Commit c65a594d3bff70d0a78e88d673e94b3c03276d51
verify-merge.py : detailed file path / folder name checking.
Jonathan Cross committed on 12/9/2019, 9:38:17 PMParent: 6eadfcbb362c72d4100b0a5e3000807c1bdd24b6
Files changed
verify-merge.py | changed |
verify-merge.py | ||
---|---|---|
@@ -14,10 +14,15 @@ | ||
14 | 14 | if args.import_keys: |
15 | 15 | import_gpg_keys() |
16 | 16 | if args.refresh_keys: |
17 | 17 | refresh_gpg_keys() |
18 | - assert_files = get_assert_file_list() | |
19 | - verify_gpg_sigs(assert_files) | |
18 | + # Shell glob pattern for specific version or all builds: | |
19 | + ver_pattern = args.version if args.version else 'v0*' | |
20 | + sig_file_paths = set(glob.glob(ver_pattern + '-*/*/*.assert.sig')) | |
21 | + assert_files = get_assert_file_list(ver_pattern) | |
22 | + user_names = get_user_names_from_keys() | |
23 | + verify_file_path_naming(assert_files, sig_file_paths, user_names) | |
24 | + verify_gpg_sigs(sig_file_paths) | |
20 | 25 | verify_checksums(assert_files) |
21 | 26 | print('All checks passed.') |
22 | 27 | os.chdir(workdir) |
23 | 28 | |
@@ -67,35 +72,33 @@ | ||
67 | 72 | |
68 | 73 | def import_gpg_keys(): |
69 | 74 | os.chdir(GITIAN_PUBKEYS_DIR) |
70 | 75 | print('Importing gpg pubkeys...') |
71 | - keys = [f for f in glob.glob('*.asc', recursive=False)] | |
76 | + keys = glob.glob('*.asc') | |
72 | 77 | for key in keys: |
73 | 78 | subprocess.check_call([GPG, '--import', key]) |
74 | 79 | os.chdir('../') |
75 | 80 | |
76 | -def get_assert_file_list(): | |
77 | - global args | |
78 | - # Shell glob pattern for specific version or all builds: | |
79 | - ver_pattern = args.version if args.version else 'v0*' | |
81 | +def get_assert_file_list(ver_pattern): | |
80 | 82 | assert_files = [] |
81 | 83 | for assert_file in sorted(glob.glob(ver_pattern + '-*/*/*.assert')): |
82 | 84 | pieces = assert_file.split('/') |
83 | 85 | release_full = pieces[0] # eg v0.15.0.1-linux |
84 | 86 | release_num, platform = release_full.split('-') |
87 | + version_major = release_num.split('.')[1] | |
85 | 88 | assert_files.append({ |
86 | 89 | 'release_full': release_full, |
87 | 90 | 'release_num': release_num, |
88 | 91 | 'platform': platform, |
89 | 92 | 'path': assert_file, |
90 | - 'user': pieces[1]}) | |
93 | + 'user': pieces[1], | |
94 | + 'version_major': version_major}) | |
91 | 95 | return assert_files |
92 | 96 | |
93 | -def verify_gpg_sigs(assert_files): | |
97 | +def verify_gpg_sigs(sig_file_paths): | |
94 | 98 | print('Verifying signatures:') |
95 | 99 | is_verification_error = False |
96 | - for assert_file in assert_files: | |
97 | - sig_file = assert_file['path'] + '.sig' | |
100 | + for sig_file in sig_file_paths: | |
98 | 101 | print(' - ' + '{message: <{fill}}'.format(message=sig_file, fill='72'), end='') |
99 | 102 | result = verify_gpg_sig(sig_file) |
100 | 103 | if result.returncode != 0: |
101 | 104 | is_verification_error = True |
@@ -107,9 +110,44 @@ | ||
107 | 110 | sys.stderr.write('ERROR: One or more signatures failed verification.\n') |
108 | 111 | exit(1) |
109 | 112 | print('All signatures verified correctly.\n') |
110 | 113 | |
114 | +def verify_file_path_naming(assert_files, sig_file_paths, user_names): | |
115 | + path_pattern = '{release_num}-{platform}/{user}/monero-{platform}-0.{version_major}-build.assert' | |
116 | + print('Verifying file path naming...') | |
117 | + # Check that every sig has an assert: | |
118 | + if len(sig_file_paths) > len(assert_files): | |
119 | + sys.stderr.write("ERROR: One or more sig files doesn't have a matching assert file:\n") | |
120 | + assert_file_paths = [a['path'] for a in assert_files] | |
121 | + extra_sigs = [s for s in sig_file_paths if os.path.splitext(s)[0] not in assert_file_paths] | |
122 | + for extra_sig in extra_sigs: | |
123 | + sys.stderr.write(" - {0}\n".format(extra_sig)) | |
124 | + exit(1) | |
125 | + for assert_file in assert_files: | |
126 | + # Check assert file has a sig file: | |
127 | + if (assert_file['path'] + '.sig') not in sig_file_paths: | |
128 | + sys.stderr.write('ERROR: Assert file found without corresponding sig file:\n' + assert_file['path'] + '\n') | |
129 | + exit(1) | |
130 | + # Check assert user corresponds with a known GPG pubkey: | |
131 | + if assert_file['user'] not in user_names: | |
132 | + sys.stderr.write("ERROR: User '{user}' doesn't have a matching PGP key. Expected {folder}/{user}.asc\n".format(user=assert_file['user'], folder=GITIAN_PUBKEYS_DIR)) | |
133 | + sys.stderr.write(" * Found in path: {path}\n".format(path=assert_file['path'])) | |
134 | + exit(1) | |
135 | + # Check overall format of path (version num, platform, folder and file names): | |
136 | + expected_path = path_pattern.format(**assert_file) | |
137 | + if expected_path != assert_file['path']: | |
138 | + sys.stderr.write('ERROR: File path appears to be incorrect:\n{actual}\nExpected:\n{expected}\n'.format(actual=assert_file['path'], expected=expected_path)) | |
139 | + exit(1) | |
140 | + print('All file paths seem to be correct.\n') | |
141 | + | |
142 | +def get_user_names_from_keys(): | |
143 | + os.chdir(GITIAN_PUBKEYS_DIR) | |
144 | + user_names = [os.path.splitext(key)[0] for key in glob.glob('*.asc')] | |
145 | + os.chdir('../') | |
146 | + return user_names | |
147 | + | |
111 | 148 | def verify_gpg_sig(sig_file): |
149 | + # TODO: Verify correct user created the signature. | |
112 | 150 | return subprocess.run([GPG, '--verify', sig_file], capture_output=True, encoding='utf-8') |
113 | 151 | |
114 | 152 | def verify_checksums(assert_files): |
115 | 153 | print('Beginning binary checksum comparison...\n') |
Built with git-ssb-web