gitlab verify attempt 8

This commit is contained in:
Lance Vick 2020-11-20 01:11:09 -08:00
parent ccf02f583c
commit 672d1f0f65
Signed by: lrvick
GPG Key ID: 8E47A1EC35A1551D
5 changed files with 80 additions and 22 deletions


@ -4,12 +4,10 @@ services:
- docker:dind - docker:dind
before_script: before_script:
- apk add make git gnupg openssl bash util-linux - apk add make
test: test:
script: script:
- make lint - make lint
- make test - make test
- mkdir -p ~/.gnupg/ - make verify
- echo "group maintainers = 154E6BB21AA3ADAA1AE8E4C3B11B4A3F97FE0C65 D37EA2C705C8125024932FF3008DDBA577B40593 000BB588C6908039A1E7B033552ECE18615AA0CF 0993C738D2D0B3B4B70E4CEBB62C48C8CAFFFC09 E68A304BC1806237B05CD2A21667D82C2BF9F3E1 6B61ECD76088748C70590D55E90A401336C8AAA9" >> ~/.gnupg/gpg.conf
- ./sig verify --threshold 3 --group maintainers
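Review bot: The removed lines pinned six maintainer fingerprints into `~/.gnupg/gpg.conf` before verifying, and the new job replaces that with a bare `make verify` without an equivalent pin; from the Makefile hunk in this same commit, that target fetches a single fingerprint into the `maintainers` group and then requires `--threshold 3`, so unless the other fingerprints are already defined inside the `local/sig-test` image the threshold check cannot be met. The group membership is the trust anchor for the m-of-n check, so the full set of fingerprints should be pinned somewhere visible in the repository (the CI job or the Makefile's fetch step) rather than depending on image state. The rendered hunk also shows two fewer lines than its `-4,12 +4,10` counts, so part of this job is not visible here.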


@ -1,16 +1,16 @@
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+3PS0ACgkQjkeh7DWh iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+3iCAACgkQjkeh7DWh
VR0WVg/+N03hml7HngM0DbJBhKuSrEzjOIe+Bzx96VVqo322oDtHielnHD9bSbJj VR2PVA/9GWiy+hLXmTnXDhIrvl/joTvk0JwU4AlxMw55PlCPh3wlejUDKKx6xFMy
HhKhjaLZeYVDaRWwloMtypF0JEWgbuwKmWp8tqqoOM4ySkgvkpphIaaQUvU56eTW a4oaU59/6mPyVlNKPLNXFHCwJhS4beDYhAjP6gA4Esr469K5jVZFQtbD6GuQ7mDi
8daPwOC1d/A/SuSuAK7Do0S7XOuTY5uMyu/ALxXO5kV/tMmfAufcN1j+3FL48Dk3 62HNjWZyQqaVQMR2/kH74XY7mm2Dw0NpmqA9EM5EUZBRYwt1p3YycX37AfSTdof9
iHHZnVKTBN2zH3hEsuwpVIpSUVZcxNumjYegyuGYkesKVCvd4xhdqMSJXhC+XAeQ VlDSXU6cNo8E+K70Salw8q/Ds58dOCeu4bGfL6eXHPDCOzCOSth141yaJcTN+fIN
uHtO8Uh6S854gmrPwCBcicq35HAhaMBJJ9Rb3ubigQMjFpXnylThDo4gdgSBZyXE UXxK62aGzci1G7M8Wfl8rWo0gz55+ydYiIyCEzhkU2zVMNJDiO2s7as3pjyT5LWD
VsBTmQS665v9k2OfJgtKhljiWfwCpGv1pLk35bkDcJqSRbZc5kNZRuxL0GRWHPdM yWv8dpa0d8OZjt9hKCTUgxsOogt18ermbP9jFteuUwKTkIsjiJWZoPN1lHiNtNud
XK42dJOq9IdrW+RCVB9cUTXURhs6YC529iFnPcmSqW2Iv0sbSBhIbrYO/PuVuAcX wIUGDnB+lyytrA2Rc3YgbN2VzS4UKqBU/iCLxqtNgkJnunLPcnNHqrYlX9cKWMFO
9ZlV2DHRlhnDEJNRW1vp5GANBW99WiC1IcC1hRTa+5Ak06AdJsTGe2X0AxVq+ZNF pL1pcr/CZsBk28iJmeQr8UQjdchO4RNNagk+yQocscdljUw1LLY7n5+9P2/fhkK1
C6Ix/oJuQyb6oaSbpaBc6YmjAkvaTItyx4WlLck7KgQUttlEzUPuS3XTqfeeHuO6 VT6kRQY/sxibkZsE7cP4HkfkOm0XpWfI1NGpG3iRh9ACVlnleOBskPxovVJ0q5VO
e/YqAqypVIQt20AH72zC0aCH+/v7tENIKNd3am2zYxW7jNANLqtX+h5Zud6abK3G CFlvOMMLZ/MhxdC7LrC6AcTyPiXz6W34/PBJMAsxl04Rmlx7YyoZL07d7Q0kaRKu
iBPjJp+BPrXsqzsd7hRUSoZeeSM7VQNVqQMI+q7E4hKzyvplXL4= 4DHdb3j190tx/vcJC7YVY5XkuyYGD4ZYKGDaXhAS1TcUHNFe5xU=
=SKg/ =Qxxm
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----


@ -1,8 +1,8 @@
64263feac7b00952e9ec3b6c1fd11316faa58ff673c6bd085fac9f6f8d8389f6 .gitignore 64263feac7b00952e9ec3b6c1fd11316faa58ff673c6bd085fac9f6f8d8389f6 .gitignore
66a3b8bfb76f689fc4ab7bd95907b29c17c704c075c00c6cc6382e424dccd6bb .gitlab-ci.yml 67377eee89dfc4411665474ac0bee0f9a19ea7e594bcc8606b0bc3ace69f0aa1 .gitlab-ci.yml
373cb178010e75bdccd5c792c43429c8274a615c8b69b5d57f4c2ec0263f802b Makefile e272f7b4b6240dfc3499a3a977b94746903cece41481916e22868f7017da2a52 Makefile
f19d267e4aa6bf82d5416891697a2a81a574efdddecf5c54e3a8a77c207013fa README.md f19d267e4aa6bf82d5416891697a2a81a574efdddecf5c54e3a8a77c207013fa README.md
eb12fb7ea33eafb138fa89020d6bfeb57595e0ffa30634aca764fd34417853d2 sig 1ef7edc22f4f6b949b708d0e7a72e32aeab33b9a5fcdd4306193fa8629f5f622 sig
655df07f3827e7055d0c6aa21a0a4907957a34a2b8a1e9131225c537e448e2e3 test/Dockerfile 655df07f3827e7055d0c6aa21a0a4907957a34a2b8a1e9131225c537e448e2e3 test/Dockerfile
55250be3c8f25dcbe68a73e8de8c8a94d8ceb0354c7f955519373d9c963903dd test/test.bats 55250be3c8f25dcbe68a73e8de8c8a94d8ceb0354c7f955519373d9c963903dd test/test.bats
c95e072f0917531257c069516fc1bf08fd98e5c5f3958f5353a219cb5b70fd38 test/test_helper.bash c95e072f0917531257c069516fc1bf08fd98e5c5f3958f5353a219cb5b70fd38 test/test_helper.bash


@ -16,6 +16,20 @@ lint: test-image
local/sig-test \ local/sig-test \
shellcheck sig/sig shellcheck sig/sig
.PHONY: verify
verify: test-image
docker run \
--rm \
--interactive \
--volume $(PWD)/:/home/test/sig \
local/sig-test /bin/bash -c " \
cp -R sig /tmp/sig; \
cd /tmp/sig; \
./sig fetch --group maintainers 6B61ECD76088748C70590D55E90A401336C8AAA9; \
./sig verify --threshold 1 --method=git --group maintainers; \
./sig verify --threshold 3 --method=detached --group maintainers; \
"
.PHONY: test-image .PHONY: test-image
test-image: test-image:
docker build \ docker build \
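Review bot: The commands inside the `bash -c` string of the new `verify` target are chained with `;`, so a failing `cp`, `cd`, `./sig fetch`, or the `--method=git` verification does not stop the run, and `docker run` only reports the status of the last `./sig verify`; `make verify` can therefore succeed with the git-signature check failed or the key never fetched. Change the invocation to `local/sig-test /bin/bash -ec " \` (or chain the steps with `&& \`) so every step is fatal and the target's exit status reflects all of them. A short comment on the target stating why the tree is copied to `/tmp/sig` before verifying (presumably to avoid writing into the mounted checkout) would also help the next reader.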

sig

@ -178,6 +178,7 @@ group_add_fp(){
done done
echo "Adding key \"${fp}\" to group \"${group_name}\"" echo "Adding key \"${fp}\" to group \"${group_name}\""
gpg --list-keys >/dev/null 2>&1
printf 'group:0:%s' "${data%?}" \ printf 'group:0:%s' "${data%?}" \
| gpgconf --change-options gpg >/dev/null 2>&1 | gpgconf --change-options gpg >/dev/null 2>&1
} }
@ -330,6 +331,48 @@ cmd_verify() {
fi fi
} }
cmd_fetch() {
local opts group="" group_fps=""
opts="$(getopt -o g: -l group: -n "$PROGRAM" -- "$@")"
eval set -- "$opts"
while true; do case $1 in
-g|--group) group="${2:-1}"; shift 2 ;;
--) shift; break ;;
esac done
[ $# -eq 1 ] || \
die "Usage: $PROGRAM fetch <fingerprint> [-g,--group=<group>]"
local -r fingerprint=${1}
if [ ! -z "$group" ]; then
group_fps=$(group_get_fps "${group_name}")
if [[ "${group_fps}" == *"${fingerprint}"* ]]; then
echo "Key \"${fingerprint}\" is already in group \"${group}\""
else
group_add_fp "${fingerprint}" "${group}"
fi
fi
gpg --list-keys "${fingerprint}" > /dev/null 2>&1 \
&& echo "Key \"${fingerprint}\" is already in local keychain" \
&& return 0
echo "Requested key is not in keyring. Trying keyservers..."
for server in \
ha.pool.sks-keyservers.net \
hkp://keyserver.ubuntu.com:80 \
hkp://p80.pool.sks-keyservers.net:80 \
pgp.mit.edu \
; do \
echo "Fetching key "${fingerprint}" from ${server}"; \
gpg \
--recv-key \
--keyserver "$server" \
--keyserver-options timeout=10 \
--recv-keys "${fingerprint}" \
&& break; \
done
}
cmd_add(){ cmd_add(){
cmd_manifest cmd_manifest
gpg --armor --detach-sig ."${PROGRAM}"/manifest.txt >/dev/null 2>&1 gpg --armor --detach-sig ."${PROGRAM}"/manifest.txt >/dev/null 2>&1
@ -357,10 +400,12 @@ cmd_usage() {
cmd_version cmd_version
cat <<-_EOF cat <<-_EOF
Usage: Usage:
$PROGRAM verify [-g,--group=<group>] [-t,--threshold=<N>] [-m,--method=<git|detached> ]
Verify m-of-n signatures by given group are present for directory
$PROGRAM add $PROGRAM add
Add signature to manifest for this directory Add signature to manifest for this directory
$PROGRAM verify [-g,--group=<group>] [-t,--threshold=<N>] [-m,--method=<git|detached> ]
Verify m-of-n signatures by given group are present for directory
$PROGRAM fetch [-g,--group=<group>]
Fetch key by fingerprint. Optionally add to group.
$PROGRAM manifest $PROGRAM manifest
Generate hash manifest for this directory Generate hash manifest for this directory
$PROGRAM help $PROGRAM help
@ -381,6 +426,7 @@ case "$1" in
verify) shift; cmd_verify "$@" ;; verify) shift; cmd_verify "$@" ;;
add) shift; cmd_add "$@" ;; add) shift; cmd_add "$@" ;;
manifest) shift; cmd_manifest "$@" ;; manifest) shift; cmd_manifest "$@" ;;
fetch) shift; cmd_fetch "$@" ;;
version|--version) shift; cmd_version "$@" ;; version|--version) shift; cmd_version "$@" ;;
help|--help) shift; cmd_usage "$@" ;; help|--help) shift; cmd_usage "$@" ;;
*) cmd_usage "$@" ;; *) cmd_usage "$@" ;;
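Review bot: In the new `cmd_fetch`, the group lookup reads a variable the function never sets: it calls `group_get_fps "${group_name}"` while the option parser stores the group in `group`, so under `set -u` the function aborts and otherwise the membership check presumably runs against an empty group name and `group_add_fp` is called even for a fingerprint already in the group; change it to `group_fps=$(group_get_fps "${group}")`. The keyserver loop breaks on the first successful `--recv-keys` but returns 0 when every server fails, so a key that was never imported is reported as fetched; add `gpg --list-keys "${fingerprint}" >/dev/null 2>&1 || die "Could not fetch key \"${fingerprint}\" from any keyserver"` after the loop. The group is also updated before the key is known to exist, so a failed fetch still leaves the fingerprint in the group; moving the group block after the fetch keeps group membership consistent with the keyring. Minor: `--recv-key` and `--recv-keys` are both passed to the same gpg command, and the progress `echo` has its quotes split around `${fingerprint}`.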