gitlab verify attempt 8
This commit is contained in:
parent
ccf02f583c
commit
672d1f0f65
|
@ -4,12 +4,10 @@ services:
|
||||||
- docker:dind
|
- docker:dind
|
||||||
|
|
||||||
before_script:
|
before_script:
|
||||||
- apk add make git gnupg openssl bash util-linux
|
- apk add make
|
||||||
|
|
||||||
test:
|
test:
|
||||||
script:
|
script:
|
||||||
- make lint
|
- make lint
|
||||||
- make test
|
- make test
|
||||||
- mkdir -p ~/.gnupg/
|
- make verify
|
||||||
- echo "group maintainers = 154E6BB21AA3ADAA1AE8E4C3B11B4A3F97FE0C65 D37EA2C705C8125024932FF3008DDBA577B40593 000BB588C6908039A1E7B033552ECE18615AA0CF 0993C738D2D0B3B4B70E4CEBB62C48C8CAFFFC09 E68A304BC1806237B05CD2A21667D82C2BF9F3E1 6B61ECD76088748C70590D55E90A401336C8AAA9" >> ~/.gnupg/gpg.conf
|
|
||||||
- ./sig verify --threshold 3 --group maintainers
|
|
||||||
|
|
|
@ -1,16 +1,16 @@
|
||||||
-----BEGIN PGP SIGNATURE-----
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+3PS0ACgkQjkeh7DWh
|
iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+3iCAACgkQjkeh7DWh
|
||||||
VR0WVg/+N03hml7HngM0DbJBhKuSrEzjOIe+Bzx96VVqo322oDtHielnHD9bSbJj
|
VR2PVA/9GWiy+hLXmTnXDhIrvl/joTvk0JwU4AlxMw55PlCPh3wlejUDKKx6xFMy
|
||||||
HhKhjaLZeYVDaRWwloMtypF0JEWgbuwKmWp8tqqoOM4ySkgvkpphIaaQUvU56eTW
|
a4oaU59/6mPyVlNKPLNXFHCwJhS4beDYhAjP6gA4Esr469K5jVZFQtbD6GuQ7mDi
|
||||||
8daPwOC1d/A/SuSuAK7Do0S7XOuTY5uMyu/ALxXO5kV/tMmfAufcN1j+3FL48Dk3
|
62HNjWZyQqaVQMR2/kH74XY7mm2Dw0NpmqA9EM5EUZBRYwt1p3YycX37AfSTdof9
|
||||||
iHHZnVKTBN2zH3hEsuwpVIpSUVZcxNumjYegyuGYkesKVCvd4xhdqMSJXhC+XAeQ
|
VlDSXU6cNo8E+K70Salw8q/Ds58dOCeu4bGfL6eXHPDCOzCOSth141yaJcTN+fIN
|
||||||
uHtO8Uh6S854gmrPwCBcicq35HAhaMBJJ9Rb3ubigQMjFpXnylThDo4gdgSBZyXE
|
UXxK62aGzci1G7M8Wfl8rWo0gz55+ydYiIyCEzhkU2zVMNJDiO2s7as3pjyT5LWD
|
||||||
VsBTmQS665v9k2OfJgtKhljiWfwCpGv1pLk35bkDcJqSRbZc5kNZRuxL0GRWHPdM
|
yWv8dpa0d8OZjt9hKCTUgxsOogt18ermbP9jFteuUwKTkIsjiJWZoPN1lHiNtNud
|
||||||
XK42dJOq9IdrW+RCVB9cUTXURhs6YC529iFnPcmSqW2Iv0sbSBhIbrYO/PuVuAcX
|
wIUGDnB+lyytrA2Rc3YgbN2VzS4UKqBU/iCLxqtNgkJnunLPcnNHqrYlX9cKWMFO
|
||||||
9ZlV2DHRlhnDEJNRW1vp5GANBW99WiC1IcC1hRTa+5Ak06AdJsTGe2X0AxVq+ZNF
|
pL1pcr/CZsBk28iJmeQr8UQjdchO4RNNagk+yQocscdljUw1LLY7n5+9P2/fhkK1
|
||||||
C6Ix/oJuQyb6oaSbpaBc6YmjAkvaTItyx4WlLck7KgQUttlEzUPuS3XTqfeeHuO6
|
VT6kRQY/sxibkZsE7cP4HkfkOm0XpWfI1NGpG3iRh9ACVlnleOBskPxovVJ0q5VO
|
||||||
e/YqAqypVIQt20AH72zC0aCH+/v7tENIKNd3am2zYxW7jNANLqtX+h5Zud6abK3G
|
CFlvOMMLZ/MhxdC7LrC6AcTyPiXz6W34/PBJMAsxl04Rmlx7YyoZL07d7Q0kaRKu
|
||||||
iBPjJp+BPrXsqzsd7hRUSoZeeSM7VQNVqQMI+q7E4hKzyvplXL4=
|
4DHdb3j190tx/vcJC7YVY5XkuyYGD4ZYKGDaXhAS1TcUHNFe5xU=
|
||||||
=SKg/
|
=Qxxm
|
||||||
-----END PGP SIGNATURE-----
|
-----END PGP SIGNATURE-----
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
64263feac7b00952e9ec3b6c1fd11316faa58ff673c6bd085fac9f6f8d8389f6 .gitignore
|
64263feac7b00952e9ec3b6c1fd11316faa58ff673c6bd085fac9f6f8d8389f6 .gitignore
|
||||||
66a3b8bfb76f689fc4ab7bd95907b29c17c704c075c00c6cc6382e424dccd6bb .gitlab-ci.yml
|
67377eee89dfc4411665474ac0bee0f9a19ea7e594bcc8606b0bc3ace69f0aa1 .gitlab-ci.yml
|
||||||
373cb178010e75bdccd5c792c43429c8274a615c8b69b5d57f4c2ec0263f802b Makefile
|
e272f7b4b6240dfc3499a3a977b94746903cece41481916e22868f7017da2a52 Makefile
|
||||||
f19d267e4aa6bf82d5416891697a2a81a574efdddecf5c54e3a8a77c207013fa README.md
|
f19d267e4aa6bf82d5416891697a2a81a574efdddecf5c54e3a8a77c207013fa README.md
|
||||||
eb12fb7ea33eafb138fa89020d6bfeb57595e0ffa30634aca764fd34417853d2 sig
|
1ef7edc22f4f6b949b708d0e7a72e32aeab33b9a5fcdd4306193fa8629f5f622 sig
|
||||||
655df07f3827e7055d0c6aa21a0a4907957a34a2b8a1e9131225c537e448e2e3 test/Dockerfile
|
655df07f3827e7055d0c6aa21a0a4907957a34a2b8a1e9131225c537e448e2e3 test/Dockerfile
|
||||||
55250be3c8f25dcbe68a73e8de8c8a94d8ceb0354c7f955519373d9c963903dd test/test.bats
|
55250be3c8f25dcbe68a73e8de8c8a94d8ceb0354c7f955519373d9c963903dd test/test.bats
|
||||||
c95e072f0917531257c069516fc1bf08fd98e5c5f3958f5353a219cb5b70fd38 test/test_helper.bash
|
c95e072f0917531257c069516fc1bf08fd98e5c5f3958f5353a219cb5b70fd38 test/test_helper.bash
|
||||||
|
|
14
Makefile
14
Makefile
|
@ -16,6 +16,20 @@ lint: test-image
|
||||||
local/sig-test \
|
local/sig-test \
|
||||||
shellcheck sig/sig
|
shellcheck sig/sig
|
||||||
|
|
||||||
|
.PHONY: verify
|
||||||
|
verify: test-image
|
||||||
|
docker run \
|
||||||
|
--rm \
|
||||||
|
--interactive \
|
||||||
|
--volume $(PWD)/:/home/test/sig \
|
||||||
|
local/sig-test /bin/bash -c " \
|
||||||
|
cp -R sig /tmp/sig; \
|
||||||
|
cd /tmp/sig; \
|
||||||
|
./sig fetch --group maintainers 6B61ECD76088748C70590D55E90A401336C8AAA9; \
|
||||||
|
./sig verify --threshold 1 --method=git --group maintainers; \
|
||||||
|
./sig verify --threshold 3 --method=detached --group maintainers; \
|
||||||
|
"
|
||||||
|
|
||||||
.PHONY: test-image
|
.PHONY: test-image
|
||||||
test-image:
|
test-image:
|
||||||
docker build \
|
docker build \
|
||||||
|
|
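Review bot: In the new `verify` recipe the steps inside `bash -c` are joined with `;`, so the target's exit status is that of the final `./sig verify --threshold 3 --method=detached` call alone — a failed `./sig fetch` or a failed threshold-1 git verification is swallowed and `make verify` still reports success. Start the command string with `set -e;` (or chain the steps with `&&`) so every step must pass, e.g. `local/sig-test /bin/bash -c "set -e; \`. The group is seeded with a single fingerprint, so the threshold-3 detached check can only pass if `local/sig-test` already carries the other maintainer keys, which this hunk does not show; a comment on the `./sig fetch` line stating where those keys come from would help the next reader. `$(PWD)` on the `--volume` line is the shell's environment variable as seen by make; `$(CURDIR)` is the make-native equivalent.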
50
sig
50
sig
|
@ -178,6 +178,7 @@ group_add_fp(){
|
||||||
done
|
done
|
||||||
|
|
||||||
echo "Adding key \"${fp}\" to group \"${group_name}\""
|
echo "Adding key \"${fp}\" to group \"${group_name}\""
|
||||||
|
gpg --list-keys >/dev/null 2>&1
|
||||||
printf 'group:0:%s' "${data%?}" \
|
printf 'group:0:%s' "${data%?}" \
|
||||||
| gpgconf --change-options gpg >/dev/null 2>&1
|
| gpgconf --change-options gpg >/dev/null 2>&1
|
||||||
}
|
}
|
||||||
|
@ -330,6 +331,48 @@ cmd_verify() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
cmd_fetch() {
|
||||||
|
local opts group="" group_fps=""
|
||||||
|
opts="$(getopt -o g: -l group: -n "$PROGRAM" -- "$@")"
|
||||||
|
eval set -- "$opts"
|
||||||
|
while true; do case $1 in
|
||||||
|
-g|--group) group="${2:-1}"; shift 2 ;;
|
||||||
|
--) shift; break ;;
|
||||||
|
esac done
|
||||||
|
[ $# -eq 1 ] || \
|
||||||
|
die "Usage: $PROGRAM fetch <fingerprint> [-g,--group=<group>]"
|
||||||
|
local -r fingerprint=${1}
|
||||||
|
|
||||||
|
if [ ! -z "$group" ]; then
|
||||||
|
group_fps=$(group_get_fps "${group_name}")
|
||||||
|
if [[ "${group_fps}" == *"${fingerprint}"* ]]; then
|
||||||
|
echo "Key \"${fingerprint}\" is already in group \"${group}\""
|
||||||
|
else
|
||||||
|
group_add_fp "${fingerprint}" "${group}"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
gpg --list-keys "${fingerprint}" > /dev/null 2>&1 \
|
||||||
|
&& echo "Key \"${fingerprint}\" is already in local keychain" \
|
||||||
|
&& return 0
|
||||||
|
|
||||||
|
echo "Requested key is not in keyring. Trying keyservers..."
|
||||||
|
for server in \
|
||||||
|
ha.pool.sks-keyservers.net \
|
||||||
|
hkp://keyserver.ubuntu.com:80 \
|
||||||
|
hkp://p80.pool.sks-keyservers.net:80 \
|
||||||
|
pgp.mit.edu \
|
||||||
|
; do \
|
||||||
|
echo "Fetching key "${fingerprint}" from ${server}"; \
|
||||||
|
gpg \
|
||||||
|
--recv-key \
|
||||||
|
--keyserver "$server" \
|
||||||
|
--keyserver-options timeout=10 \
|
||||||
|
--recv-keys "${fingerprint}" \
|
||||||
|
&& break; \
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
cmd_add(){
|
cmd_add(){
|
||||||
cmd_manifest
|
cmd_manifest
|
||||||
gpg --armor --detach-sig ."${PROGRAM}"/manifest.txt >/dev/null 2>&1
|
gpg --armor --detach-sig ."${PROGRAM}"/manifest.txt >/dev/null 2>&1
|
||||||
|
@ -357,10 +400,12 @@ cmd_usage() {
|
||||||
cmd_version
|
cmd_version
|
||||||
cat <<-_EOF
|
cat <<-_EOF
|
||||||
Usage:
|
Usage:
|
||||||
$PROGRAM verify [-g,--group=<group>] [-t,--threshold=<N>] [-m,--method=<git|detached> ]
|
|
||||||
Verify m-of-n signatures by given group are present for directory
|
|
||||||
$PROGRAM add
|
$PROGRAM add
|
||||||
Add signature to manifest for this directory
|
Add signature to manifest for this directory
|
||||||
|
$PROGRAM verify [-g,--group=<group>] [-t,--threshold=<N>] [-m,--method=<git|detached> ]
|
||||||
|
Verify m-of-n signatures by given group are present for directory
|
||||||
|
$PROGRAM fetch [-g,--group=<group>]
|
||||||
|
Fetch key by fingerprint. Optionally add to group.
|
||||||
$PROGRAM manifest
|
$PROGRAM manifest
|
||||||
Generate hash manifest for this directory
|
Generate hash manifest for this directory
|
||||||
$PROGRAM help
|
$PROGRAM help
|
||||||
|
@ -381,6 +426,7 @@ case "$1" in
|
||||||
verify) shift; cmd_verify "$@" ;;
|
verify) shift; cmd_verify "$@" ;;
|
||||||
add) shift; cmd_add "$@" ;;
|
add) shift; cmd_add "$@" ;;
|
||||||
manifest) shift; cmd_manifest "$@" ;;
|
manifest) shift; cmd_manifest "$@" ;;
|
||||||
|
fetch) shift; cmd_fetch "$@" ;;
|
||||||
version|--version) shift; cmd_version "$@" ;;
|
version|--version) shift; cmd_version "$@" ;;
|
||||||
help|--help) shift; cmd_usage "$@" ;;
|
help|--help) shift; cmd_usage "$@" ;;
|
||||||
*) cmd_usage "$@" ;;
|
*) cmd_usage "$@" ;;
|
||||||
|
|
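Review bot: In `cmd_fetch`, `group_fps=$(group_get_fps "${group_name}")` reads a variable this function never sets — the option parser stores the group in `group` — so the membership test runs against an empty name and the key is re-added on every call (or the script aborts here if it runs under `set -u`, which this hunk does not show); it should read `group_fps=$(group_get_fps "${group}")`. The keyserver loop also never confirms the fetch: when every server fails the function simply falls off the end, and the loop itself does not check that what was imported is the requested key. After the loop add `gpg --list-keys "${fingerprint}" >/dev/null 2>&1 || die "Key \"${fingerprint}\" could not be fetched from any keyserver"`. The fingerprint is also added to the group before the fetch is attempted, so a failed fetch still leaves it in the group; performing the group update after the post-fetch check avoids that. The bare `--recv-key` before `--keyserver` is redundant with the later `--recv-keys "${fingerprint}"` and can be dropped.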