working git signature checking
This commit is contained in:
parent
8c19efd8c5
commit
fa61f1112c
GPG Key ID:
8E47A1EC35A1551D
|
|
@ -1,16 +1,16 @@
|
|||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+yVvEACgkQjkeh7DWh
|
||||
VR1qXA//Vy4EGUfGi4KkzWjQuJhuucFReok5h3uKjceqF6Axwf6DME9fB3BDITe2
|
||||
4m1MU+MzKpf69k/DEoG/6kANF9aRYjw/ZgczIPTTj6E07F9OEUQRbV58uSACr9OV
|
||||
XXec8muyWP5LK4SfnbBHAdvQBwIZdeVTDeT/a5I5w11RvGPnw8SOx9vXhH86QasE
|
||||
Wk2xQ93E5r39zfWxShtH+KPSBksWPkZYVaP2rQTmhg21/yxzRpqj96S3pkaC//8+
|
||||
nHmEH5DQHv/80+0zIYLiEJkTkse5FFYGgwpUBA6tTpFUJUQhR2ht958GcLftBkAG
|
||||
0aY85m3QsCT2Rrq4ayqRcrU/uK7g0ekOAMpJpvBUJl7ksZwE9Fxo2J+h9ruBesc1
|
||||
nkAMlUzbvXCFSUX77MTuyfOr9vwURziKHdk699G5nf2H8V8ZcuJnocdX45Sj81SU
|
||||
SWR6RcNDOcEdKVVvluUEzGYHzuG2uEpx5ja+vWzUW1fkrBnHems/uNTvdIoehm6Y
|
||||
H5RKrgn6SXAhUtA8OfSUx9U+woWU1dCT7C4L8a6nM2u3QTI8hkTHiEVQzau7+d6B
|
||||
Cu31iLamRXo+Kp7rmFSyrGouzhF1jRWAMwJZl80GpWcHjSYzvbEzpp4Zngb8Nm0S
|
||||
qu3j61unUGcMZNUAjhF04adQQ2Wcp7U5xA/aMZGfN8aJEtDKMC4=
|
||||
=9AUa
|
||||
iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+yX8YACgkQjkeh7DWh
|
||||
VR0iXhAAjDDgwMPi0BnzqcqCewpqmvlbM8XnqE6sjRI1PSfyjV+D0oCwNdpjVZgY
|
||||
rH8V/6g+aT0V8n3PprAzJPVZD2L7Infh4QkxX/LjHdV27U1YqDiwh/MuHmkmBlkL
|
||||
E/2L11XfyoyiOq021sRO2jgVjfFYTHVd5z96EJFtMEwuehdMFxujJA5hYoPinjrc
|
||||
iBNT2yP5a1gMVSV1XxXbLvGBmAByHY14lExo+eVEwnAmbxe9G9tGmE//suC3erjt
|
||||
t9nsB7/9U61TT1tF+xgVDjwyekjmHQejh3eebCBzyle8RS1RANxElFwgWNC/GUHD
|
||||
EYoaXWkR6DJjqFRXyNvowDdXBxgFedSsABc75mZaXXQ1wLeG9ZIALJAwL5jb8+sA
|
||||
aSOnKkbUbE1s0Fiz64fIm19lFGqXIINWyW1zzSuun8Qy6smoOpmuoVhQsuT2MMiL
|
||||
mm2BHJKzzyAQzK2a9V9foRI8Xsz/kruYkQtJTqpt33TKR4L0fpu97XuaqKkd4Mhy
|
||||
pZLJvERK4PpQGXgldwFzGYEI5tHimXJfq46hovuKXwZag1tlqIPug8XY0BIKI7lO
|
||||
MyKY0YXh2nIzSxsfKWpR2t4DjZp3eOkpYtdCE81xLDW3jJtHK60UHORYGDSqVwTs
|
||||
VMaaZc7VePds657kjyy+Qxfje2aDK4kB2KPNgx32l0NA4WVKfdQ=
|
||||
=L1Lc
|
||||
-----END PGP SIGNATURE-----
|
||||
|
|
|
|||
|
|
@ -1,2 +1,2 @@
|
|||
64263feac7b00952e9ec3b6c1fd11316faa58ff673c6bd085fac9f6f8d8389f6 .gitignore
|
||||
592bb0c186797cc93e3e1eb4c58ceb420b9c36f72521f71da49a05c6452e95e6 sig
|
||||
994f504acaa5d89c312494d45e8f1b66f32c749e58d42b15d58b44f217e912b9 sig
|
||||
|
|
|
|||
53
sig
53
sig
|
|
@ -110,6 +110,15 @@ get_files(){
|
|||
fi
|
||||
}
|
||||
|
||||
get_signer(){
|
||||
local fingerprint="${1?}"
|
||||
gpg \
|
||||
--list-keys \
|
||||
--with-colons "${fingerprint}" 2>&1 \
|
||||
| awk -F: '$1 == "uid" {print $10}' \
|
||||
| head -n1
|
||||
}
|
||||
|
||||
### Verify a file has 0-N unique valid detached signatures
|
||||
### Optionally verify all signatures belong to keys in gpg alias group
|
||||
verify_file() {
|
||||
|
|
@ -140,13 +149,7 @@ verify_file() {
|
|||
| grep keyid \
|
||||
| sed 's/.*keyid //g'
|
||||
)
|
||||
signer=$( \
|
||||
gpg \
|
||||
--list-keys \
|
||||
--with-colons "${fingerprint}" 2>&1 \
|
||||
| awk -F: '$1 == "uid" {print $10}' \
|
||||
| head -n1 \
|
||||
)
|
||||
signer=$( get_signer "${fingerprint}" )
|
||||
|
||||
[[ "${seen_fingerprints}" == *"${fingerprint}"* ]] \
|
||||
&& die "Duplicate signature: ${sig_filename}";
|
||||
|
|
@ -155,15 +158,13 @@ verify_file() {
|
|||
&& [[ "${group_config}" != *"${fingerprint}"* ]] \
|
||||
&& die "Signature not in group \"${group}\": ${sig_filename}";
|
||||
|
||||
echo "Verified signature by \"${signer}\""
|
||||
echo "Verified detached signature by \"${signer}\""
|
||||
|
||||
seen_fingerprints="${seen_fingerprints} ${fingerprint}"
|
||||
((sig_count=sig_count+1))
|
||||
done
|
||||
[[ "$sig_count" -ge "$threshold" ]] || {
|
||||
echo "Minimum number of signatures not met: ${sig_count}/${threshold}";
|
||||
exit 1;
|
||||
}
|
||||
[[ "$sig_count" -ge "$threshold" ]] || \
|
||||
die "Minimum detached signatures not found: ${sig_count}/${threshold}";
|
||||
}
|
||||
|
||||
### Verify all commits in git repo have valid signatures
|
||||
|
|
@ -173,9 +174,31 @@ verify_git(){
|
|||
[ $# -eq 2 ] || die "Usage: verify_git <threshold> <group>"
|
||||
local threshold="${1}"
|
||||
local group="${2}"
|
||||
#for commit in $(git log --format='%H%GP'); do
|
||||
# echo "$commit"
|
||||
#done
|
||||
local sig_count=0
|
||||
local seen_fingerprints=""
|
||||
local depth=0
|
||||
|
||||
while [[ $depth != "$(git rev-list --count HEAD)" ]]; do
|
||||
ref=HEAD~${depth}
|
||||
commit=$(git log --format="%H" "$ref")
|
||||
fingerprint=$(git log --format="%GP" "$ref" -n1 )
|
||||
signer=$( get_signer "${fingerprint}" )
|
||||
|
||||
git verify-commit HEAD~${depth} >/dev/null 2>&1\
|
||||
|| die "Unsigned commit: ${commit}"
|
||||
|
||||
[[ "${seen_fingerprints}" != *"${fingerprint}"* ]] \
|
||||
&& seen_fingerprints="${seen_fingerprints} ${fingerprint}" \
|
||||
&& ((sig_count=sig_count+1)) \
|
||||
&& echo "Verified git signature at depth ${depth} by \"${signer}\""
|
||||
|
||||
[[ "${sig_count}" -ge "${threshold}" ]] && break;
|
||||
|
||||
((depth=depth+1))
|
||||
done
|
||||
|
||||
[[ "${sig_count}" -ge "${threshold}" ]] \
|
||||
|| die "Minimum git signatures not found: ${sig_count}/${threshold}";
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue