Commit b601e7410de00ca90bcf909a4c4a3a361a6764df
Merge pull request #41 into master
TheCharlatan committed on 12/9/2019, 11:16:38 PMParent: c9ce46a603053f352c4bb9967f0d1f3c7d23cabf
Parent: c65a594d3bff70d0a78e88d673e94b3c03276d51
Files changed
verify-merge.py | changed |
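--- a/verify-merge.py
+++ b/verify-merge.py
@@ -14,10 +14,15 @@
 if args.import_keys:
 import_gpg_keys()
 if args.refresh_keys:
 refresh_gpg_keys()
- assert_files = get_assert_file_list()
- verify_gpg_sigs(assert_files)
+ # Shell glob pattern for specific version or all builds:
+ ver_pattern = args.version if args.version else 'v0*'
+ sig_file_paths = set(glob.glob(ver_pattern + '-*/*/*.assert.sig'))
+ assert_files = get_assert_file_list(ver_pattern)
+ user_names = get_user_names_from_keys()
+ verify_file_path_naming(assert_files, sig_file_paths, user_names)
+ verify_gpg_sigs(sig_file_paths)
 verify_checksums(assert_files)
 print('All checks passed.')
 os.chdir(workdir)
 
@@ -67,35 +72,33 @@
 
 def import_gpg_keys():
 os.chdir(GITIAN_PUBKEYS_DIR)
 print('Importing gpg pubkeys...')
- keys = [f for f in glob.glob('*.asc', recursive=False)]
+ keys = glob.glob('*.asc')
 for key in keys:
 subprocess.check_call([GPG, '--import', key])
 os.chdir('../')
 
-def get_assert_file_list():
- global args
- # Shell glob pattern for specific version or all builds:
- ver_pattern = args.version if args.version else 'v0*'
+def get_assert_file_list(ver_pattern):
 assert_files = []
 for assert_file in sorted(glob.glob(ver_pattern + '-*/*/*.assert')):
 pieces = assert_file.split('/')
 release_full = pieces[0] # eg v0.15.0.1-linux
 release_num, platform = release_full.split('-')
+ version_major = release_num.split('.')[1]
 assert_files.append({
 'release_full': release_full,
 'release_num': release_num,
 'platform': platform,
 'path': assert_file,
- 'user': pieces[1]})
+ 'user': pieces[1],
+ 'version_major': version_major})
 return assert_files
 
-def verify_gpg_sigs(assert_files):
+def verify_gpg_sigs(sig_file_paths):
 print('Verifying signatures:')
 is_verification_error = False
- for assert_file in assert_files:
- sig_file = assert_file['path'] + '.sig'
+ for sig_file in sig_file_paths:
 print(' - ' + '{message: <{fill}}'.format(message=sig_file, fill='72'), end='')
 result = verify_gpg_sig(sig_file)
 if result.returncode != 0:
 is_verification_error = True
@@ -107,9 +110,44 @@
 sys.stderr.write('ERROR: One or more signatures failed verification.\n')
 exit(1)
 print('All signatures verified correctly.\n')
 
+def verify_file_path_naming(assert_files, sig_file_paths, user_names):
+ path_pattern = '{release_num}-{platform}/{user}/monero-{platform}-0.{version_major}-build.assert'
+ print('Verifying file path naming...')
+ # Check that every sig has an assert:
+ if len(sig_file_paths) > len(assert_files):
+ sys.stderr.write("ERROR: One or more sig files doesn't have a matching assert file:\n")
+ assert_file_paths = [a['path'] for a in assert_files]
+ extra_sigs = [s for s in sig_file_paths if os.path.splitext(s)[0] not in assert_file_paths]
+ for extra_sig in extra_sigs:
+ sys.stderr.write(" - {0}\n".format(extra_sig))
+ exit(1)
+ for assert_file in assert_files:
+ # Check assert file has a sig file:
+ if (assert_file['path'] + '.sig') not in sig_file_paths:
+ sys.stderr.write('ERROR: Assert file found without corresponding sig file:\n' + assert_file['path'] + '\n')
+ exit(1)
+ # Check assert user corresponds with a known GPG pubkey:
+ if assert_file['user'] not in user_names:
+ sys.stderr.write("ERROR: User '{user}' doesn't have a matching PGP key. Expected {folder}/{user}.asc\n".format(user=assert_file['user'], folder=GITIAN_PUBKEYS_DIR))
+ sys.stderr.write(" * Found in path: {path}\n".format(path=assert_file['path']))
+ exit(1)
+ # Check overall format of path (version num, platform, folder and file names):
+ expected_path = path_pattern.format(**assert_file)
+ if expected_path != assert_file['path']:
+ sys.stderr.write('ERROR: File path appears to be incorrect:\n{actual}\nExpected:\n{expected}\n'.format(actual=assert_file['path'], expected=expected_path))
+ exit(1)
+ print('All file paths seem to be correct.\n')
+
+def get_user_names_from_keys():
+ os.chdir(GITIAN_PUBKEYS_DIR)
+ user_names = [os.path.splitext(key)[0] for key in glob.glob('*.asc')]
+ os.chdir('../')
+ return user_names
+
 def verify_gpg_sig(sig_file):
+ # TODO: Verify correct user created the signature.
 return subprocess.run([GPG, '--verify', sig_file], capture_output=True, encoding='utf-8')
 
 def verify_checksums(assert_files):
 print('Beginning binary checksum comparison...\n')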
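Review bot: `verify_file_path_naming` only checks that the `{user}` folder name has a same-named `.asc` file; nothing ties the signature on that folder's `.assert.sig` to that user's key, so a valid signature from any key in the local keyring appears to pass under any listed user name, as the new TODO in `verify_gpg_sig` acknowledges. Until that is closed, "All signatures verified correctly" should not be read as per-builder attestation; closing it means running gpg with `--status-fd`, taking the fingerprint from the `VALIDSIG` line, and comparing it with the fingerprint of `{folder}/{user}.asc`. Separately, `verify_gpg_sig` hands gpg only the signature path and lets it infer the signed file by stripping the suffix, which the GnuPG manual discourages; naming the data file explicitly, `subprocess.run([GPG, '--verify', sig_file, sig_file[:-len('.sig')]], capture_output=True, encoding='utf-8')`, keeps the check tied to the `.assert` file that `verify_checksums` later reads. I would also replace the TODO with a comment stating that signer identity is currently unchecked, so callers do not over-trust the exit status.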