From ddcb46c0f06f1df6f4a48785bbb2751f72543de6 Mon Sep 17 00:00:00 2001
From: Malfurious <m@lfurio.us>
Date: Thu, 23 Nov 2023 09:44:06 -0500
Subject: [PATCH] patch: gpgverify
Add a GPG signature verification step to the acid-source update stage.
Intended next versions are determined as normal; however, any version
that either lacks a valid signature or is signed by the wrong key
fails the source stage and will not be built.
This patch adds a new column to $CYCHE_SERVICES. Its value is the
fingerprint of the GPG key which must sign deployable versions of the
service. Leaving this field empty disables the signing requirement for
that service.
All relevant public key files should be added to the `acid/gpgkeys/`
directory so they can be imported into ACID. The file
`acid/gpgkeys/.ownertrust.txt` should contain intended trust database
information (See documentation for `gpg --import-ownertrust` to learn
more).
If a service <ref-pattern> matches a tag name, only that tag is
considered for a valid signature. Signatures present in the commit it
points to are ignored. Likewise, if <ref-pattern> matches a branch,
only the tip commit of that branch is considered, not any signed tags
that happen to point to it as well.
---
acid/Dockerfile | 8 +++++++-
acid/acid | 2 +-
acid/acid-source | 23 +++++++++++++++++++++++
acid/config.sh | 4 ++--
acid/gpgkeys/.ownertrust.txt | 0
5 files changed, 33 insertions(+), 4 deletions(-)
create mode 100644 acid/gpgkeys/.ownertrust.txt
diff --git a/acid/Dockerfile b/acid/Dockerfile
index 7eecebe..f44a4e5 100644
--- a/acid/Dockerfile
+++ b/acid/Dockerfile
@@ -5,9 +5,15 @@ RUN apk --no-cache add \
bash \
docker-cli \
docker-compose \
- git
+ git \
+ gpg \
+ gpg-agent
WORKDIR /app
ENV PATH="${PATH}:/app"
COPY . .
+RUN cat gpgkeys/* | gpg --import --quiet
+RUN gpg --import-ownertrust --quiet <gpgkeys/.ownertrust.txt
+RUN gpg --check-trustdb
+RUN rm -f /root/.gnupg/public-keys.d/pubring.db.lock
CMD ["acid"]
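Review bot: The `RUN cat gpgkeys/* | gpg --import --quiet` step takes its exit status from gpg alone, so an unreadable or missing key file makes cat fail while gpg happily imports whatever else arrived and the build succeeds with an incomplete keyring; passing the files directly, `RUN gpg --import --quiet gpgkeys/*`, lets gpg report each file's failure and stops the image build instead of failing every signed service later at runtime. The `RUN rm -f /root/.gnupg/public-keys.d/pubring.db.lock` line needs a comment saying why a lock is left behind by the preceding gpg invocations (presumably the agent or keybox daemon still holding it during the build), otherwise it reads as a stray workaround that a future cleanup will remove.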
diff --git a/acid/acid b/acid/acid
index a134d34..c2d2f24 100755
--- a/acid/acid
+++ b/acid/acid
@@ -47,7 +47,7 @@ update() {
for line in "${CYCHE_SERVICES[@]}"; do
read -r -a arr <<< "$line"
- hash=$(acid-source ${arr[@]:0:3} 2>"$CYCHE_TMP_LOG")
+ hash=$(acid-source ${arr[@]:0:3} "${arr[4]}" 2>"$CYCHE_TMP_LOG")
res=$?
if [ $res -ne 0 ] || [ "$1" == "$forceopt" ]; then
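Review bot: `"${arr[4]}"` on the new `hash=$(acid-source ...)` line expands to an empty string for a four-column service line, which matches the commit message's "empty field disables the requirement", but if this script runs under `set -u` that expansion aborts the whole update loop instead; `"${arr[4]:-}"` preserves the documented behaviour either way. Whether `set -u` is in effect is not visible from this hunk, so this is worth checking at the top of the script. The unquoted `${arr[@]:0:3}` is inherited from the old line; fields cannot contain whitespace after `read -r -a`, but they are still subject to glob expansion, so quoting it as `"${arr[@]:0:3}"` costs nothing.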
diff --git a/acid/acid-source b/acid/acid-source
index d03076f..913640f 100755
--- a/acid/acid-source
+++ b/acid/acid-source
@@ -29,6 +29,25 @@ fail() {
exit 2
}
+gpgverify() {
+ obj=($(git for-each-ref \
+ --count=1 \
+ --format='%(objecttype) %(objectname)' \
+ --sort='-creatordate' "$1"))
+
+ echo Verifying ${obj[@]} >&2
+ if [ "${obj[0]}" == "tag" ] && git verify-tag "${obj[1]}" >&2; then
+ fp=$(git verify-tag --raw "${obj[1]}" 2>&1 | awk '/VALIDSIG/{print $3}')
+ elif [ "${obj[0]}" == "commit" ] && git verify-commit "${obj[1]}" >&2; then
+ fp=$(git verify-commit --raw "${obj[1]}" 2>&1 | awk '/VALIDSIG/{print $3}')
+ fi
+
+ if [ "$fp" != "$2" ]; then
+ echo "Failed GPG signing requirement (no valid signature, or wrong signature)" >&2
+ fail
+ fi
+}
+
cd "$CYCHE_SERVICE_DIR"
# For <name>, limit to a-z, 0-9, -, _
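Review bot: `fp` in gpgverify is neither declared local nor initialised, so when both verify branches fail the comparison on `if [ "$fp" != "$2" ]` runs against whatever value `fp` already had in the caller's scope or the environment; today that is presumably empty and the check fails closed, but the fail-closed outcome should not depend on outer state, and under `set -u` an unset `fp` would abort the script instead. Adding `local obj fp=` as the first line of the function pins both. gpg prints fingerprints in upper-case hex, so a lower-case value in `$CYCHE_SERVICES` will never match; either document the required form or compare `[ "${fp^^}" != "${2^^}" ]`. Finally, the verified object is the newest ref matching `$1` per `--sort='-creatordate' --count=1`, while `$next` is selected outside this hunk, so it is worth confirming that both always resolve to the same object, otherwise the build may use a version other than the one that was verified.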
@@ -67,6 +86,10 @@ if [ -z "$next" ]; then
fail
fi
+if [ -n "$4" ]; then
+ gpgverify "$3" "$4"
+fi
+
echo "$next"
if [ "$prev" != "$next" ]; then
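Review bot: When `$4` is empty the signing check on `gpgverify "$3" "$4"` is skipped without any trace, so an accidentally blank fingerprint column is indistinguishable in the logs from a service that was intentionally left unsigned; an `else` branch with `echo "GPG signing requirement disabled for this service" >&2` gives operators something to audit. The code that computes `$next` and `$prev` lies outside this hunk.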
diff --git a/acid/config.sh b/acid/config.sh
index a25531e..c66014e 100644
--- a/acid/config.sh
+++ b/acid/config.sh
@@ -32,6 +32,6 @@ CYCHE_SERVICES=(
# in the list. As just mentioned, it can be named anything, but "cychedelic"
# is conventional.
- # <name> <url> <ref-pattern> <compose-file>
- 'cychedelic https://your/cyche/source.git refs/remotes/origin/master docker-compose.yml'
+ # <name> <url> <ref-pattern> <compose-file> <gpg-id-fingerprint>
+ 'cychedelic https://your/cyche/source.git refs/remotes/origin/master docker-compose.yml 0000000000000000000000000000000000000000'
)
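Review bot: The new column comment `# <name> <url> <ref-pattern> <compose-file> <gpg-id-fingerprint>` does not say what form the value must take, and acid-source compares it literally against gpg's VALIDSIG output; a follow-up comment such as `# <gpg-id-fingerprint>: full 40-hex-digit key fingerprint as shown by gpg --fingerprint (upper case, no spaces); leave empty to skip signature checking` would avoid a puzzling failed deployment. It is also worth stating that the all-zero placeholder on the sample line will never match a real key, so a copied-through example fails the source stage rather than silently passing.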
diff --git a/acid/gpgkeys/.ownertrust.txt b/acid/gpgkeys/.ownertrust.txt
new file mode 100644
index 0000000..e69de29
--
2.42.0