author | Malfurious <m@lfurio.us> | 2023-11-23 09:52:33 -0500 |
committer | Malfurious <m@lfurio.us> | 2023-11-23 09:52:33 -0500 |
commit | 48e68d4efeac35a96426e4e2de221d4b006d199e (patch) | |
tree | 95e7b4575bc1a51c16580a27668d0f35ac8a28c2 /cychedelic-gpgverify-v0.2.0.patch | |
parent | 43d5a920e71cc5270e22e8a33533448a6e3ac5e1 (diff) | |
gpgverify v0.2.0
Signed-off-by: Malfurious <m@lfurio.us>
Diffstat (limited to 'cychedelic-gpgverify-v0.2.0.patch')
-rw-r--r-- | cychedelic-gpgverify-v0.2.0.patch | 129 |
1 files changed, 129 insertions, 0 deletions
diff --git a/cychedelic-gpgverify-v0.2.0.patch b/cychedelic-gpgverify-v0.2.0.patch
new file mode 100644
index 0000000..5fee656
--- /dev/null
+++ b/cychedelic-gpgverify-v0.2.0.patch
@@ -0,0 +1,129 @@ +From ddcb46c0f06f1df6f4a48785bbb2751f72543de6 Mon Sep 17 00:00:00 2001 +From: Malfurious <m@lfurio.us> +Date: Thu, 23 Nov 2023 09:44:06 -0500 +Subject: [PATCH] patch: gpgverify + +Add a GPG signature verification step to the acid-source update stage. +Intended next versions are determined as normal, however any version +that either lacks a valid signature, or is signed by the incorrect key +fails the source stage and will not be built. + +This patch adds a new column to $CYCHE_SERVICES. Its value is the +fingerprint of the GPG key which must sign deployable versions of the +service. Leaving this field empty disables the signing requirement for +that service. + +All relevant public key files should be added to the `acid/gpgkeys/` +directory so they can be imported into ACID. The file +`acid/gpgkeys/.ownertrust.txt` should contain intended trust database +information (See documentation for `gpg --import-ownertrust` to learn +more). + +If a service <ref-pattern> matches a tag name, only that tag is +considered for a valid signature. Signatures present in the commit it +points to are ignored. Likewise, if <ref-pattern> matches a branch, +only the tip commit of that branch is considered, not any signed tags +that happen to point to it as well. +--- + acid/Dockerfile | 8 +++++++- + acid/acid | 2 +- + acid/acid-source | 23 +++++++++++++++++++++++ + acid/config.sh | 4 ++-- + acid/gpgkeys/.ownertrust.txt | 0 + 5 files changed, 33 insertions(+), 4 deletions(-) + create mode 100644 acid/gpgkeys/.ownertrust.txt + +diff --git a/acid/Dockerfile b/acid/Dockerfile +index 7eecebe..f44a4e5 100644 +--- a/acid/Dockerfile ++++ b/acid/Dockerfile +@@ -5,9 +5,15 @@ RUN apk --no-cache add \ + bash \ + docker-cli \ + docker-compose \ +- git ++ git \ ++ gpg \ ++ gpg-agent + + WORKDIR /app + ENV PATH="${PATH}:/app" + COPY . . 
++RUN cat gpgkeys/* | gpg --import --quiet
++RUN gpg --import-ownertrust --quiet <gpgkeys/.ownertrust.txt
++RUN gpg --check-trustdb
++RUN rm -f /root/.gnupg/public-keys.d/pubring.db.lock
+ CMD ["acid"]
+diff --git a/acid/acid b/acid/acid
+index a134d34..c2d2f24 100755
+--- a/acid/acid
++++ b/acid/acid
+@@ -47,7 +47,7 @@ update() {
+
+ for line in "${CYCHE_SERVICES[@]}"; do
+ read -r -a arr <<< "$line"
+- hash=$(acid-source ${arr[@]:0:3} 2>"$CYCHE_TMP_LOG")
++ hash=$(acid-source ${arr[@]:0:3} "${arr[4]}" 2>"$CYCHE_TMP_LOG")
+ res=$?
+
+ if [ $res -ne 0 ] || [ "$1" == "$forceopt" ]; then
+diff --git a/acid/acid-source b/acid/acid-source
+index d03076f..913640f 100755
+--- a/acid/acid-source
++++ b/acid/acid-source
+@@ -29,6 +29,25 @@ fail() {
+ exit 2
+ }
+
++gpgverify() {
++ obj=($(git for-each-ref \
++ --count=1 \
++ --format='%(objecttype) %(objectname)' \
++ --sort='-creatordate' "$1"))
++
++ echo Verifying ${obj[@]} >&2
++ if [ "${obj[0]}" == "tag" ] && git verify-tag "${obj[1]}" >&2; then
++ fp=$(git verify-tag --raw "${obj[1]}" 2>&1 | awk '/VALIDSIG/{print $3}')
++ elif [ "${obj[0]}" == "commit" ] && git verify-commit "${obj[1]}" >&2; then
++ fp=$(git verify-commit --raw "${obj[1]}" 2>&1 | awk '/VALIDSIG/{print $3}')
++ fi
++
++ if [ "$fp" != "$2" ]; then
++ echo "Failed GPG signing requirement (no valid signature, or wrong signature)" >&2
++ fail
++ fi
++}
++
+ cd "$CYCHE_SERVICE_DIR"
+
+ # For <name>, limit to a-z, 0-9, -, _
+@@ -67,6 +86,10 @@ if [ -z "$next" ]; then
+ fail
+ fi
+
++if [ -n "$4" ]; then
++ gpgverify "$3" "$4"
++fi
++
+ echo "$next"
+
+ if [ "$prev" != "$next" ]; then
+diff --git a/acid/config.sh b/acid/config.sh
+index a25531e..c66014e 100644
+--- a/acid/config.sh
++++ b/acid/config.sh
+@@ -32,6 +32,6 @@ CYCHE_SERVICES=(
+ # in the list. As just mentioned, it can be named anything, but "cychedelic"
+ # is conventional.
+ +- # <name> <url> <ref-pattern> <compose-file> +- 'cychedelic https://your/cyche/source.git refs/remotes/origin/master docker-compose.yml' ++ # <name> <url> <ref-pattern> <compose-file> <gpg-id-fingerprint> ++ 'cychedelic https://your/cyche/source.git refs/remotes/origin/master docker-compose.yml 0000000000000000000000000000000000000000' + ) +diff --git a/acid/gpgkeys/.ownertrust.txt b/acid/gpgkeys/.ownertrust.txt +new file mode 100644 +index 0000000..e69de29 +-- +2.42.0 + |
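Review bot: `fp=$(git verify-tag --raw "${obj[1]}" 2>&1 | awk '/VALIDSIG/{print $3}')` (and its verify-commit twin in `gpgverify`) takes the third field of gpg's VALIDSIG status line, which is the fingerprint of the key that actually produced the signature — when that is a signing subkey it differs from the primary-key fingerprint an operator would naturally paste into `<gpg-id-fingerprint>`, so a correctly signed tag fails closed and nothing deploys. The primary-key fingerprint is the last field of that same status line, so collecting both lets the configured value match either: `fp=$(git verify-tag --raw "${obj[1]}" 2>&1 | awk '/\[GNUPG:\] VALIDSIG/{print $3; print $NF}')` (likewise for verify-commit) with the check becoming `if ! grep -qxF -- "$2" <<<"$fp"; then`. Separately, the object verified here is re-selected by `for-each-ref --count=1 --sort=-creatordate`, while `$next` is computed earlier in acid-source outside this hunk; unless both use the same selection, the object whose signature was checked is not guaranteed to be the one echoed for deployment, and verifying `$next` directly (or deriving `$next` from `obj`) would close that gap. Also worth a comment above `gpgverify`: lightweight tags report objecttype `commit` in for-each-ref, so they take the verify-commit path rather than the tag path the commit message describes.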