Merge #7713: Fixes for verify-commits script

1e9aab0 Remove sipa's old revoked key from verify-commits (Peter Todd)
966151e Add README for verify-commits (Peter Todd)
11164ec Remove keys that are no longer used for merging (Peter Todd)
22421fa Remove pointless warning (Peter Todd)
9523e8a Make verify-commits path-independent (Matt Corallo)
f7d4a25 Make verify-commits POSIX-compliant (Matt Corallo)
This commit is contained in:
Wladimir J. van der Laan 2016-06-20 14:33:26 +02:00 committed by Alexander Block
parent d2c3b7efef
commit 573d9314e8
6 changed files with 39 additions and 24 deletions

View File

@ -0,0 +1,26 @@
Tooling for verification of PGP signed commits
----------------------------------------------
This is an incomplete work in progress, but currently includes a pre-push hook
script (`pre-push-hook.sh`) for maintainers to ensure that their own commits
are PGP signed (nearly always merge commits), as well as a script to verify
commits against a trusted keys list.
Using verify-commits.sh safely
------------------------------
Remember that you can't use an untrusted script to verify itself. This means
that checking out code, then running `verify-commits.sh` against `HEAD` is
_not_ safe, because the version of `verify-commits.sh` that you just ran could
be backdoored. Instead, you need to use a trusted version of verify-commits
prior to checkout to make sure you're checking out only code signed by trusted
keys:
git fetch origin && \
./contrib/verify-commits/verify-commits.sh origin/master && \
git checkout origin/master
Note that the above isn't a good UI/UX yet, and needs significant improvements
to make it more convenient and reduce the chance of errors; pull-reqs
improving this process would be much appreciated.

View File

@ -1,2 +0,0 @@
586a29253dabec3ca0f1ccba9091daabd16b8411
eddaba7b5692288087a926da5733e86b47274e4e

View File

@ -1,8 +1,9 @@
#!/bin/sh
INPUT=$(</dev/stdin)
INPUT=$(cat /dev/stdin)
VALID=false
REVSIG=false
IFS=$'\n'
IFS='
'
for LINE in $(echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null); do
case "$LINE" in
"[GNUPG:] VALIDSIG "*)
@ -13,10 +14,9 @@ for LINE in $(echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null); do
"[GNUPG:] REVKEYSIG "*)
[ "$BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG" != 1 ] && exit 1
while read KEY; do
case "$LINE" in "[GNUPG:] REVKEYSIG ${KEY:24:40} "*)
case "$LINE" in "[GNUPG:] REVKEYSIG ${KEY#????????????????????????} "*)
REVSIG=true
GOODREVSIG="[GNUPG:] GOODSIG ${KEY:24:40} "
;;
GOODREVSIG="[GNUPG:] GOODSIG ${KEY#????????????????????????} "
esac
done < ./contrib/verify-commits/trusted-keys
;;

View File

@ -1 +1 @@
165e323d851cc87213c7673c6f278e87a6f2e752
82bcf405f6db1d55b684a1f63a4aabad376cdad7

View File

@ -1,7 +1,3 @@
71A3B16735405025D447E8F274810B012346C9A6
1F4410F6A89268CE3197A84C57896D2FF8F0B657
01CDF4627A3B88AAE4A571C87588242FBE38D3A8
AF8BE07C7049F3A26B239D5325B3083201782B2F
81291FA67D2C379A006A053FEAB5AF94D9E9ABE7
3F1888C6DCA92A6499C4911FDBA1A67379A1A931
32EE5C4C3FA15CCADB46ABE529D4BCB6416F53EC

View File

@ -1,25 +1,19 @@
#!/bin/sh
# Not technically POSIX-compliant due to use of "local", but almost every
# shell anyone uses today supports it, so its probably fine
DIR=$(dirname "$0")
echo "Please verify all commits in the following list are not evil:"
git log "$DIR"
[ "/${DIR#/}" != "$DIR" ] && DIR=$(dirname "$(pwd)/$0")
VERIFIED_ROOT=$(cat "${DIR}/trusted-git-root")
IS_REVSIG_ALLOWED () {
while read LINE; do
[ "$LINE" = "$1" ] && return 0
done < "${DIR}/allow-revsig-commits"
return 1
}
REVSIG_ALLOWED=$(cat "${DIR}/allow-revsig-commits")
HAVE_FAILED=false
IS_SIGNED () {
if [ $1 = $VERIFIED_ROOT ]; then
return 0;
fi
if IS_REVSIG_ALLOWED "$1"; then
if [ "${REVSIG_ALLOWED#*$1}" != "$REVSIG_ALLOWED" ]; then
export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=1
else
export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=0
@ -27,7 +21,8 @@ IS_SIGNED () {
if ! git -c "gpg.program=${DIR}/gpg.sh" verify-commit $1 > /dev/null 2>&1; then
return 1;
fi
local PARENTS=$(git show -s --format=format:%P $1)
local PARENTS
PARENTS=$(git show -s --format=format:%P $1)
for PARENT in $PARENTS; do
if IS_SIGNED $PARENT > /dev/null; then
return 0;