From fa61f1112c3676fba4e83b1830f31dae852206a7 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Mon, 16 Nov 2020 03:17:50 -0800
Subject: [PATCH] working git signature checking
---
 .sig/manifest.8E47A1EC35A1551D.asc | 26 +++++++--------
 .sig/manifest.txt | 2 +-
 sig | 53 +++++++++++++++++++++---------
 3 files changed, 52 insertions(+), 29 deletions(-)
diff --git a/.sig/manifest.8E47A1EC35A1551D.asc b/.sig/manifest.8E47A1EC35A1551D.asc
index 8cc9be0..18a8949 100644
--- a/.sig/manifest.8E47A1EC35A1551D.asc
+++ b/.sig/manifest.8E47A1EC35A1551D.asc
@@ -1,16 +1,16 @@ -----BEGIN PGP SIGNATURE----- -iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+yVvEACgkQjkeh7DWh -VR1qXA//Vy4EGUfGi4KkzWjQuJhuucFReok5h3uKjceqF6Axwf6DME9fB3BDITe2 -4m1MU+MzKpf69k/DEoG/6kANF9aRYjw/ZgczIPTTj6E07F9OEUQRbV58uSACr9OV -XXec8muyWP5LK4SfnbBHAdvQBwIZdeVTDeT/a5I5w11RvGPnw8SOx9vXhH86QasE -Wk2xQ93E5r39zfWxShtH+KPSBksWPkZYVaP2rQTmhg21/yxzRpqj96S3pkaC//8+ -nHmEH5DQHv/80+0zIYLiEJkTkse5FFYGgwpUBA6tTpFUJUQhR2ht958GcLftBkAG -0aY85m3QsCT2Rrq4ayqRcrU/uK7g0ekOAMpJpvBUJl7ksZwE9Fxo2J+h9ruBesc1 -nkAMlUzbvXCFSUX77MTuyfOr9vwURziKHdk699G5nf2H8V8ZcuJnocdX45Sj81SU -SWR6RcNDOcEdKVVvluUEzGYHzuG2uEpx5ja+vWzUW1fkrBnHems/uNTvdIoehm6Y -H5RKrgn6SXAhUtA8OfSUx9U+woWU1dCT7C4L8a6nM2u3QTI8hkTHiEVQzau7+d6B -Cu31iLamRXo+Kp7rmFSyrGouzhF1jRWAMwJZl80GpWcHjSYzvbEzpp4Zngb8Nm0S -qu3j61unUGcMZNUAjhF04adQQ2Wcp7U5xA/aMZGfN8aJEtDKMC4= -=9AUa +iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+yX8YACgkQjkeh7DWh +VR0iXhAAjDDgwMPi0BnzqcqCewpqmvlbM8XnqE6sjRI1PSfyjV+D0oCwNdpjVZgY +rH8V/6g+aT0V8n3PprAzJPVZD2L7Infh4QkxX/LjHdV27U1YqDiwh/MuHmkmBlkL +E/2L11XfyoyiOq021sRO2jgVjfFYTHVd5z96EJFtMEwuehdMFxujJA5hYoPinjrc +iBNT2yP5a1gMVSV1XxXbLvGBmAByHY14lExo+eVEwnAmbxe9G9tGmE//suC3erjt +t9nsB7/9U61TT1tF+xgVDjwyekjmHQejh3eebCBzyle8RS1RANxElFwgWNC/GUHD +EYoaXWkR6DJjqFRXyNvowDdXBxgFedSsABc75mZaXXQ1wLeG9ZIALJAwL5jb8+sA +aSOnKkbUbE1s0Fiz64fIm19lFGqXIINWyW1zzSuun8Qy6smoOpmuoVhQsuT2MMiL +mm2BHJKzzyAQzK2a9V9foRI8Xsz/kruYkQtJTqpt33TKR4L0fpu97XuaqKkd4Mhy +pZLJvERK4PpQGXgldwFzGYEI5tHimXJfq46hovuKXwZag1tlqIPug8XY0BIKI7lO +MyKY0YXh2nIzSxsfKWpR2t4DjZp3eOkpYtdCE81xLDW3jJtHK60UHORYGDSqVwTs +VMaaZc7VePds657kjyy+Qxfje2aDK4kB2KPNgx32l0NA4WVKfdQ= +=L1Lc -----END PGP SIGNATURE----- diff --git a/.sig/manifest.txt b/.sig/manifest.txt index 9ab5447..cfe91b6 100644 --- a/.sig/manifest.txt +++ b/.sig/manifest.txt 
@@ -1,2 +1,2 @@
 64263feac7b00952e9ec3b6c1fd11316faa58ff673c6bd085fac9f6f8d8389f6 .gitignore
-592bb0c186797cc93e3e1eb4c58ceb420b9c36f72521f71da49a05c6452e95e6 sig
+994f504acaa5d89c312494d45e8f1b66f32c749e58d42b15d58b44f217e912b9 sig
diff --git a/sig b/sig
index 093e03a..cb35868 100755
--- a/sig
+++ b/sig
@@ -110,6 +110,15 @@ get_files(){
 fi
 }
+get_signer(){
+ local fingerprint="${1?}"
+ gpg \
+ --list-keys \
+ --with-colons "${fingerprint}" 2>&1 \
+ | awk -F: '$1 == "uid" {print $10}' \
+ | head -n1
+}
 ### Verify a file has 0-N unique valid detached signatures
 ### Optionally verify all signatures belong to keys in gpg alias group
 verify_file() {
@@ -140,13 +149,7 @@ verify_file() {
 | grep keyid \
 | sed 's/.*keyid //g' )
- signer=$( \
- gpg \
- --list-keys \
- --with-colons "${fingerprint}" 2>&1 \
- | awk -F: '$1 == "uid" {print $10}' \
- | head -n1 \
- )
+ signer=$( get_signer "${fingerprint}" )
 [[ "${seen_fingerprints}" == *"${fingerprint}"* ]] \
 && die "Duplicate signature: ${sig_filename}";
@@ -155,15 +158,13 @@ verify_file() {
 && [[ "${group_config}" != *"${fingerprint}"* ]] \
 && die "Signature not in group \"${group}\": ${sig_filename}";
- echo "Verified signature by \"${signer}\""
+ echo "Verified detached signature by \"${signer}\""
 seen_fingerprints="${seen_fingerprints} ${fingerprint}"
 ((sig_count=sig_count+1))
 done
- [[ "$sig_count" -ge "$threshold" ]] || {
- echo "Minimum number of signatures not met: ${sig_count}/${threshold}";
- exit 1;
- }
+ [[ "$sig_count" -ge "$threshold" ]] || \
+ die "Minimum detached signatures not found: ${sig_count}/${threshold}";
 }
 ### Verify all commits in git repo have valid signatures
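Review bot: get_signer only guards against a missing argument — `"${1?}"` still accepts an empty string — so when a caller hands it an empty fingerprint the empty value becomes gpg's search pattern and the first `uid` of whatever gpg lists for that pattern is reported as the signer; `local fingerprint="${1:?fingerprint required}"` would abort instead. This matters for the verify_git hunk later in this patch, where `%GP` is empty for an unsigned commit and get_signer is called before `git verify-commit` has rejected it. Two style points: `2>&1` feeds gpg's diagnostics into the awk stage, where they are dropped only because their first field is never `uid`, and `head -n1` silently picks one uid of a key that may carry several, so the echoed name is a label from the local keyring rather than an identity check. The `@@ -140` hunk is only the matching call-site replacement and the `@@ -155` hunk only reworks messages, so neither needs a separate note.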
@@ -173,9 +174,31 @@ verify_git(){
 [ $# -eq 2 ] || die "Usage: verify_git "
 local threshold="${1}"
 local group="${2}"
-#for commit in $(git log --format='%H%GP'); do
- # echo "$commit"
-#done
+ local sig_count=0
+ local seen_fingerprints=""
+ local depth=0
+ while [[ $depth != "$(git rev-list --count HEAD)" ]]; do
+ ref=HEAD~${depth}
+ commit=$(git log --format="%H" "$ref")
+ fingerprint=$(git log --format="%GP" "$ref" -n1 )
+ signer=$( get_signer "${fingerprint}" )
+ git verify-commit HEAD~${depth} >/dev/null 2>&1\ || die "Unsigned commit: ${commit}"
+ [[ "${seen_fingerprints}" != *"${fingerprint}"* ]] \ && seen_fingerprints="${seen_fingerprints} ${fingerprint}" \ && ((sig_count=sig_count+1)) \ && echo "Verified git signature at depth ${depth} by \"${signer}\""
+ [[ "${sig_count}" -ge "${threshold}" ]] && break;
+ ((depth=depth+1))
+ done
+ [[ "${sig_count}" -ge "${threshold}" ]] \ || die "Minimum git signatures not found: ${sig_count}/${threshold}";
 }
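Review bot: `group` is bound by `local group="${2}"` but never read inside the new loop, so verify_git does not apply the membership check that verify_file performs against `group_config` in the previous hunk, and any key gpg can verify counts toward `threshold`; the same `[[ -n "${group}" ]] && [[ "${group_config}" != *"${fingerprint}"* ]] && die ...` guard belongs before the `sig_count` increment (how `group_config` is populated is outside these hunks). `commit=$(git log --format="%H" "$ref")` is missing the `-n1` that the `%GP` call beside it has, so `commit` holds every hash from `$ref` back to the root and the `Unsigned commit` message prints all of them. The `git verify-commit` check also runs after `get_signer` has already been called, so an unsigned commit passes an empty `%GP` into the key lookup before dying; moving the verify-commit line up to just after `ref=HEAD~${depth}` avoids that. A good signature as reported by `git verify-commit` and `%GP` does not by itself say anything about trust in the key, which is another reason the group check (or inspecting `%G?`) matters here; the trailing context lines of this hunk are not all in view.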