From ecb7bb745cc88bb2b54f499dca48089a5ae27fdf Mon Sep 17 00:00:00 2001 From: Malfurious Date: Thu, 23 Nov 2023 09:44:06 -0500 Subject: [PATCH] patch: gpgverify Add a GPG signature verification step to the acid-source update stage. Intended next versions are determined as normal, however any version that either lacks a valid signature, or is signed by the incorrect key fails the source stage and will not be built. This patch adds a new column to $CYCHE_SERVICES. Its value is the fingerprint of the GPG key which must sign deployable versions of the service. Leaving this field empty disables the signing requirement for that service. All relevant public key files should be added to the `acid/gpgkeys/` directory so they can be imported into ACID. The file `acid/gpgkeys/.ownertrust.txt` should contain intended trust database information (See documentation for `gpg --import-ownertrust` to learn more). If a service matches a tag name, only that tag is considered for a valid signature. Signatures present in the commit it points to are ignored. Likewise, if matches a branch, only the tip commit of that branch is considered, not any signed tags that happen to point to it as well. --- acid/Dockerfile | 8 +++++++- acid/acid | 2 +- acid/acid-source | 23 +++++++++++++++++++++++ acid/config.sh | 4 ++-- acid/gpgkeys/.ownertrust.txt | 0 5 files changed, 33 insertions(+), 4 deletions(-) create mode 100644 acid/gpgkeys/.ownertrust.txt diff --git a/acid/Dockerfile b/acid/Dockerfile index 7eecebe..da68873 100644 --- a/acid/Dockerfile +++ b/acid/Dockerfile @@ -5,9 +5,15 @@ RUN apk --no-cache add \ bash \ docker-cli \ docker-compose \ - git + git \ + gpg \ + gpg-agent WORKDIR /app ENV PATH="${PATH}:/app" COPY . . +RUN cat gpgkeys/* | gpg --import --quiet \ + && gpg --import-ownertrust --quiet "$CYCHE_TMP_LOG") + hash=$(acid-source ${arr[@]:0:3} "${arr[4]}" 2>"$CYCHE_TMP_LOG") res=$? if [ $res -ne 0 ] || [ "$1" == "$forceopt" ]; then 
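Review bot: `cat gpgkeys/*` on the added RUN line fails on a checkout that holds no public key file: the only file this commit creates in that directory is the dot-file `.ownertrust.txt`, which `*` does not match, so `cat` errors on the literal pattern and the pipeline's status is gpg's, which presumably reports "no valid OpenPGP data found" and breaks the image build. Importing with `RUN find gpgkeys -type f ! -name '.*' -exec gpg --import --quiet {} +` tolerates an empty key directory and does not depend on shell globbing. The keyring is populated in the build user's HOME at build time; if acid-source later runs under a different user or HOME, `git verify-tag`/`git verify-commit` will not find these keys, which deserves a comment on the RUN line. The tail of the `--import-ownertrust` line and the following acid/acid hunk are not legible in this view.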
diff --git a/acid/acid-source b/acid/acid-source
index d03076f..913640f 100755
--- a/acid/acid-source
+++ b/acid/acid-source
@@ -29,6 +29,25 @@ fail() {
 exit 2
 }
+gpgverify() {
+ obj=($(git for-each-ref \
+ --count=1 \
+ --format='%(objecttype) %(objectname)' \
+ --sort='-creatordate' "$1"))
+
+ echo Verifying ${obj[@]} >&2
+ if [ "${obj[0]}" == "tag" ] && git verify-tag "${obj[1]}" >&2; then
+ fp=$(git verify-tag --raw "${obj[1]}" 2>&1 | awk '/VALIDSIG/{print $3}')
+ elif [ "${obj[0]}" == "commit" ] && git verify-commit "${obj[1]}" >&2; then
+ fp=$(git verify-commit --raw "${obj[1]}" 2>&1 | awk '/VALIDSIG/{print $3}')
+ fi
+
+ if [ "$fp" != "$2" ]; then
+ echo "Failed GPG signing requirement (no valid signature, or wrong signature)" >&2
+ fail
+ fi
+}
+
 
 cd "$CYCHE_SERVICE_DIR"
 
 # For , limit to a-z, 0-9, -, _
@@ -67,6 +86,10 @@ if [ -z "$next" ]; then
 fail
 fi
 
+if [ -n "$4" ]; then
+ gpgverify "$3" "$4"
+fi
+
 
 echo "$next"
 
 if [ "$prev" != "$next" ]; then
diff --git a/acid/config.sh b/acid/config.sh
index a25531e..c66014e 100644
--- a/acid/config.sh
+++ b/acid/config.sh
@@ -32,6 +32,6 @@ CYCHE_SERVICES=(
 # in the list. As just mentioned, it can be named anything, but "cychedelic"
 # is conventional.
- #
- 'cychedelic https://your/cyche/source.git refs/remotes/origin/master docker-compose.yml'
+ #
+ 'cychedelic https://your/cyche/source.git refs/remotes/origin/master docker-compose.yml 0000000000000000000000000000000000000000'
 )
diff --git a/acid/gpgkeys/.ownertrust.txt b/acid/gpgkeys/.ownertrust.txt
new file mode 100644
index 0000000..e69de29
-- 
2.44.0
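Review bot: Both `fp=` lines in gpgverify take field 3 of gpg's VALIDSIG status line, which is the fingerprint of the key that actually produced the signature — a signing subkey whenever the maintainer signs with one — while the value operators configure is naturally the primary-key fingerprint, so subkey-signed tags and commits never pass; the last VALIDSIG field is the primary-key fingerprint, and `awk '/VALIDSIG/{print $NF}'` on both lines pins the primary key regardless of which subkey signed and survives subkey rotation. `fp` is never reset inside the function, so the final comparison relies on it carrying no stale value when neither verify branch succeeds; `fp=` as the first statement makes that explicit. The failure message hides what was compared; `echo "Failed GPG signing requirement: expected $2, got ${fp:-none}" >&2` would make a misconfigured fingerprint obvious in the log. Minor: `echo Verifying ${obj[@]} >&2` should quote `"${obj[@]}"`.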
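Review bot: The `[ -n "$4" ]` guard enables verification for any non-empty fourth field but passes it through unnormalized, and gpgverify compares it byte-for-byte with the uppercase, unspaced 40-hex fingerprint gpg reports, so a value pasted from `gpg --fingerprint` (grouped with spaces) or typed in lowercase fails every build of that service. Normalizing at the call site, `gpgverify "$3" "$(printf '%s' "$4" | tr -d ' ' | tr a-f A-F)"`, removes that trap. The enclosing script continues outside the hunk: `next` is computed above it, yet gpgverify re-resolves the object from `$3` on its own, so a comment stating that the two resolutions are expected to name the same object (or a check that they do) would document the assumption the signature check rests on.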
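Review bot: The sample entry now carries a fifth, all-zero fingerprint column, but nothing near it states how the field is interpreted; the comment line above the sample (its content is not legible in this view) should spell out the format the check requires. Suggested wording: `# Fifth field: 40-hex-digit fingerprint (uppercase, no spaces) of the GPG key that must sign deployable versions; leave it empty to skip signature verification for that service.` Copying the placeholder verbatim turns verification on against a key that cannot exist, so every build of that entry fails until the value is replaced or cleared, which the comment should say as well.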