working group handling. initial git stubbing

.sig/manifest.8E47A1EC35A1551D.asc

@@ -1,16 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 
-iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+vL3cACgkQjkeh7DWh
+iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+yVvEACgkQjkeh7DWh
-VR3pXg//edF6tpvIaIcVhe72Wg/NOnz277brPdFnpnZTi9kZOanrPilyMJ5ahTVP
+VR1qXA//Vy4EGUfGi4KkzWjQuJhuucFReok5h3uKjceqF6Axwf6DME9fB3BDITe2
-Au+Z/3LX470ewUTpN9DP1ou5yEMyHYE6nq2UDVhmrmxz5WnydqfibuTX1gmIj1RP
+4m1MU+MzKpf69k/DEoG/6kANF9aRYjw/ZgczIPTTj6E07F9OEUQRbV58uSACr9OV
-xctTus0Q9KIA2YOyEa5LQ30DyKzNb3uMbhEbu/Px1FciuvQTP2kzusUEgLI2HBPJ
+XXec8muyWP5LK4SfnbBHAdvQBwIZdeVTDeT/a5I5w11RvGPnw8SOx9vXhH86QasE
-fH05M6W2ppYslHZDRf3lc1D6z72f4IpwedkHHq/8ilbIWwmasayYDqr1Smddnz7i
+Wk2xQ93E5r39zfWxShtH+KPSBksWPkZYVaP2rQTmhg21/yxzRpqj96S3pkaC//8+
-e/ysFhDq3C3/tljS0IxS1U7r3O7NqL49bBixTg/fPo2iTH/3GgnBuYQoDxxMXlRV
+nHmEH5DQHv/80+0zIYLiEJkTkse5FFYGgwpUBA6tTpFUJUQhR2ht958GcLftBkAG
-fTT7xhlAfK3PewYwIjPBx14TCe+omU95okhbwBWVw5Zh8KxRlWdjS0X0zrZW21JQ
+0aY85m3QsCT2Rrq4ayqRcrU/uK7g0ekOAMpJpvBUJl7ksZwE9Fxo2J+h9ruBesc1
-RJeCEmH0QJKur9CzD86AXkDj9GSIQDdaVaD4w5f+BRaboroxRF+n3yhRaDYdVbYf
+nkAMlUzbvXCFSUX77MTuyfOr9vwURziKHdk699G5nf2H8V8ZcuJnocdX45Sj81SU
-Uqwn09NyNV8GrGjQMTBaDaMiXvdrvScPRQcJkL54gwzCsrzpl8Bvj8eX9ESH5tw6
+SWR6RcNDOcEdKVVvluUEzGYHzuG2uEpx5ja+vWzUW1fkrBnHems/uNTvdIoehm6Y
-b8xCY6YMn8SwivC2DlDXB6q9DU7i41xinupMoivyBLkR7G69tZL/n7pc0syjj9UH
+H5RKrgn6SXAhUtA8OfSUx9U+woWU1dCT7C4L8a6nM2u3QTI8hkTHiEVQzau7+d6B
-v1HyyGG6sski1/8cTvi3Q+Oo6kx7OGLZ8K3rpmORYkT+m3SxTYQgFwLHoubO4c7Q
+Cu31iLamRXo+Kp7rmFSyrGouzhF1jRWAMwJZl80GpWcHjSYzvbEzpp4Zngb8Nm0S
-J5rlMmWM3n8E1fcx4Cri0jI+1IZGS7FSFQxzo7x4U3s3yGbLmPI=
+qu3j61unUGcMZNUAjhF04adQQ2Wcp7U5xA/aMZGfN8aJEtDKMC4=
-=n932
+=9AUa
 -----END PGP SIGNATURE-----

.sig/manifest.txt

@@ -1,2 +1,2 @@
 64263feac7b00952e9ec3b6c1fd11316faa58ff673c6bd085fac9f6f8d8389f6 .gitignore
-e008111dff82be23ab7999b0938e9fffb2fd4826d99f87ed5d0a70256fd43908 sig
+592bb0c186797cc93e3e1eb4c58ceb420b9c36f72521f71da49a05c6452e95e6 sig

sig

@@ -6,11 +6,15 @@ MIN_GPG_VERSION=2.2
 MIN_OPENSSL_VERSION=1.1
 MIN_GETOPT_VERSION=2.33
 
+## Private Functions
+
+### Bail with error message
 die() {
 	echo "$@" >&2
 	exit 1
 }
 
+### Bail and instruct user on missing package to install for their platform
 die_pkg() {
 	local package=${1?}
 	local version=${2?}
@@ -36,6 +40,7 @@ die_pkg() {
 	exit 1
 }
 
+### Check if actual binary version is >= minimum version
 check_version(){
 	local pkg="${1?}"
 	local have="${2?}"
@@ -53,6 +58,7 @@ check_version(){
     done
 }
 
+### Check if required binaries are installed at appropriate versions
 check_tools(){
 	if [ -z "${BASH_VERSINFO}" ] \
 	|| [ -z "${BASH_VERSINFO[0]}" ] \
@@ -78,6 +84,7 @@ check_tools(){
 	done
 }
 
+### Handle different implementations of mktemp across platforms
 get_temp(){
 	echo "$(
 		mktemp \
@@ -90,6 +97,8 @@ get_temp(){
 	)"
 }
 
+### Get files that will be added to the manifest for signing
+### Use git if available, else fall back to find
 get_files(){
 	if command -v git >/dev/null; then
 		git ls-files | grep -v ".${PROGRAM}"
@@ -101,6 +110,8 @@ get_files(){
 	fi
 }
 
+### Verify a file has 0-N unique valid detached signatures
+### Optionally verify all signatures belong to keys in gpg alias group
 verify_file() {
 	[ $# -eq 3 ] || die "Usage: verify_file <threshold> <group> <file>"
 	local threshold="${1}"
@@ -112,10 +123,12 @@ verify_file() {
 	local fingerprint
 	local signer
 
-	[ ! -z "$group" ] && group_config="$( \
+	if [ ! -z "$group" ]; then
-		gpg --with-colons --list-config group \
+		group_config="$( \
-		| grep -i "^cfg:group:${group}:" \
+			gpg --with-colons --list-config group \
-	)" || die "Error: group \"${group}\" not found in ~/.gnupg/gpg.conf"
+				| grep -i "^cfg:group:${group}:" \
+		)" || die "Error: group \"${group}\" not found in ~/.gnupg/gpg.conf"
+	fi
 
 	for sig_filename in "${filename%.*}".*.asc; do
 		gpg --verify "${sig_filename}" "${filename}" >/dev/null 2>&1 || {
@@ -153,18 +166,32 @@ verify_file() {
 	}
 }
 
+### Verify all commits in git repo have valid signatures
+### Optionally verify a minimum number of valid unique signatures
+### Optionally verify all signatures belong to keys in gpg alias group
+verify_git(){
+	[ $# -eq 2 ] || die "Usage: verify_git <threshold> <group>"
+	local threshold="${1}"
+	local group="${2}"
+	#for commit in $(git log --format='%H%GP'); do
+	#	echo "$commit"
+  	#done
+}
+
+
+## Public Commands
+
 cmd_manifest() {
 	mkdir -p ".${PROGRAM}"
 	printf "$(get_files | xargs openssl sha256 -r)" \
-	| sed -e 's/ \*/ /g' -e 's/ \.\// /g' \
+		| sed -e 's/ \*/ /g' -e 's/ \.\// /g' \
-	| LC_ALL=C sort -k2 \
+		| LC_ALL=C sort -k2 \
-	> ".${PROGRAM}/manifest.txt"
+		> ".${PROGRAM}/manifest.txt"
 }
 
 cmd_verify() {
-	local opts selected_line min=1 group=""
+	local opts min=1 group=""
 	opts="$(getopt -o m:g: -l min:,group: -n "$PROGRAM" -- "$@")"
-	local err=$?
 	eval set -- "$opts"
 	while true; do case $1 in
 		-m|--min) min="$2"; shift 2 ;;
@@ -172,7 +199,10 @@ cmd_verify() {
 		--) shift; break ;;
 	esac done
 
-	#TODO: if git: show git signature status to aid in trust building
+	command -v git >/dev/null 2>&1 \
+		&& ( [ -d .git ] || git rev-parse --git-dir > /dev/null 2>&1 ) \
+		&& verify_git "${min}" "${group}"
+
 	#TODO: if git and if invalid: show diff against last valid version
 	( [ -d ".${PROGRAM}" ] && ls .${PROGRAM}/*.asc >/dev/null 2>&1 ) \
 		|| die "Error: No signatures"
@@ -208,7 +238,7 @@ cmd_usage() {
 	cat <<-_EOF
 	Usage:
 	    $PROGRAM verify [--group=<group>,-g <group>] [--min=<N>,-m <N>]
-	        Verify all signing policies for this directory are met
+	        Verify m-of-n signatures by given group are present for directory
 	    $PROGRAM add
 	        Add signature to manifest for this directory
 	    $PROGRAM manifest
@@ -220,9 +250,13 @@ cmd_usage() {
 	_EOF
 }
 
+# Verify all tools in this list are installed at needed versions
 check_tools head cut find sort sed getopt gpg openssl
 
+# Allow entire script to be namespaced based on filename
 PROGRAM="${0##*/}"
+
+# Export public sub-commands
 case "$1" in
 	verify)            shift; cmd_verify   "$@" ;;
 	add)               shift; cmd_add      "$@" ;;