

Merge pull request #4189 from kolyshkin/fix-gpg-validate
script/*: fix gpg usage wrt keyboxd
lifubang authored Jun 8, 2024
2 parents a4b0857 + 760105a commit a35a4c6
Showing 2 changed files with 12 additions and 10 deletions.
18 changes: 10 additions & 8 deletions script/keyring_validate.sh
Expand Up @@ -32,6 +32,12 @@ function bail() {
tmp_gpgdir="$(mktemp -d --tmpdir "$project-validate-tmpkeyring.XXXXXX")"
trap 'rm -r "$tmp_gpgdir"' EXIT

function gpg_user() {
local user=$1
shift
gpg --homedir="$tmp_gpgdir" --no-default-keyring --keyring="$user.keyring" "$@"
}

# Get the set of MAINTAINERS.
readarray -t maintainers < <(sed -E 's|.* <.*> \(@?(.*)\)$|\1|' <"$root/MAINTAINERS")
echo "------------------------------------------------------------"
Expand All @@ -41,8 +47,7 @@ echo "------------------------------------------------------------"

# Create a dummy gpg keyring from the set of MAINTAINERS.
while IFS="" read -r username || [ -n "$username" ]; do
curl -sSL "https://github.com/$username.gpg" |
gpg --no-default-keyring --keyring="$tmp_gpgdir/$username.keyring" --import
curl -sSL "https://github.com/$username.gpg" | gpg_user "$username" --import
done < <(printf '%s\n' "${maintainers[@]}")

# Make sure all of the keys in the keyring have a github=... comment.
Expand All @@ -65,8 +70,7 @@ echo "------------------------------------------------------------"
echo "$project release managers:"
sed -En "s|^Comment:.* github=(\w+).*| * \1|p" <"$root/$project.keyring" | sort -u
echo "------------------------------------------------------------"
gpg --no-default-keyring --keyring="$tmp_gpgdir/keyring" \
--import --import-options=show-only <"$root/$project.keyring"
gpg --show-keys <"$root/$project.keyring"
echo "------------------------------------------------------------"

# Check that each entry in the kering is actually a maintainer's key.
Expand Down Expand Up @@ -94,12 +98,10 @@ while IFS="" read -d $'\0' -r block || [ -n "$block" ]; do
# fingerprint. See <https://github.com/gpg/gnupg/blob/master/doc/DETAILS>
# for more details.
while IFS="" read -r key || [ -n "$key" ]; do
gpg --no-default-keyring --keyring="$tmp_gpgdir/$username.keyring" \
--list-keys --with-colons | grep "$fprfield:::::::::$key:" >/dev/null ||
gpg_user "$username" --list-keys --with-colons | grep "$fprfield:::::::::$key:" >/dev/null ||
bail "(Sub?)Key $key in $project.keyring is NOT actually one of $username's keys!"
log "Successfully verified $username's (sub?)key $key is legitimate."
done < <(gpg --no-default-keyring \
--import --import-options=show-only --with-colons <<<"$block" |
done < <(gpg --show-keys --with-colons <<<"$block" |
grep "^$fprfield:" | cut -d: -f10)
done < <(awk <"$root/$project.keyring" '
/^-----BEGIN PGP PUBLIC KEY BLOCK-----$/ { in_block=1 }
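Review bot: The new `gpg_user` helper (the `function gpg_user()` hunk) carries no header comment, although it is the whole point of this change: every per-maintainer keyring is now addressed relative to the temporary `--homedir`, so the validation no longer reads or writes the caller's own GnuPG home (and therefore never hits its keyboxd). Suggest adding above it `# Run gpg against the per-maintainer keyring "$1.keyring" inside $tmp_gpgdir,` / `# so validation never touches the caller's own GnuPG home or keyboxd.`. The `--show-keys` command that replaces `--import --import-options=show-only` in the two later hunks is newer than the form it replaces, and I believe older gpg releases reject it, so the script preamble (outside this section) may want a comment or version check. Also, `curl -sSL … | gpg_user "$username" --import` reports only gpg's status; unless the script enables `pipefail` (its header is not visible here), a failed download surfaces only indirectly when gpg rejects the empty or non-OpenPGP input, and `curl -fsSL` would at least make HTTP errors explicit.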
4 changes: 2 additions & 2 deletions script/release_sign.sh
Expand Up @@ -105,10 +105,10 @@ set -x
tmp_gpgdir="$(mktemp -d --tmpdir "$project-sign-tmpkeyring.XXXXXX")"
trap 'rm -r "$tmp_gpgdir"' EXIT

tmp_runc_gpgflags=("--no-default-keyring" "--keyring=$tmp_gpgdir/$project.keyring")
tmp_runc_gpgflags=("--homedir=$tmp_gpgdir" "--no-default-keyring" "--keyring=$project.keyring")
gpg "${tmp_runc_gpgflags[@]}" --import <"$root/$project.keyring"

tmp_seccomp_gpgflags=("--no-default-keyring" "--keyring=$tmp_gpgdir/seccomp.keyring")
tmp_seccomp_gpgflags=("--homedir=$tmp_gpgdir" "--no-default-keyring" "--keyring=seccomp.keyring")
gpg "${tmp_seccomp_gpgflags[@]}" --recv-keys 0x47A68FCE37C7D7024FD65E11356CE62C2B524099
gpg "${tmp_seccomp_gpgflags[@]}" --recv-keys 0x7100AADFAE6E6E940D2E0AD655E45A5AE8CA7C8A

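Review bot: The `EXIT` trap on the context line `trap 'rm -r "$tmp_gpgdir"' EXIT` only deletes the directory, but now that both flag arrays pass `--homedir=$tmp_gpgdir`, the `--recv-keys` calls below it likely start a dirmngr (and possibly a gpg-agent) bound to that temporary home, and removing the directory leaves those daemons running against a home that no longer exists. Consider `trap 'gpgconf --homedir "$tmp_gpgdir" --kill all; rm -r "$tmp_gpgdir"' EXIT`; the trap in script/keyring_validate.sh has the same shape and would benefit from the same treatment. Separately, with a fresh homedir the `--recv-keys` fetch no longer sees the operator's own `dirmngr.conf`, so it presumably falls back to dirmngr's built-in default keyserver; that is arguably more reproducible, but a one-line comment above the `tmp_seccomp_gpgflags=` line stating that the keyserver is the GnuPG default, not the user's, would save the next reader a surprise.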

