almost fully working group/min support
parent
916af39691
commit
993934ea2e
|
@ -1,16 +1,16 @@
|
||||||
-----BEGIN PGP SIGNATURE-----
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+t+2oACgkQjkeh7DWh
|
iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+vC2EACgkQjkeh7DWh
|
||||||
VR2IXhAAjmTd0B6opCTpBLztUvFugGMTQ9RoTxJnK3tubVyr0iM5qwMeg4odVvew
|
VR3B2BAAsJ8v5t+9jzTljECYmpkvepZB2zquAX+U9e9OhPOTuSueI8vOI/1Ywu6I
|
||||||
6pDtOG5prIqaj1cx97ehwN/zs76HCRUYOguZ4y7RTnOW+tvrz1DOmqT61AyJK1Lz
|
Vsix5eXWUozEU4Dc4KldX1Eryqbb5euI/JHrLYpiQrtfoudnbQNZLP+vWadiepBG
|
||||||
8lPhtR6HsomPznrBRQBz91JC8BPsVKnmXAtJyQlhY6kk6uRIyUVCvuHcz8i2H/Ao
|
Q9VFBWlZRVvcJ5elJk/1Qk1+Ufxu2grp7pWCU9616ii79f3f0lHknMexcvnbGr/s
|
||||||
GmPlbP6B0uDwiXhK0zF0v3wccoIIIylMsOW2hUHdJ1FKIn6DX795MmDK8SfPqFkE
|
WSCtdhFDApRqcFfwpBX1wvpamClOAwAj+6MoG7CqCxHeMLmOVeKlMGiCLiwor9K9
|
||||||
t0UfHiAraG98+2rwF3Hppu3+8DkqfdKJzAwKKjT+WUJz4XHNVQi7eVDBkH8MEegp
|
eAj1D2tovdMBBYT8gvwLVSnRZS5Yl1cEE6ewVxA2Pqnhc4M71SRKa2gEaKVT+LyL
|
||||||
ntFFaIACZ0kNSctD9OGPofkCgrh/r+RviTD1lCxYLWfSVEAceOwTSBC8nRPNZysq
|
hJ8JOYiKrX+sxdvf9N3IewgxgDgAViMSBitQ+EguEiJTCwtGZKmAp1LRMqzC16pW
|
||||||
60/WHumYuOkQqaN+LCLNHie4HryP5DBq2O9nmVglRzj9IDvcXronC0ug7VLEcfMZ
|
Ike+uMTj1LWhe7zGWlsqG1kLR7mDrqXWYraj70A/siAghkPB1Bj7MINI4v8K8dN/
|
||||||
crId3FQUU/rgZE/VbwvfWxflSyj32QHMRpd1yFadeOWBt08cRkj0zMF0rUeeoJJy
|
z3oPJYYme2qno5vWtoPFVBY+P/n/MbQRJl3Va9VVU6vkHn3xz32F2Td60TA4Fkqg
|
||||||
JGXbhEV9Irtga2iss2FDijBzHMJIVu/Rfq9boV4YAip5dE0jKZyy6X+pLxFpxUlz
|
irmK+WNWDwtksAcI9pAlegCi60k2fH1AJppC2vPGSS9fqw6lm/+zBKkBJpOiOxAj
|
||||||
Etbsrzn9W0Z55srHDOCeYDyGm4p6rNDQTOTJFswLUXmW1A7M/Vx9ZuMR2tT0vv9D
|
nb1jq16lIugVus7eMmoJ/DNpSlSBCcUwKou9Ns4EuXTdXWKfklLKzcfD3y+UMAm7
|
||||||
WeJkGX764VHEgHABfsdRsvSm1xOPy+Du10gUkPyGT/HHcAdhwww=
|
I84Ns0GkCmdQQg4uqoBIRX8Q7Wi6tx3hL9y4q3GFvOSJBPd8jzs=
|
||||||
=MuI6
|
=3lXa
|
||||||
-----END PGP SIGNATURE-----
|
-----END PGP SIGNATURE-----
|
||||||
|
|
|
@ -1,2 +1,2 @@
|
||||||
64263feac7b00952e9ec3b6c1fd11316faa58ff673c6bd085fac9f6f8d8389f6 .gitignore
|
64263feac7b00952e9ec3b6c1fd11316faa58ff673c6bd085fac9f6f8d8389f6 .gitignore
|
||||||
9c0292898230fb016b00b0f4c72e79b839bb5395f299feb97222e3035e05c6eb sig
|
e659c0fc9b60694b31b13939d2dd36b97be56dc1d781ba8b352c466456e57a21 sig
|
||||||
|
|
61
sig
61
sig
|
@ -78,14 +78,22 @@ cmd_manifest() {
|
||||||
}
|
}
|
||||||
|
|
||||||
verify_file() {
|
verify_file() {
|
||||||
[ $# -eq 2 ] || die \
|
[ $# -eq 3 ] || die \
|
||||||
"Usage: verify_file <threshold> <file>"
|
"Usage: verify_file <threshold> <group> <file>"
|
||||||
local threshold="${1}"
|
local threshold="${1}"
|
||||||
local filename="${2}"
|
local group="${2}"
|
||||||
|
local filename="${3}"
|
||||||
|
local group_config=""
|
||||||
local sig_count=0
|
local sig_count=0
|
||||||
local seen_fingerprints=""
|
local seen_fingerprints=""
|
||||||
local fingerprint
|
local fingerprint
|
||||||
local signer
|
local signer
|
||||||
|
|
||||||
|
[ ! -z "$group" ] && group_config="$( \
|
||||||
|
gpg --with-colons --list-config group \
|
||||||
|
| grep -i "^cfg:group:${group}:" \
|
||||||
|
)" || die "Error: group \"${group}\" not found in ~/.gnupg/gpg.conf"
|
||||||
|
|
||||||
for sig_filename in "${filename%.*}".*.asc; do
|
for sig_filename in "${filename%.*}".*.asc; do
|
||||||
gpg --verify "${sig_filename}" "$(unknown)" >/dev/null 2>&1 || {
|
gpg --verify "${sig_filename}" "$(unknown)" >/dev/null 2>&1 || {
|
||||||
echo "Invalid signature: ${sig_filename}";
|
echo "Invalid signature: ${sig_filename}";
|
||||||
|
@ -103,11 +111,16 @@ verify_file() {
|
||||||
| awk -F: '$1 == "uid" {print $10}' \
|
| awk -F: '$1 == "uid" {print $10}' \
|
||||||
| head -n1 \
|
| head -n1 \
|
||||||
)
|
)
|
||||||
[[ "${seen_fingerprints}" == *"${fingerprint}"* ]] && {
|
|
||||||
echo "Duplicate signature: ${sig_filename}";
|
[[ "${seen_fingerprints}" == *"${fingerprint}"* ]] \
|
||||||
exit 1;
|
&& die "Duplicate signature: ${sig_filename}";
|
||||||
}
|
|
||||||
|
[ ! -z "$group_config" ] \
|
||||||
|
&& [[ "${group_config}" != *"${fingerprint}"* ]] \
|
||||||
|
&& die "Signature not in group \"${group}\": ${sig_filename}";
|
||||||
|
|
||||||
echo "Verified signature by \"${signer}\""
|
echo "Verified signature by \"${signer}\""
|
||||||
|
|
||||||
seen_fingerprints="${seen_fingerprints} ${fingerprint}"
|
seen_fingerprints="${seen_fingerprints} ${fingerprint}"
|
||||||
((sig_count=sig_count+1))
|
((sig_count=sig_count+1))
|
||||||
done
|
done
|
||||||
|
@ -118,16 +131,22 @@ verify_file() {
|
||||||
}
|
}
|
||||||
|
|
||||||
cmd_verify() {
|
cmd_verify() {
|
||||||
#TODO: support --min to override the default minimum of 3
|
local opts selected_line min=1 group=""
|
||||||
local min=3
|
opts="$(getopt -o m:g: -l min:,group: -n "$PROGRAM" -- "$@")"
|
||||||
#TODO: support --group for a gpg-group
|
local err=$?
|
||||||
local group=""
|
eval set -- "$opts"
|
||||||
|
while true; do case $1 in
|
||||||
|
-m|--min) min="$2"; shift 2 ;;
|
||||||
|
-g|--group) group="$2"; shift 2 ;;
|
||||||
|
--) shift; break ;;
|
||||||
|
esac done
|
||||||
|
|
||||||
#TODO: if git: show git signature status to aid in trust building
|
#TODO: if git: show git signature status to aid in trust building
|
||||||
#TODO: if git and if invalid: show diff against last valid version
|
#TODO: if git and if invalid: show diff against last valid version
|
||||||
( [ -d ".${PROGRAM}" ] && ls .${PROGRAM}/*.asc >/dev/null 2>&1 ) \
|
( [ -d ".${PROGRAM}" ] && ls .${PROGRAM}/*.asc >/dev/null 2>&1 ) \
|
||||||
|| die "Error: No signatures"
|
|| die "Error: No signatures"
|
||||||
cmd_manifest
|
cmd_manifest
|
||||||
verify_file "${min}" .${PROGRAM}/manifest.txt
|
verify_file "${min}" "${group}" .${PROGRAM}/manifest.txt
|
||||||
}
|
}
|
||||||
|
|
||||||
cmd_add(){
|
cmd_add(){
|
||||||
|
@ -143,13 +162,13 @@ cmd_add(){
|
||||||
|
|
||||||
cmd_version() {
|
cmd_version() {
|
||||||
cat <<-_EOF
|
cat <<-_EOF
|
||||||
============================================
|
==========================================
|
||||||
= sig: simple multisig trust toolchain =
|
= sig: simple multisig trust toolchain =
|
||||||
= =
|
= =
|
||||||
= v0.0.1 =
|
= v0.0.1 =
|
||||||
= =
|
= =
|
||||||
= https://gitlab.com/pchq/sig =
|
= https://gitlab.com/pchq/sig =
|
||||||
============================================
|
==========================================
|
||||||
_EOF
|
_EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -157,7 +176,7 @@ cmd_usage() {
|
||||||
cmd_version
|
cmd_version
|
||||||
cat <<-_EOF
|
cat <<-_EOF
|
||||||
Usage:
|
Usage:
|
||||||
$PROGRAM verify
|
$PROGRAM verify [--group=<group>,-g <group>] [--min=<N>,-m <N>]
|
||||||
Verify all signing policies for this directory are met
|
Verify all signing policies for this directory are met
|
||||||
$PROGRAM add
|
$PROGRAM add
|
||||||
Add signature to manifest for this directory
|
Add signature to manifest for this directory
|
||||||
|
@ -170,7 +189,7 @@ cmd_usage() {
|
||||||
_EOF
|
_EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
check_tools head cut find sort sed gpg openssl
|
check_tools head cut find sort sed gpg openssl getopt
|
||||||
|
|
||||||
PROGRAM="${0##*/}"
|
PROGRAM="${0##*/}"
|
||||||
COMMAND="$1"
|
COMMAND="$1"
|
||||||
|
|
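Review bot: In verify_file the new `[ ! -z "$group" ] && group_config="$( ... )" || die ...` chain dies whenever no group was given, because a false left side of `&&` falls through to the `|| die` branch, so a plain `sig verify` with the default `group=""` fails with `group "" not found` instead of skipping the group check. Rewriting the lookup as an explicit `if [ -n "$group" ]` keeps the `|| die` attached to the gpg/grep pipeline only; the rewrite is below. In cmd_verify, `local err=$?` captures getopt's status but nothing in the hunk checks it, so an unknown option still reaches `eval set -- "$opts"` with whatever partial output getopt produced — add `[ "$err" -eq 0 ] || die "Usage: $PROGRAM verify [--group=<group>] [--min=<N>]"` right after it. The default threshold also drops from 3 to 1 with the `min=1` initialiser, which makes a single valid signature sufficient unless `--min` is passed; if that is intended the usage text should state the default, otherwise `min=3` preserves the old policy. The membership test `[[ "${group_config}" != *"${fingerprint}"* ]]` is a substring match against the whole `cfg:group:` line, so it presumably only accepts signers when the group in gpg.conf lists full fingerprints rather than short key IDs or e-mail addresses; a comment such as `# group members must be listed as full fingerprints in gpg.conf` would make that requirement explicit.
```shell
# … unchanged: local declarations …
if [ -n "$group" ]; then
  group_config="$( \
    gpg --with-colons --list-config group \
    | grep -i "^cfg:group:${group}:" \
  )" || die "Error: group \"${group}\" not found in ~/.gnupg/gpg.conf"
fi
# … unchanged: signature verification loop …
```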