working git signature checking
This commit is contained in:
parent
8c19efd8c5
commit
fa61f1112c
|
@ -1,16 +1,16 @@
|
||||||
-----BEGIN PGP SIGNATURE-----
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+yVvEACgkQjkeh7DWh
|
iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+yX8YACgkQjkeh7DWh
|
||||||
VR1qXA//Vy4EGUfGi4KkzWjQuJhuucFReok5h3uKjceqF6Axwf6DME9fB3BDITe2
|
VR0iXhAAjDDgwMPi0BnzqcqCewpqmvlbM8XnqE6sjRI1PSfyjV+D0oCwNdpjVZgY
|
||||||
4m1MU+MzKpf69k/DEoG/6kANF9aRYjw/ZgczIPTTj6E07F9OEUQRbV58uSACr9OV
|
rH8V/6g+aT0V8n3PprAzJPVZD2L7Infh4QkxX/LjHdV27U1YqDiwh/MuHmkmBlkL
|
||||||
XXec8muyWP5LK4SfnbBHAdvQBwIZdeVTDeT/a5I5w11RvGPnw8SOx9vXhH86QasE
|
E/2L11XfyoyiOq021sRO2jgVjfFYTHVd5z96EJFtMEwuehdMFxujJA5hYoPinjrc
|
||||||
Wk2xQ93E5r39zfWxShtH+KPSBksWPkZYVaP2rQTmhg21/yxzRpqj96S3pkaC//8+
|
iBNT2yP5a1gMVSV1XxXbLvGBmAByHY14lExo+eVEwnAmbxe9G9tGmE//suC3erjt
|
||||||
nHmEH5DQHv/80+0zIYLiEJkTkse5FFYGgwpUBA6tTpFUJUQhR2ht958GcLftBkAG
|
t9nsB7/9U61TT1tF+xgVDjwyekjmHQejh3eebCBzyle8RS1RANxElFwgWNC/GUHD
|
||||||
0aY85m3QsCT2Rrq4ayqRcrU/uK7g0ekOAMpJpvBUJl7ksZwE9Fxo2J+h9ruBesc1
|
EYoaXWkR6DJjqFRXyNvowDdXBxgFedSsABc75mZaXXQ1wLeG9ZIALJAwL5jb8+sA
|
||||||
nkAMlUzbvXCFSUX77MTuyfOr9vwURziKHdk699G5nf2H8V8ZcuJnocdX45Sj81SU
|
aSOnKkbUbE1s0Fiz64fIm19lFGqXIINWyW1zzSuun8Qy6smoOpmuoVhQsuT2MMiL
|
||||||
SWR6RcNDOcEdKVVvluUEzGYHzuG2uEpx5ja+vWzUW1fkrBnHems/uNTvdIoehm6Y
|
mm2BHJKzzyAQzK2a9V9foRI8Xsz/kruYkQtJTqpt33TKR4L0fpu97XuaqKkd4Mhy
|
||||||
H5RKrgn6SXAhUtA8OfSUx9U+woWU1dCT7C4L8a6nM2u3QTI8hkTHiEVQzau7+d6B
|
pZLJvERK4PpQGXgldwFzGYEI5tHimXJfq46hovuKXwZag1tlqIPug8XY0BIKI7lO
|
||||||
Cu31iLamRXo+Kp7rmFSyrGouzhF1jRWAMwJZl80GpWcHjSYzvbEzpp4Zngb8Nm0S
|
MyKY0YXh2nIzSxsfKWpR2t4DjZp3eOkpYtdCE81xLDW3jJtHK60UHORYGDSqVwTs
|
||||||
qu3j61unUGcMZNUAjhF04adQQ2Wcp7U5xA/aMZGfN8aJEtDKMC4=
|
VMaaZc7VePds657kjyy+Qxfje2aDK4kB2KPNgx32l0NA4WVKfdQ=
|
||||||
=9AUa
|
=L1Lc
|
||||||
-----END PGP SIGNATURE-----
|
-----END PGP SIGNATURE-----
|
||||||
|
|
|
@ -1,2 +1,2 @@
|
||||||
64263feac7b00952e9ec3b6c1fd11316faa58ff673c6bd085fac9f6f8d8389f6 .gitignore
|
64263feac7b00952e9ec3b6c1fd11316faa58ff673c6bd085fac9f6f8d8389f6 .gitignore
|
||||||
592bb0c186797cc93e3e1eb4c58ceb420b9c36f72521f71da49a05c6452e95e6 sig
|
994f504acaa5d89c312494d45e8f1b66f32c749e58d42b15d58b44f217e912b9 sig
|
||||||
|
|
53
sig
53
sig
|
@ -110,6 +110,15 @@ get_files(){
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
get_signer(){
|
||||||
|
local fingerprint="${1?}"
|
||||||
|
gpg \
|
||||||
|
--list-keys \
|
||||||
|
--with-colons "${fingerprint}" 2>&1 \
|
||||||
|
| awk -F: '$1 == "uid" {print $10}' \
|
||||||
|
| head -n1
|
||||||
|
}
|
||||||
|
|
||||||
### Verify a file has 0-N unique valid detached signatures
|
### Verify a file has 0-N unique valid detached signatures
|
||||||
### Optionally verify all signatures belong to keys in gpg alias group
|
### Optionally verify all signatures belong to keys in gpg alias group
|
||||||
verify_file() {
|
verify_file() {
|
||||||
|
@ -140,13 +149,7 @@ verify_file() {
|
||||||
| grep keyid \
|
| grep keyid \
|
||||||
| sed 's/.*keyid //g'
|
| sed 's/.*keyid //g'
|
||||||
)
|
)
|
||||||
signer=$( \
|
signer=$( get_signer "${fingerprint}" )
|
||||||
gpg \
|
|
||||||
--list-keys \
|
|
||||||
--with-colons "${fingerprint}" 2>&1 \
|
|
||||||
| awk -F: '$1 == "uid" {print $10}' \
|
|
||||||
| head -n1 \
|
|
||||||
)
|
|
||||||
|
|
||||||
[[ "${seen_fingerprints}" == *"${fingerprint}"* ]] \
|
[[ "${seen_fingerprints}" == *"${fingerprint}"* ]] \
|
||||||
&& die "Duplicate signature: ${sig_filename}";
|
&& die "Duplicate signature: ${sig_filename}";
|
||||||
|
@ -155,15 +158,13 @@ verify_file() {
|
||||||
&& [[ "${group_config}" != *"${fingerprint}"* ]] \
|
&& [[ "${group_config}" != *"${fingerprint}"* ]] \
|
||||||
&& die "Signature not in group \"${group}\": ${sig_filename}";
|
&& die "Signature not in group \"${group}\": ${sig_filename}";
|
||||||
|
|
||||||
echo "Verified signature by \"${signer}\""
|
echo "Verified detached signature by \"${signer}\""
|
||||||
|
|
||||||
seen_fingerprints="${seen_fingerprints} ${fingerprint}"
|
seen_fingerprints="${seen_fingerprints} ${fingerprint}"
|
||||||
((sig_count=sig_count+1))
|
((sig_count=sig_count+1))
|
||||||
done
|
done
|
||||||
[[ "$sig_count" -ge "$threshold" ]] || {
|
[[ "$sig_count" -ge "$threshold" ]] || \
|
||||||
echo "Minimum number of signatures not met: ${sig_count}/${threshold}";
|
die "Minimum detached signatures not found: ${sig_count}/${threshold}";
|
||||||
exit 1;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
### Verify all commits in git repo have valid signatures
|
### Verify all commits in git repo have valid signatures
|
||||||
|
@ -173,9 +174,31 @@ verify_git(){
|
||||||
[ $# -eq 2 ] || die "Usage: verify_git <threshold> <group>"
|
[ $# -eq 2 ] || die "Usage: verify_git <threshold> <group>"
|
||||||
local threshold="${1}"
|
local threshold="${1}"
|
||||||
local group="${2}"
|
local group="${2}"
|
||||||
#for commit in $(git log --format='%H%GP'); do
|
local sig_count=0
|
||||||
# echo "$commit"
|
local seen_fingerprints=""
|
||||||
#done
|
local depth=0
|
||||||
|
|
||||||
|
while [[ $depth != "$(git rev-list --count HEAD)" ]]; do
|
||||||
|
ref=HEAD~${depth}
|
||||||
|
commit=$(git log --format="%H" "$ref")
|
||||||
|
fingerprint=$(git log --format="%GP" "$ref" -n1 )
|
||||||
|
signer=$( get_signer "${fingerprint}" )
|
||||||
|
|
||||||
|
git verify-commit HEAD~${depth} >/dev/null 2>&1\
|
||||||
|
|| die "Unsigned commit: ${commit}"
|
||||||
|
|
||||||
|
[[ "${seen_fingerprints}" != *"${fingerprint}"* ]] \
|
||||||
|
&& seen_fingerprints="${seen_fingerprints} ${fingerprint}" \
|
||||||
|
&& ((sig_count=sig_count+1)) \
|
||||||
|
&& echo "Verified git signature at depth ${depth} by \"${signer}\""
|
||||||
|
|
||||||
|
[[ "${sig_count}" -ge "${threshold}" ]] && break;
|
||||||
|
|
||||||
|
((depth=depth+1))
|
||||||
|
done
|
||||||
|
|
||||||
|
[[ "${sig_count}" -ge "${threshold}" ]] \
|
||||||
|
|| die "Minimum git signatures not found: ${sig_count}/${threshold}";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
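Review bot: In verify_git, `group` is assigned from `$2` but is never consulted in the new loop, so a valid signature from any key in the keyring counts toward the threshold, whereas verify_file rejects fingerprints absent from `group_config`; the loop should apply the same check after the `git verify-commit` guard, e.g. `[[ "${group_config}" == *"${fingerprint}"* ]] || die "Signature not in group \"${group}\": ${commit}"` (how `group_config` is populated lives outside these hunks, so it presumably has to be derived the same way here — confirm). On the line `commit=$(git log --format="%H" "$ref")` the `-n1` is missing, so `commit` captures every hash reachable from the ref and the "Unsigned commit" message names the whole history, while the fingerprint line directly below already passes `-n1`. In get_signer, `2>&1` feeds gpg's stderr into awk and `${1?}` still accepts an empty fingerprint (what `%GP` yields for an unsigned commit), in which case `gpg --list-keys` lists the whole keyring and the first uid is reported as the signer; `local fingerprint="${1:?}"` and `2>/dev/null` avoid both. The header comment "Verify all commits in git repo have valid signatures" no longer matches the loop, which `break`s once the threshold is reached and leaves deeper commits unverified, so either the comment or the loop should say which is intended.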