almost fully working group/min support
parent
916af39691
commit
993934ea2e
|
@ -1,16 +1,16 @@
|
|||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+t+2oACgkQjkeh7DWh
|
||||
VR2IXhAAjmTd0B6opCTpBLztUvFugGMTQ9RoTxJnK3tubVyr0iM5qwMeg4odVvew
|
||||
6pDtOG5prIqaj1cx97ehwN/zs76HCRUYOguZ4y7RTnOW+tvrz1DOmqT61AyJK1Lz
|
||||
8lPhtR6HsomPznrBRQBz91JC8BPsVKnmXAtJyQlhY6kk6uRIyUVCvuHcz8i2H/Ao
|
||||
GmPlbP6B0uDwiXhK0zF0v3wccoIIIylMsOW2hUHdJ1FKIn6DX795MmDK8SfPqFkE
|
||||
t0UfHiAraG98+2rwF3Hppu3+8DkqfdKJzAwKKjT+WUJz4XHNVQi7eVDBkH8MEegp
|
||||
ntFFaIACZ0kNSctD9OGPofkCgrh/r+RviTD1lCxYLWfSVEAceOwTSBC8nRPNZysq
|
||||
60/WHumYuOkQqaN+LCLNHie4HryP5DBq2O9nmVglRzj9IDvcXronC0ug7VLEcfMZ
|
||||
crId3FQUU/rgZE/VbwvfWxflSyj32QHMRpd1yFadeOWBt08cRkj0zMF0rUeeoJJy
|
||||
JGXbhEV9Irtga2iss2FDijBzHMJIVu/Rfq9boV4YAip5dE0jKZyy6X+pLxFpxUlz
|
||||
Etbsrzn9W0Z55srHDOCeYDyGm4p6rNDQTOTJFswLUXmW1A7M/Vx9ZuMR2tT0vv9D
|
||||
WeJkGX764VHEgHABfsdRsvSm1xOPy+Du10gUkPyGT/HHcAdhwww=
|
||||
=MuI6
|
||||
iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+vC2EACgkQjkeh7DWh
|
||||
VR3B2BAAsJ8v5t+9jzTljECYmpkvepZB2zquAX+U9e9OhPOTuSueI8vOI/1Ywu6I
|
||||
Vsix5eXWUozEU4Dc4KldX1Eryqbb5euI/JHrLYpiQrtfoudnbQNZLP+vWadiepBG
|
||||
Q9VFBWlZRVvcJ5elJk/1Qk1+Ufxu2grp7pWCU9616ii79f3f0lHknMexcvnbGr/s
|
||||
WSCtdhFDApRqcFfwpBX1wvpamClOAwAj+6MoG7CqCxHeMLmOVeKlMGiCLiwor9K9
|
||||
eAj1D2tovdMBBYT8gvwLVSnRZS5Yl1cEE6ewVxA2Pqnhc4M71SRKa2gEaKVT+LyL
|
||||
hJ8JOYiKrX+sxdvf9N3IewgxgDgAViMSBitQ+EguEiJTCwtGZKmAp1LRMqzC16pW
|
||||
Ike+uMTj1LWhe7zGWlsqG1kLR7mDrqXWYraj70A/siAghkPB1Bj7MINI4v8K8dN/
|
||||
z3oPJYYme2qno5vWtoPFVBY+P/n/MbQRJl3Va9VVU6vkHn3xz32F2Td60TA4Fkqg
|
||||
irmK+WNWDwtksAcI9pAlegCi60k2fH1AJppC2vPGSS9fqw6lm/+zBKkBJpOiOxAj
|
||||
nb1jq16lIugVus7eMmoJ/DNpSlSBCcUwKou9Ns4EuXTdXWKfklLKzcfD3y+UMAm7
|
||||
I84Ns0GkCmdQQg4uqoBIRX8Q7Wi6tx3hL9y4q3GFvOSJBPd8jzs=
|
||||
=3lXa
|
||||
-----END PGP SIGNATURE-----
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
64263feac7b00952e9ec3b6c1fd11316faa58ff673c6bd085fac9f6f8d8389f6 .gitignore
|
||||
9c0292898230fb016b00b0f4c72e79b839bb5395f299feb97222e3035e05c6eb sig
|
||||
e659c0fc9b60694b31b13939d2dd36b97be56dc1d781ba8b352c466456e57a21 sig
|
||||
|
|
61
sig
61
sig
|
@ -78,14 +78,22 @@ cmd_manifest() {
|
|||
}
|
||||
|
||||
verify_file() {
|
||||
[ $# -eq 2 ] || die \
|
||||
"Usage: verify_file <threshold> <file>"
|
||||
[ $# -eq 3 ] || die \
|
||||
"Usage: verify_file <threshold> <group> <file>"
|
||||
local threshold="${1}"
|
||||
local filename="${2}"
|
||||
local group="${2}"
|
||||
local filename="${3}"
|
||||
local group_config=""
|
||||
local sig_count=0
|
||||
local seen_fingerprints=""
|
||||
local fingerprint
|
||||
local signer
|
||||
|
||||
[ ! -z "$group" ] && group_config="$( \
|
||||
gpg --with-colons --list-config group \
|
||||
| grep -i "^cfg:group:${group}:" \
|
||||
)" || die "Error: group \"${group}\" not found in ~/.gnupg/gpg.conf"
|
||||
|
||||
for sig_filename in "${filename%.*}".*.asc; do
|
||||
gpg --verify "${sig_filename}" "${filename}" >/dev/null 2>&1 || {
|
||||
echo "Invalid signature: ${sig_filename}";
|
||||
|
@ -103,11 +111,16 @@ verify_file() {
|
|||
| awk -F: '$1 == "uid" {print $10}' \
|
||||
| head -n1 \
|
||||
)
|
||||
[[ "${seen_fingerprints}" == *"${fingerprint}"* ]] && {
|
||||
echo "Duplicate signature: ${sig_filename}";
|
||||
exit 1;
|
||||
}
|
||||
|
||||
[[ "${seen_fingerprints}" == *"${fingerprint}"* ]] \
|
||||
&& die "Duplicate signature: ${sig_filename}";
|
||||
|
||||
[ ! -z "$group_config" ] \
|
||||
&& [[ "${group_config}" != *"${fingerprint}"* ]] \
|
||||
&& die "Signature not in group \"${group}\": ${sig_filename}";
|
||||
|
||||
echo "Verified signature by \"${signer}\""
|
||||
|
||||
seen_fingerprints="${seen_fingerprints} ${fingerprint}"
|
||||
((sig_count=sig_count+1))
|
||||
done
|
||||
|
@ -118,16 +131,22 @@ verify_file() {
|
|||
}
|
||||
|
||||
cmd_verify() {
|
||||
#TODO: support --min to override the default minimum of 3
|
||||
local min=3
|
||||
#TODO: support --group for a gpg-group
|
||||
local group=""
|
||||
local opts selected_line min=1 group=""
|
||||
opts="$(getopt -o m:g: -l min:,group: -n "$PROGRAM" -- "$@")"
|
||||
local err=$?
|
||||
eval set -- "$opts"
|
||||
while true; do case $1 in
|
||||
-m|--min) min="$2"; shift 2 ;;
|
||||
-g|--group) group="$2"; shift 2 ;;
|
||||
--) shift; break ;;
|
||||
esac done
|
||||
|
||||
#TODO: if git: show git signature status to aid in trust building
|
||||
#TODO: if git and if invalid: show diff against last valid version
|
||||
( [ -d ".${PROGRAM}" ] && ls .${PROGRAM}/*.asc >/dev/null 2>&1 ) \
|
||||
|| die "Error: No signatures"
|
||||
cmd_manifest
|
||||
verify_file "${min}" .${PROGRAM}/manifest.txt
|
||||
verify_file "${min}" "${group}" .${PROGRAM}/manifest.txt
|
||||
}
|
||||
|
||||
cmd_add(){
|
||||
|
@ -143,13 +162,13 @@ cmd_add(){
|
|||
|
||||
cmd_version() {
|
||||
cat <<-_EOF
|
||||
============================================
|
||||
= sig: simple multisig trust toolchain =
|
||||
= =
|
||||
= v0.0.1 =
|
||||
= =
|
||||
= https://gitlab.com/pchq/sig =
|
||||
============================================
|
||||
==========================================
|
||||
= sig: simple multisig trust toolchain =
|
||||
= =
|
||||
= v0.0.1 =
|
||||
= =
|
||||
= https://gitlab.com/pchq/sig =
|
||||
==========================================
|
||||
_EOF
|
||||
}
|
||||
|
||||
|
@ -157,7 +176,7 @@ cmd_usage() {
|
|||
cmd_version
|
||||
cat <<-_EOF
|
||||
Usage:
|
||||
$PROGRAM verify
|
||||
$PROGRAM verify [--group=<group>,-g <group>] [--min=<N>,-m <N>]
|
||||
Verify all signing policies for this directory are met
|
||||
$PROGRAM add
|
||||
Add signature to manifest for this directory
|
||||
|
@ -170,7 +189,7 @@ cmd_usage() {
|
|||
_EOF
|
||||
}
|
||||
|
||||
check_tools head cut find sort sed gpg openssl
|
||||
check_tools head cut find sort sed gpg openssl getopt
|
||||
|
||||
PROGRAM="${0##*/}"
|
||||
COMMAND="$1"
|
||||
|
|
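Review bot: In verify_file, the new lookup `[ ! -z "$group" ] && group_config="$(…)" || die …` also reaches `die` when `$group` is empty, because `A && B || C` runs C whenever A fails; a plain `verify` without `--group` would then abort with `group "" not found`. The same lookup interpolates `${group}` into the `grep -i` pattern as a regular expression, so a name containing metacharacters can select more than one `cfg:group:` line, and the later `!= *"${fingerprint}"*` test would then accept a signer listed in any of them. I would guard the lookup with an explicit `if` and compare the group-name field as a literal string, as below. verify_file's body continues outside the visible hunks, so how `fingerprint` is derived and how `threshold` is compared cannot be checked from here.

```shell
local signer

if [ -n "$group" ]; then
    # Compare the name field literally (case-insensitive, as before) instead of as a regex.
    group_config="$( \
        gpg --with-colons --list-config group \
        | awk -F: -v g="$group" \
            '$1 == "cfg" && $2 == "group" && tolower($3) == tolower(g)' \
    )"
    [ -n "$group_config" ] \
        || die "Error: group \"${group}\" not found in ~/.gnupg/gpg.conf"
fi

# … unchanged: for sig_filename loop and gpg --verify …
```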