working group handling. initial git stubbing

Lance Vick 2020-11-16 02:40:04 -08:00
parent 427a13fd32
commit 8c19efd8c5
Signed by: lrvick
GPG Key ID: 8E47A1EC35A1551D
3 changed files with 59 additions and 25 deletions


@ -1,16 +1,16 @@
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+vL3cACgkQjkeh7DWh iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+yVvEACgkQjkeh7DWh
VR3pXg//edF6tpvIaIcVhe72Wg/NOnz277brPdFnpnZTi9kZOanrPilyMJ5ahTVP VR1qXA//Vy4EGUfGi4KkzWjQuJhuucFReok5h3uKjceqF6Axwf6DME9fB3BDITe2
Au+Z/3LX470ewUTpN9DP1ou5yEMyHYE6nq2UDVhmrmxz5WnydqfibuTX1gmIj1RP 4m1MU+MzKpf69k/DEoG/6kANF9aRYjw/ZgczIPTTj6E07F9OEUQRbV58uSACr9OV
xctTus0Q9KIA2YOyEa5LQ30DyKzNb3uMbhEbu/Px1FciuvQTP2kzusUEgLI2HBPJ XXec8muyWP5LK4SfnbBHAdvQBwIZdeVTDeT/a5I5w11RvGPnw8SOx9vXhH86QasE
fH05M6W2ppYslHZDRf3lc1D6z72f4IpwedkHHq/8ilbIWwmasayYDqr1Smddnz7i Wk2xQ93E5r39zfWxShtH+KPSBksWPkZYVaP2rQTmhg21/yxzRpqj96S3pkaC//8+
e/ysFhDq3C3/tljS0IxS1U7r3O7NqL49bBixTg/fPo2iTH/3GgnBuYQoDxxMXlRV nHmEH5DQHv/80+0zIYLiEJkTkse5FFYGgwpUBA6tTpFUJUQhR2ht958GcLftBkAG
fTT7xhlAfK3PewYwIjPBx14TCe+omU95okhbwBWVw5Zh8KxRlWdjS0X0zrZW21JQ 0aY85m3QsCT2Rrq4ayqRcrU/uK7g0ekOAMpJpvBUJl7ksZwE9Fxo2J+h9ruBesc1
RJeCEmH0QJKur9CzD86AXkDj9GSIQDdaVaD4w5f+BRaboroxRF+n3yhRaDYdVbYf nkAMlUzbvXCFSUX77MTuyfOr9vwURziKHdk699G5nf2H8V8ZcuJnocdX45Sj81SU
Uqwn09NyNV8GrGjQMTBaDaMiXvdrvScPRQcJkL54gwzCsrzpl8Bvj8eX9ESH5tw6 SWR6RcNDOcEdKVVvluUEzGYHzuG2uEpx5ja+vWzUW1fkrBnHems/uNTvdIoehm6Y
b8xCY6YMn8SwivC2DlDXB6q9DU7i41xinupMoivyBLkR7G69tZL/n7pc0syjj9UH H5RKrgn6SXAhUtA8OfSUx9U+woWU1dCT7C4L8a6nM2u3QTI8hkTHiEVQzau7+d6B
v1HyyGG6sski1/8cTvi3Q+Oo6kx7OGLZ8K3rpmORYkT+m3SxTYQgFwLHoubO4c7Q Cu31iLamRXo+Kp7rmFSyrGouzhF1jRWAMwJZl80GpWcHjSYzvbEzpp4Zngb8Nm0S
J5rlMmWM3n8E1fcx4Cri0jI+1IZGS7FSFQxzo7x4U3s3yGbLmPI= qu3j61unUGcMZNUAjhF04adQQ2Wcp7U5xA/aMZGfN8aJEtDKMC4=
=n932 =9AUa
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----


@ -1,2 +1,2 @@
64263feac7b00952e9ec3b6c1fd11316faa58ff673c6bd085fac9f6f8d8389f6 .gitignore 64263feac7b00952e9ec3b6c1fd11316faa58ff673c6bd085fac9f6f8d8389f6 .gitignore
e008111dff82be23ab7999b0938e9fffb2fd4826d99f87ed5d0a70256fd43908 sig 592bb0c186797cc93e3e1eb4c58ceb420b9c36f72521f71da49a05c6452e95e6 sig

44
sig

@ -6,11 +6,15 @@ MIN_GPG_VERSION=2.2
MIN_OPENSSL_VERSION=1.1 MIN_OPENSSL_VERSION=1.1
MIN_GETOPT_VERSION=2.33 MIN_GETOPT_VERSION=2.33
## Private Functions
### Bail with error message
die() { die() {
echo "$@" >&2 echo "$@" >&2
exit 1 exit 1
} }
### Bail and instruct user on missing package to install for their platform
die_pkg() { die_pkg() {
local package=${1?} local package=${1?}
local version=${2?} local version=${2?}
@ -36,6 +40,7 @@ die_pkg() {
exit 1 exit 1
} }
### Check if actual binary version is >= minimum version
check_version(){ check_version(){
local pkg="${1?}" local pkg="${1?}"
local have="${2?}" local have="${2?}"
@ -53,6 +58,7 @@ check_version(){
done done
} }
### Check if required binaries are installed at appropriate versions
check_tools(){ check_tools(){
if [ -z "${BASH_VERSINFO}" ] \ if [ -z "${BASH_VERSINFO}" ] \
|| [ -z "${BASH_VERSINFO[0]}" ] \ || [ -z "${BASH_VERSINFO[0]}" ] \
@ -78,6 +84,7 @@ check_tools(){
done done
} }
### Handle different implementations of mktemp across platforms
get_temp(){ get_temp(){
echo "$( echo "$(
mktemp \ mktemp \
@ -90,6 +97,8 @@ get_temp(){
)" )"
} }
### Get files that will be added to the manifest for signing
### Use git if available, else fall back to find
get_files(){ get_files(){
if command -v git >/dev/null; then if command -v git >/dev/null; then
git ls-files | grep -v ".${PROGRAM}" git ls-files | grep -v ".${PROGRAM}"
@ -101,6 +110,8 @@ get_files(){
fi fi
} }
### Verify a file has 0-N unique valid detached signatures
### Optionally verify all signatures belong to keys in gpg alias group
verify_file() { verify_file() {
[ $# -eq 3 ] || die "Usage: verify_file <threshold> <group> <file>" [ $# -eq 3 ] || die "Usage: verify_file <threshold> <group> <file>"
local threshold="${1}" local threshold="${1}"
@ -112,10 +123,12 @@ verify_file() {
local fingerprint local fingerprint
local signer local signer
[ ! -z "$group" ] && group_config="$( \ if [ ! -z "$group" ]; then
group_config="$( \
gpg --with-colons --list-config group \ gpg --with-colons --list-config group \
| grep -i "^cfg:group:${group}:" \ | grep -i "^cfg:group:${group}:" \
)" || die "Error: group \"${group}\" not found in ~/.gnupg/gpg.conf" )" || die "Error: group \"${group}\" not found in ~/.gnupg/gpg.conf"
fi
for sig_filename in "${filename%.*}".*.asc; do for sig_filename in "${filename%.*}".*.asc; do
gpg --verify "${sig_filename}" "$(unknown)" >/dev/null 2>&1 || { gpg --verify "${sig_filename}" "$(unknown)" >/dev/null 2>&1 || {
@ -153,6 +166,21 @@ verify_file() {
} }
} }
### Verify all commits in git repo have valid signatures
### Optionally verify a minimum number of valid unique signatures
### Optionally verify all signatures belong to keys in gpg alias group
verify_git(){
[ $# -eq 2 ] || die "Usage: verify_git <threshold> <group>"
local threshold="${1}"
local group="${2}"
#for commit in $(git log --format='%H%GP'); do
# echo "$commit"
#done
}
## Public Commands
cmd_manifest() { cmd_manifest() {
mkdir -p ".${PROGRAM}" mkdir -p ".${PROGRAM}"
printf "$(get_files | xargs openssl sha256 -r)" \ printf "$(get_files | xargs openssl sha256 -r)" \
@ -162,9 +190,8 @@ cmd_manifest() {
} }
cmd_verify() { cmd_verify() {
local opts selected_line min=1 group="" local opts min=1 group=""
opts="$(getopt -o m:g: -l min:,group: -n "$PROGRAM" -- "$@")" opts="$(getopt -o m:g: -l min:,group: -n "$PROGRAM" -- "$@")"
local err=$?
eval set -- "$opts" eval set -- "$opts"
while true; do case $1 in while true; do case $1 in
-m|--min) min="$2"; shift 2 ;; -m|--min) min="$2"; shift 2 ;;
@ -172,7 +199,10 @@ cmd_verify() {
--) shift; break ;; --) shift; break ;;
esac done esac done
#TODO: if git: show git signature status to aid in trust building command -v git >/dev/null 2>&1 \
&& ( [ -d .git ] || git rev-parse --git-dir > /dev/null 2>&1 ) \
&& verify_git "${min}" "${group}"
#TODO: if git and if invalid: show diff against last valid version #TODO: if git and if invalid: show diff against last valid version
( [ -d ".${PROGRAM}" ] && ls .${PROGRAM}/*.asc >/dev/null 2>&1 ) \ ( [ -d ".${PROGRAM}" ] && ls .${PROGRAM}/*.asc >/dev/null 2>&1 ) \
|| die "Error: No signatures" || die "Error: No signatures"
@ -208,7 +238,7 @@ cmd_usage() {
cat <<-_EOF cat <<-_EOF
Usage: Usage:
$PROGRAM verify [--group=<group>,-g <group>] [--min=<N>,-m <N>] $PROGRAM verify [--group=<group>,-g <group>] [--min=<N>,-m <N>]
Verify all signing policies for this directory are met Verify m-of-n signatures by given group are present for directory
$PROGRAM add $PROGRAM add
Add signature to manifest for this directory Add signature to manifest for this directory
$PROGRAM manifest $PROGRAM manifest
@ -220,9 +250,13 @@ cmd_usage() {
_EOF _EOF
} }
# Verify all tools in this list are installed at needed versions
check_tools head cut find sort sed getopt gpg openssl check_tools head cut find sort sed getopt gpg openssl
# Allow entire script to be namespaced based on filename
PROGRAM="${0##*/}" PROGRAM="${0##*/}"
# Export public sub-commands
case "$1" in case "$1" in
verify) shift; cmd_verify "$@" ;; verify) shift; cmd_verify "$@" ;;
add) shift; cmd_add "$@" ;; add) shift; cmd_add "$@" ;;