZji4Xf3i9/GgK5QEByV+P0ggq71VBgVvRFaKC8Qk2/ +bK4iFpn/d3eRWlB/PIcPNFnrlVBoePbNdKuFuRKD7lvxoCN1tJVsWVXdexnRNN1j +OVBFluCHCumL+y3DgtmNqrA0PihbAlQyCl8D3RjQvbqwCxazfSnrtv2uOW8jUj/M +GMvbrJ/jGXqc6EYPQljxxgHPc5XhZLEHbJ0nPYo+dEjiUPF2JhMF/o7JHWFlVSrs +5RhvZfpxfQOrxpWlUOyJTOoQGGb/tT0hDB/xrRvedW31hLjpqrSzNPmPmCOpWABl +GCiY09MX284oN2gZOshoBPNWFphzzLb4aDEDzLjFuOa9X0HRohs13rG619nIzchB +2l0Q1UC+N8sRvr331yuFKlvQIoBbiS7GVRnpv47xoK+056FP4FxHFqhk+qN9S+uo +px2BFGmgCN5trQLaVcCBD4yPzWacSaIkLoguh3svGjz8yuUg/Ns= +=T6my -----END PGP SIGNATURE----- diff --git a/.sig/manifest.txt b/.sig/manifest.txt index 9507b12..6c8c102 100644 --- a/.sig/manifest.txt +++ b/.sig/manifest.txt 
@@ -1,3 +1,3 @@ 64263feac7b00952e9ec3b6c1fd11316faa58ff673c6bd085fac9f6f8d8389f6 .gitignore -96bdf717daff77951303378d9abba4857a28bae1738fe8e2536680c6735819be README.md -e02b0ef74b361497249967dd13477c988c602a187d76d610c05f9193eaec6cb4 sig +a879b0beb9cf169a5af7b3b643609a84c0ec38b1627be6ebf6f4bbeb46e571b5 README.md +9188d59457ca4f71a6cb94ca1c3bd7ba5ac5515b1c06793b35f0482dca727de3 sig diff --git a/README.md b/README.md index 561afd8..53da2eb 100644 --- a/README.md +++ b/README.md @@ -70,7 +70,7 @@ This method verifies a git repo contains signed commits by one or more authors. If 'threshold' is specified, it searches history until enough unique signatures are found to satisify the threshold, ensuring all commits between are signed. -If 'group' is specified, all signatures must be by keys that belong to a +If 'group' is specified, all signatures must be from keys that belong to a defined gpg alias group. Note: this only proves the history had multiple participants, but not that @@ -128,8 +128,9 @@ sig add ### Why Bash? -Because it is easy to quickly verify at any time, has wide OS compatibility andthe majority of the needed operations are calling other programs already on -your system like gpg and openssl. +Because it is easy to quickly verify at any time, has wide OS compatibility and +the majority of the needed operations are calling other programs already on +most systems like gpg and openssl. If this were in another language it would be harder to audit on the fly, would require the user to have a specific language toolchain installed, and it would 
@@ -155,5 +156,5 @@ stable future. See: https://sequoia-pgp.org/ The only promising alternative to GnuPG for software signing that has hsm -support and the very attractive feature of expiring signatures is [The Update Framework](https://theupdateframework.io) which may be supported as an alternate -method in the future if m-of-n multisig is ever implemented. +support and the very attractive feature of expiring signatures is [The Update Framework](https://theupdateframework.io) which may be supported as an alternate method in the future +if m-of-n multisig is ever implemented. diff --git a/sig b/sig index 1714d84..ac27a21 100755 --- a/sig +++ b/sig @@ -159,8 +159,8 @@ group_add_fp(){ local group_names=() local member_lists=() local name member_list config i data + local -r config=$(group_get_config) - config=$(group_get_config) while IFS=' =' read -rd, name member_list; do group_names+=("${name:1}") member_lists+=("$member_list") @@ -194,8 +194,8 @@ group_get_fps(){ group_check_fp(){ local fp=${1?} local group_name=${2?} - local group_fps; group_fps=$( group_get_fps "${group_name}" ) - local uid; uid=$(get_uid "${fp}") + local -r group_fps=$( group_get_fps "${group_name}" ) + local -r uid=$(get_uid "${fp}") if [ -z "$group_fps" ] \ || [[ "${group_fps}" != *"${fp}"* ]]; then @@ -337,7 +337,7 @@ cmd_verify() { cmd_add(){ cmd_manifest gpg --armor --detach-sig ."${PROGRAM}"/manifest.txt >/dev/null 2>&1 - local fp; fp=$( \ + local -r fp=$( \ gpg --list-packets ."${PROGRAM}"/manifest.txt.asc \ | grep "issuer key ID" \ | sed 's/.*\([A-Z0-9]\{16\}\).*/\1/g' \
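Review bot: `local -r config=$(group_get_config)` in group_add_fp folds the command substitution into the `local` declaration, so the exit status of `group_get_config` is replaced by `local`'s own status (always 0); the same masking is introduced in group_check_fp (`group_fps`, `uid`) and in cmd_add (`fp`). The removed `local x; x=$(...)` form is the ShellCheck SC2155 recommendation precisely because it keeps the status visible to `set -e` or an explicit `|| return` (whether the script runs under `set -e` is not visible in these hunks). In cmd_add the `gpg --list-packets … | grep "issuer key ID" | sed …` pipeline decides which signer key ID is recorded, so a gpg failure or a non-matching grep now silently yields an empty `fp` instead of a failed step, unless a check later in the function (outside the hunk, as all three function bodies continue past their hunks) catches it. I would keep the split form and mark the variable readonly afterwards, e.g. `config=$(group_get_config) || return 1` followed by `readonly config`, and likewise `fp=$( … ) || return 1` in cmd_add. In group_add_fp note also that `config` is already declared on the preceding `local name member_list config i data` line, so the new `local -r config=…` is a second declaration of the same name; dropping `config` from that list or dropping the new `local` keeps one declaration.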