|
3 | 3 | shopt -s nullglob
|
4 | 4 |
|
5 | 5 | SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
|
| 6 | +readonly SCRIPT_DIR |
6 | 7 |
|
7 | 8 | # In the CI environment we would like to import trusted public keys from a file,
|
8 | 9 | # but not in our build environment
|
|
34 | 35 |
|
35 | 36 | if [[ "$import_gpg_keys" == "true" ]]; then
|
36 | 37 | GNUPGHOME=$(mktemp -d)
|
37 |
| - for key in $SCRIPT_DIR/keys/*; do |
38 |
| - gpg --import $key |
| 38 | + export GNUPGHOME |
| 39 | + for key in "$SCRIPT_DIR"/keys/*; do |
| 40 | + gpg --import "$key" |
39 | 41 | done
|
40 | 42 | fi
|
41 | 43 |
|
|
47 | 49 | # that follows the `paths` key.
|
48 | 50 | # It uses `tr` in order to turn the multi-lined file into a single-line that sed can parse
|
49 | 51 | # correctly. This is done by replacing all new-lines with a `;`
|
50 |
| -SEPARATOR=';' |
51 |
| -locked_down_files=$(cat $SCRIPT_DIR/../.github/workflows/verify-locked-down-signatures.yml \ |
52 |
| - | tr '\n' $SEPARATOR \ |
| 52 | +readonly SEPARATOR=';' |
| 53 | +locked_down_paths=$(\ |
| 54 | + < "$SCRIPT_DIR/../.github/workflows/verify-locked-down-signatures.yml" tr '\n' $SEPARATOR \ |
53 | 55 | | sed "s/.*paths:$SEPARATOR\(\(\s*-\s[a-zA-Z\/\.-]*$SEPARATOR\)*\).*/\1/" \
|
54 | 56 | | tr $SEPARATOR '\n' \
|
55 | 57 | | awk '{print $2}')
|
| 58 | +readonly locked_down_paths |
56 | 59 |
|
57 | 60 | unsigned_commits_exist=0
|
58 |
| -for locked_file in $locked_down_files; do |
| 61 | +for locked_path in $locked_down_paths; |
| 62 | +do |
| 63 | + locked_path_commit_hashes=$(git rev-list --oneline "$whitelisted_commit"..HEAD \ |
| 64 | + "$SCRIPT_DIR/../$locked_path" | awk '{print $1}') |
59 | 65 |
|
60 |
| - locked_file_commit_hashes=$(git rev-list --oneline $whitelisted_commit..HEAD \ |
61 |
| - $SCRIPT_DIR/../$locked_file | awk '{print $1}') |
62 |
| - |
63 |
| - for commit in $locked_file_commit_hashes; |
| 66 | + for commit in $locked_path_commit_hashes; |
64 | 67 | do
|
65 |
| - if ! $(git verify-commit $commit 2> /dev/null); then |
66 |
| - echo Commit $commit which changed $locked_file is not signed. |
| 68 | + if ! git verify-commit "$commit" 2> /dev/null; then |
| 69 | + echo "Commit $commit which changed $locked_path is not signed." |
67 | 70 | unsigned_commits_exist=1
|
68 | 71 | fi
|
69 | 72 | done
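Review bot: The loop at new lines 61–72 fails open when `locked_down_paths` comes back empty: the sed expression on line 55 only admits `[a-zA-Z\/\.-]` inside a path, so a `paths:` entry containing a digit, an underscore or a glob character (or any change to the workflow layout) silently truncates the list from that entry onward, the `for` runs zero times and `unsigned_commits_exist` stays 0. Add a guard directly after `readonly locked_down_paths`, e.g. `[[ -n "$locked_down_paths" ]] || { echo "No locked-down paths parsed from the workflow file." >&2; exit 1; }`, and consider widening the character class or reading the YAML with a dedicated parser instead of sed. The `git rev-list` call at 63–64 should separate the pathspec with `--` (`git rev-list --oneline "$whitelisted_commit"..HEAD -- "$SCRIPT_DIR/../$locked_path"`) so a locked path that no longer exists at HEAD is handled as a pathspec rather than, most likely, rejected as an ambiguous argument, which would abort the script if `set -e` is in force above this view instead of checking the remaining paths. The temporary `GNUPGHOME` created at line 37 is never removed; a `trap 'rm -rf -- "$GNUPGHOME"' EXIT` after `export GNUPGHOME` would avoid leaving the imported key material behind on the runner. The outer `for locked_path` loop closes outside the hunk, so I could not check what follows it.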
|
|