
Monero Pub / gitian.sigs



Commit 617f52db3e65d7c1760e4882521ec67f8ff7cfd2

Add script to make verifying the gitian signatures easy

TheCharlatan committed on 7/23/2019, 12:19:28 AM
Parent: 98054a43b2691ce66166837d8dfdb9d334c20dcb

Files changed

README.mdchanged
verify-merge.pyadded
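--- a/README.md
+++ b/README.md
@@ -21,4 +21,13 @@
 ```
 v0.14.1.0-linux/${GH_USERNAME}/monero-linux-v0.14.1.0-build.assert
 v0.14.1.0-linux/${GH_USERNAME}/monero-linux-v0.14.1.0-build.assert.sig
 ```
+
+If you are committing for the first time, add your pgp public key to the gitian-pubkeys directory in armored ASCII format and a filename of `username.asc`.
+
+## Verifying Gitian Signatures
+
+The `verify-merge.py` script can be used to verify existing gitian sigs. For example to verify all the signatures on the v0.14.1.0 assert files, run `./verify-merge.py v0.14.1.0`. More information on how to use the script can be found by running `./verify-merge.py --help`.
+
+It is also possible to use the script to check the signatures of open pull requests. For example for pull request id 12 on github: `./verify-merge.py --pull_id 12 v0.14.1.0`. Be aware that running this will change the content of your git tree by creating a new `$pull_id_head` and `$pull_id_base` branch. The script deletes these branches again on exit.
+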
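--- a/verify-merge.py
+++ b/verify-merge.py
@@ -1,0 +1,65 @@
+#!/usr/bin/env python3
+import argparse
+import os
+import subprocess
+import glob
+
+GIT = os.getenv('GIT','git')
+GPG = os.getenv('GPG','gpg')
+
+def verify():
+ global args, workdir
+ os.chdir('gitian-pubkeys')
+ print('Importing pubkeys...')
+ keys = [f for f in glob.glob("*.asc", recursive=True)]
+ for key in keys:
+ subprocess.check_call([GPG, '--import', key])
+ print('Refreshing pubkeys...')
+ subprocess.check_call([GPG, '--refresh'])
+ os.chdir('../../gitian-builder')
+ print('\nVerifying '+args.version+' Linux\n')
+ subprocess.check_call(['bin/gverify', '-v', '-d', '../gitian.sigs/', '-r', args.version+'-linux', '../monero/contrib/gitian/gitian-linux.yml'])
+ print('\nVerifying '+args.version+' Windows\n')
+ subprocess.check_call(['bin/gverify', '-v', '-d', '../gitian.sigs/', '-r', args.version+'-win', '../monero/contrib/gitian/gitian-win.yml'])
+ print('\nVerifying '+args.version+' MacOS\n')
+ subprocess.check_call(['bin/gverify', '-v', '-d', '../gitian.sigs/', '-r', args.version+'-osx', '../monero/contrib/gitian/gitian-osx.yml'])
+ os.chdir(workdir)
+
+def main():
+ host_repo = "git@github.com/monero-project/gitian.sigs"
+ global args, workdir
+ parser = argparse.ArgumentParser(usage='%(prog)s [options] version', description='Use this script before merging a pull request to the gitian.sigs repository and to verify the signature of existing gitian assert files and gitian assert files in specific pull requests')
+ parser.add_argument('-p', '--pull_id', dest='pull_id', help='Github Pull request id to check')
+ parser.add_argument('-r', '--remote', dest='remote', default='upstream', help='git remote repository')
+ parser.add_argument('-t', '--target_branch', dest='target_branch', default='master', help='Remote repository merge into branch')
+ parser.add_argument('-m', '--merge', action='store_true', dest='merge', help='Merge the given pull request id')
+ parser.add_argument('-o', '--no-verify', action='store_true', dest='no_verify', help='Do not run any signature verification')
+ parser.add_argument('-n', '--name', dest='name', help='username for pgp key verification')
+ parser.add_argument('version', help='Version number, commit, or branch to build.')
+
+ args = parser.parse_args()
+ workdir = os.getcwd()
+ if args.pull_id != None:
+ # Get branch from remote pull request and compare
+ head_branch = args.pull_id+'_head'
+
+ subprocess.check_call([GIT, 'fetch', args.remote])
+ subprocess.check_call([GIT, 'checkout', args.remote+'/'+args.target_branch])
+ subprocess.check_call([GIT, 'fetch','-q', args.remote, 'pull/'+args.pull_id+'/head:'+head_branch])
+ subprocess.check_call([GIT, 'checkout', '-f', head_branch])
+ if args.merge:
+ # Hard reset the target branch to the remote's state and merge the pull request's head branch into it
+ subprocess.check_call([GIT, 'checkout', args.target_branch])
+ subprocess.check_call([GIT, 'reset', '--hard', args.remote + '/' + args.target_branch])
+ print('Merging and signing pull request #' + args.pull_id + ' , if you are using a smartcard, confirm the signature now.')
+ subprocess.check_call([GIT, 'merge','-q', '--commit', '--no-edit', '-m', 'Merge pull request #'+args.pull_id+' into '+args.target_branch, '--no-ff', '--gpg-sign', head_branch])
+ if not args.no_verify:
+ verify()
+ subprocess.check_call([GIT, 'checkout', 'master'])
+ subprocess.check_call([GIT, 'branch', '-D', head_branch])
+ else:
+ verify()
+
+
+if __name__ == '__main__':
+ main()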
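Review bot: With `--merge`, `main()` creates and GPG-signs the merge commit before `verify()` runs, so a pull request whose signatures fail has already been merged into the local target branch by the time `check_call` raises. The same exception skips the `checkout master` / `branch -D` cleanup and leaves the process in whichever directory `verify()` last changed to, which contradicts the README's statement that the branches are deleted on exit. I would run `verify()` on the fetched head before the merge and move the cleanup into a `finally` that first returns to `workdir`, as sketched below. Separately, `verify()` imports every `*.asc` from the `gitian-pubkeys` directory of the checked-out tree, which in the pull-request path includes keys the pull request itself supplies, so a passing run shows a signature by some key in that directory rather than by a key the reviewer already trusted; a docstring on `verify()` and the `--help` text should say so.

```python
        # … unchanged: fetch the remote and check out head_branch …
        try:
            # Verify the fetched head first so a failure stops before any signed merge exists.
            if not args.no_verify:
                verify()
            if args.merge:
                # … unchanged: checkout/reset of target_branch and the signed merge of head_branch …
        finally:
            # verify() may have raised after os.chdir(); go back before touching git again.
            os.chdir(workdir)
            subprocess.check_call([GIT, 'checkout', 'master'])
            subprocess.check_call([GIT, 'branch', '-D', head_branch])
```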
