working group handling. initial git stubbing
This commit is contained in:
parent
427a13fd32
commit
8c19efd8c5
|
@ -1,16 +1,16 @@
|
||||||
-----BEGIN PGP SIGNATURE-----
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+vL3cACgkQjkeh7DWh
|
iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+yVvEACgkQjkeh7DWh
|
||||||
VR3pXg//edF6tpvIaIcVhe72Wg/NOnz277brPdFnpnZTi9kZOanrPilyMJ5ahTVP
|
VR1qXA//Vy4EGUfGi4KkzWjQuJhuucFReok5h3uKjceqF6Axwf6DME9fB3BDITe2
|
||||||
Au+Z/3LX470ewUTpN9DP1ou5yEMyHYE6nq2UDVhmrmxz5WnydqfibuTX1gmIj1RP
|
4m1MU+MzKpf69k/DEoG/6kANF9aRYjw/ZgczIPTTj6E07F9OEUQRbV58uSACr9OV
|
||||||
xctTus0Q9KIA2YOyEa5LQ30DyKzNb3uMbhEbu/Px1FciuvQTP2kzusUEgLI2HBPJ
|
XXec8muyWP5LK4SfnbBHAdvQBwIZdeVTDeT/a5I5w11RvGPnw8SOx9vXhH86QasE
|
||||||
fH05M6W2ppYslHZDRf3lc1D6z72f4IpwedkHHq/8ilbIWwmasayYDqr1Smddnz7i
|
Wk2xQ93E5r39zfWxShtH+KPSBksWPkZYVaP2rQTmhg21/yxzRpqj96S3pkaC//8+
|
||||||
e/ysFhDq3C3/tljS0IxS1U7r3O7NqL49bBixTg/fPo2iTH/3GgnBuYQoDxxMXlRV
|
nHmEH5DQHv/80+0zIYLiEJkTkse5FFYGgwpUBA6tTpFUJUQhR2ht958GcLftBkAG
|
||||||
fTT7xhlAfK3PewYwIjPBx14TCe+omU95okhbwBWVw5Zh8KxRlWdjS0X0zrZW21JQ
|
0aY85m3QsCT2Rrq4ayqRcrU/uK7g0ekOAMpJpvBUJl7ksZwE9Fxo2J+h9ruBesc1
|
||||||
RJeCEmH0QJKur9CzD86AXkDj9GSIQDdaVaD4w5f+BRaboroxRF+n3yhRaDYdVbYf
|
nkAMlUzbvXCFSUX77MTuyfOr9vwURziKHdk699G5nf2H8V8ZcuJnocdX45Sj81SU
|
||||||
Uqwn09NyNV8GrGjQMTBaDaMiXvdrvScPRQcJkL54gwzCsrzpl8Bvj8eX9ESH5tw6
|
SWR6RcNDOcEdKVVvluUEzGYHzuG2uEpx5ja+vWzUW1fkrBnHems/uNTvdIoehm6Y
|
||||||
b8xCY6YMn8SwivC2DlDXB6q9DU7i41xinupMoivyBLkR7G69tZL/n7pc0syjj9UH
|
H5RKrgn6SXAhUtA8OfSUx9U+woWU1dCT7C4L8a6nM2u3QTI8hkTHiEVQzau7+d6B
|
||||||
v1HyyGG6sski1/8cTvi3Q+Oo6kx7OGLZ8K3rpmORYkT+m3SxTYQgFwLHoubO4c7Q
|
Cu31iLamRXo+Kp7rmFSyrGouzhF1jRWAMwJZl80GpWcHjSYzvbEzpp4Zngb8Nm0S
|
||||||
J5rlMmWM3n8E1fcx4Cri0jI+1IZGS7FSFQxzo7x4U3s3yGbLmPI=
|
qu3j61unUGcMZNUAjhF04adQQ2Wcp7U5xA/aMZGfN8aJEtDKMC4=
|
||||||
=n932
|
=9AUa
|
||||||
-----END PGP SIGNATURE-----
|
-----END PGP SIGNATURE-----
|
||||||
|
|
|
@ -1,2 +1,2 @@
|
||||||
64263feac7b00952e9ec3b6c1fd11316faa58ff673c6bd085fac9f6f8d8389f6 .gitignore
|
64263feac7b00952e9ec3b6c1fd11316faa58ff673c6bd085fac9f6f8d8389f6 .gitignore
|
||||||
e008111dff82be23ab7999b0938e9fffb2fd4826d99f87ed5d0a70256fd43908 sig
|
592bb0c186797cc93e3e1eb4c58ceb420b9c36f72521f71da49a05c6452e95e6 sig
|
||||||
|
|
44
sig
44
sig
|
@ -6,11 +6,15 @@ MIN_GPG_VERSION=2.2
|
||||||
MIN_OPENSSL_VERSION=1.1
|
MIN_OPENSSL_VERSION=1.1
|
||||||
MIN_GETOPT_VERSION=2.33
|
MIN_GETOPT_VERSION=2.33
|
||||||
|
|
||||||
|
## Private Functions
|
||||||
|
|
||||||
|
### Bail with error message
|
||||||
die() {
|
die() {
|
||||||
echo "$@" >&2
|
echo "$@" >&2
|
||||||
exit 1
|
exit 1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
### Bail and instruct user on missing package to install for their platform
|
||||||
die_pkg() {
|
die_pkg() {
|
||||||
local package=${1?}
|
local package=${1?}
|
||||||
local version=${2?}
|
local version=${2?}
|
||||||
|
@ -36,6 +40,7 @@ die_pkg() {
|
||||||
exit 1
|
exit 1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
### Check if actual binary version is >= minimum version
|
||||||
check_version(){
|
check_version(){
|
||||||
local pkg="${1?}"
|
local pkg="${1?}"
|
||||||
local have="${2?}"
|
local have="${2?}"
|
||||||
|
@ -53,6 +58,7 @@ check_version(){
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
|
### Check if required binaries are installed at appropriate versions
|
||||||
check_tools(){
|
check_tools(){
|
||||||
if [ -z "${BASH_VERSINFO}" ] \
|
if [ -z "${BASH_VERSINFO}" ] \
|
||||||
|| [ -z "${BASH_VERSINFO[0]}" ] \
|
|| [ -z "${BASH_VERSINFO[0]}" ] \
|
||||||
|
@ -78,6 +84,7 @@ check_tools(){
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
|
### Handle different implementations of mktemp across platforms
|
||||||
get_temp(){
|
get_temp(){
|
||||||
echo "$(
|
echo "$(
|
||||||
mktemp \
|
mktemp \
|
||||||
|
@ -90,6 +97,8 @@ get_temp(){
|
||||||
)"
|
)"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
### Get files that will be added to the manifest for signing
|
||||||
|
### Use git if available, else fall back to find
|
||||||
get_files(){
|
get_files(){
|
||||||
if command -v git >/dev/null; then
|
if command -v git >/dev/null; then
|
||||||
git ls-files | grep -v ".${PROGRAM}"
|
git ls-files | grep -v ".${PROGRAM}"
|
||||||
|
@ -101,6 +110,8 @@ get_files(){
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
### Verify a file has 0-N unique valid detached signatures
|
||||||
|
### Optionally verify all signatures belong to keys in gpg alias group
|
||||||
verify_file() {
|
verify_file() {
|
||||||
[ $# -eq 3 ] || die "Usage: verify_file <threshold> <group> <file>"
|
[ $# -eq 3 ] || die "Usage: verify_file <threshold> <group> <file>"
|
||||||
local threshold="${1}"
|
local threshold="${1}"
|
||||||
|
@ -112,10 +123,12 @@ verify_file() {
|
||||||
local fingerprint
|
local fingerprint
|
||||||
local signer
|
local signer
|
||||||
|
|
||||||
[ ! -z "$group" ] && group_config="$( \
|
if [ ! -z "$group" ]; then
|
||||||
|
group_config="$( \
|
||||||
gpg --with-colons --list-config group \
|
gpg --with-colons --list-config group \
|
||||||
| grep -i "^cfg:group:${group}:" \
|
| grep -i "^cfg:group:${group}:" \
|
||||||
)" || die "Error: group \"${group}\" not found in ~/.gnupg/gpg.conf"
|
)" || die "Error: group \"${group}\" not found in ~/.gnupg/gpg.conf"
|
||||||
|
fi
|
||||||
|
|
||||||
for sig_filename in "${filename%.*}".*.asc; do
|
for sig_filename in "${filename%.*}".*.asc; do
|
||||||
gpg --verify "${sig_filename}" "${filename}" >/dev/null 2>&1 || {
|
gpg --verify "${sig_filename}" "${filename}" >/dev/null 2>&1 || {
|
||||||
|
@ -153,6 +166,21 @@ verify_file() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
### Verify all commits in git repo have valid signatures
|
||||||
|
### Optionally verify a minimum number of valid unique signatures
|
||||||
|
### Optionally verify all signatures belong to keys in gpg alias group
|
||||||
|
verify_git(){
|
||||||
|
[ $# -eq 2 ] || die "Usage: verify_git <threshold> <group>"
|
||||||
|
local threshold="${1}"
|
||||||
|
local group="${2}"
|
||||||
|
#for commit in $(git log --format='%H%GP'); do
|
||||||
|
# echo "$commit"
|
||||||
|
#done
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
## Public Commands
|
||||||
|
|
||||||
cmd_manifest() {
|
cmd_manifest() {
|
||||||
mkdir -p ".${PROGRAM}"
|
mkdir -p ".${PROGRAM}"
|
||||||
printf "$(get_files | xargs openssl sha256 -r)" \
|
printf "$(get_files | xargs openssl sha256 -r)" \
|
||||||
|
@ -162,9 +190,8 @@ cmd_manifest() {
|
||||||
}
|
}
|
||||||
|
|
||||||
cmd_verify() {
|
cmd_verify() {
|
||||||
local opts selected_line min=1 group=""
|
local opts min=1 group=""
|
||||||
opts="$(getopt -o m:g: -l min:,group: -n "$PROGRAM" -- "$@")"
|
opts="$(getopt -o m:g: -l min:,group: -n "$PROGRAM" -- "$@")"
|
||||||
local err=$?
|
|
||||||
eval set -- "$opts"
|
eval set -- "$opts"
|
||||||
while true; do case $1 in
|
while true; do case $1 in
|
||||||
-m|--min) min="$2"; shift 2 ;;
|
-m|--min) min="$2"; shift 2 ;;
|
||||||
|
@ -172,7 +199,10 @@ cmd_verify() {
|
||||||
--) shift; break ;;
|
--) shift; break ;;
|
||||||
esac done
|
esac done
|
||||||
|
|
||||||
#TODO: if git: show git signature status to aid in trust building
|
command -v git >/dev/null 2>&1 \
|
||||||
|
&& ( [ -d .git ] || git rev-parse --git-dir > /dev/null 2>&1 ) \
|
||||||
|
&& verify_git "${min}" "${group}"
|
||||||
|
|
||||||
#TODO: if git and if invalid: show diff against last valid version
|
#TODO: if git and if invalid: show diff against last valid version
|
||||||
( [ -d ".${PROGRAM}" ] && ls .${PROGRAM}/*.asc >/dev/null 2>&1 ) \
|
( [ -d ".${PROGRAM}" ] && ls .${PROGRAM}/*.asc >/dev/null 2>&1 ) \
|
||||||
|| die "Error: No signatures"
|
|| die "Error: No signatures"
|
||||||
|
@ -208,7 +238,7 @@ cmd_usage() {
|
||||||
cat <<-_EOF
|
cat <<-_EOF
|
||||||
Usage:
|
Usage:
|
||||||
$PROGRAM verify [--group=<group>,-g <group>] [--min=<N>,-m <N>]
|
$PROGRAM verify [--group=<group>,-g <group>] [--min=<N>,-m <N>]
|
||||||
Verify all signing policies for this directory are met
|
Verify m-of-n signatures by given group are present for directory
|
||||||
$PROGRAM add
|
$PROGRAM add
|
||||||
Add signature to manifest for this directory
|
Add signature to manifest for this directory
|
||||||
$PROGRAM manifest
|
$PROGRAM manifest
|
||||||
|
@ -220,9 +250,13 @@ cmd_usage() {
|
||||||
_EOF
|
_EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Verify all tools in this list are installed at needed versions
|
||||||
check_tools head cut find sort sed getopt gpg openssl
|
check_tools head cut find sort sed getopt gpg openssl
|
||||||
|
|
||||||
|
# Allow entire script to be namespaced based on filename
|
||||||
PROGRAM="${0##*/}"
|
PROGRAM="${0##*/}"
|
||||||
|
|
||||||
|
# Export public sub-commands
|
||||||
case "$1" in
|
case "$1" in
|
||||||
verify) shift; cmd_verify "$@" ;;
|
verify) shift; cmd_verify "$@" ;;
|
||||||
add) shift; cmd_add "$@" ;;
|
add) shift; cmd_add "$@" ;;
|
||||||
|
|
Loading…
Reference in New Issue