Make verification script buildserver friendly

user · user · commit 1643a8fb9093 · 2022-06-03T16:52:56.000+02:00
Add better argument parsing for locked down files verification script
which accepts --whitelist &lt;commit&gt; and --import-gpg-keys arguments.
The default settings are supposed to work on the build server without
importing the gpg keys from the trusted_keys.pub file and running with a
hardcoded whitelist commit.

Make the CI workflow use these arguments as it is supposed to in
.github.
diff --git a/.github/workflows/verify-locked-down-signatures.yml b/.github/workflows/verify-locked-down-signatures.yml
@@ -20,4 +20,4 @@ jobs:
                     # Prepare enough depth for diffs with master
                     git fetch --depth="$(( commits + 1 ))" origin ${{ github.head_ref }} master
                 fi
-                ci/verify-locked-down-signatures.sh origin/master
+                ci/verify-locked-down-signatures.sh --import-gpg-keys --whitelist origin/master
diff --git a/ci/verify-locked-down-signatures.sh b/ci/verify-locked-down-signatures.sh
@@ -2,23 +2,49 @@
 set -eu
 shopt -s nullglob
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-# Import the trusted keys that we verify with
-GNUPGHOME=$(mktemp -d)
-gpg --import --armor $SCRIPT_DIR/trusted_keys.pub
-
+# In the CI environment we would like to import trusted public keys from a file, but not in our build environment
+import_gpg_keys="false"
 # The policy of enforcing lockfiles to be signed was not in place before this commit and as such some of the commits before are not signed
-# The whitelisted commit can be set in order to allow github actions to only check since origin/master
-WHITELIST_COMMIT=${1:-"origin/master"}
+# The whitelisted commit can be set in order to allow github actions to only check changes since origin/master
+whitelisted_commit="5d41b8a1d9745fbb3ff81ea6ea2eb8f202ca7ed0"
+
+while [ ! $# -eq 0 ]; do
+    case "$1" in
+        "--import-gpg-keys")
+            import_gpg_keys="true"
+            ;;
+        "--whitelist")
+            whitelisted_commit="$2"
+            shift
+            ;;
+        -*)
+            echo "Unknown option \"$1\"
+The options are --import-gpg-keys and --whitelist"
+            exit 1
+            ;;
+        *)
+            echo "Unknown argument
+The options are --import-gpg-keys and --whitelist"
+            exit 1
+            ;;
+    esac
+    shift
+done
+
+if [[ "$import_gpg_keys" == "true" ]]; then
+    GNUPGHOME=$(mktemp -d)
+    gpg --import --armor $SCRIPT_DIR/trusted_keys.pub
+fi
 
 unsigned_commits_exist=0
 LOCKED_DOWN_FILES=$(cat $SCRIPT_DIR/locked_down_files.txt)
 for locked_file in $LOCKED_DOWN_FILES;
 do
-    locked_file_commit_hashes=$(git rev-list --oneline $WHITELIST_COMMIT..HEAD $SCRIPT_DIR/../$locked_file | awk '{print $1}')
+    locked_file_commit_hashes=$(git rev-list --oneline $whitelisted_commit..HEAD $SCRIPT_DIR/../$locked_file | awk '{print $1}')
     for commit in $locked_file_commit_hashes;
     do
         if ! $(git verify-commit $commit 2> /dev/null); then
-            echo Commit $commit changed $locked_file and is not signed.
+            echo Commit $commit which changed $locked_file is not signed.
             unsigned_commits_exist=1
         fi
     done
