1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
|
#!/bin/bash
# SPDX-License-Identifier: Apache-2.0
# Copyright (C) 2023-2025 SUSE LLC.
# Copyright (C) 2023 Open Containers Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -Eeuo pipefail
project="umoci"
root="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/..")"
function log() {
echo "[*]" "$@" >&2
}
function bail() {
log "$@"
exit 1
}
# Temporary GPG keyring for messing around with.
tmp_gpgdir="$(mktemp -d --tmpdir "$project-validate-tmpkeyring.XXXXXX")"
trap 'rm -r "$tmp_gpgdir"' EXIT
function gpg_user() {
local user=$1
shift
gpg --homedir="$tmp_gpgdir" --no-default-keyring --keyring="$user.keyring" "$@"
}
# Get the set of MAINTAINERS.
readarray -t maintainers < <(sed -E 's|.* <.*> \(@?(.*)\)$|\1|' <"$root/MAINTAINERS")
echo "------------------------------------------------------------"
echo "$project maintainers:"
printf " * %s\n" "${maintainers[@]}"
echo "------------------------------------------------------------"
# Create a dummy gpg keyring from the set of MAINTAINERS.
while IFS="" read -r username || [ -n "$username" ]; do
curl -sSL "https://github.com/$username.gpg" | gpg_user "$username" --import
done < <(printf '%s\n' "${maintainers[@]}")
# Make sure all of the keys in the keyring have a github=... comment.
awk <"$root/$project.keyring" '
/^-----BEGIN PGP PUBLIC KEY BLOCK-----$/ { key_idx++; in_pgp=1; has_comment=0; }
# PGP comments are never broken up over several lines, and we only have one
# comment entry in our keyring file anyway.
in_pgp && /^Comment:.* github=\w+.*/ { has_comment=1 }
/^-----END PGP PUBLIC KEY BLOCK-----$/ {
if (!has_comment) {
print "[!] Key", key_idx, "in '$project'.keyring is missing a github= comment."
exit 1
}
}
'
echo "------------------------------------------------------------"
echo "$project release managers:"
sed -En "s|^Comment:.* github=(\w+).*| * \1|p" <"$root/$project.keyring" | sort -u
echo "------------------------------------------------------------"
gpg --show-keys <"$root/$project.keyring"
echo "------------------------------------------------------------"
# Check that each entry in the keyring is actually a maintainer's key.
while IFS="" read -d $'\0' -r block || [ -n "$block" ]; do
username="$(sed -En "s|^Comment:.* github=(\w+).*|\1|p" <<<"$block")"
# FIXME: This is to work around codespell thinking that f-p-r is a
# misspelling of some other word, and the lack of support for inline
# ignores in codespell.
fprfield="f""p""r"
# Check the username is actually a maintainer. This is just a sanity check,
# since you can put whatever you like in the Comment field.
[ -f "$tmp_gpgdir/$username.keyring" ] || bail "User $username in $project.keyring is not a maintainer!"
grep "(@$username)$" "$root/MAINTAINERS" >/dev/null || bail "User $username in $project.keyring is not a maintainer!"
# Check that the key in the block actually matches a known key for that
# maintainer. Note that a block can contain multiple keys, so we need to
# check all of them. Since we have to handle multiple keys anyway, we'll
# also verify all of the subkeys (this is simpler to implement anyway since
# the --with-colons format outputs fingerprints for both primary and
# subkeys in the same way).
#
# Fingerprints have a field 1 of $fprfield and field 10 containing the
# fingerprint. See <https://github.com/gpg/gnupg/blob/master/doc/DETAILS>
# for more details.
while IFS="" read -r key || [ -n "$key" ]; do
gpg_user "$username" --list-keys --with-colons | grep "$fprfield:::::::::$key:" >/dev/null ||
bail "(Sub?)Key $key in $project.keyring is NOT actually one of $username's keys!"
log "Successfully verified $username's (sub?)key $key is legitimate."
done < <(gpg --show-keys --with-colons <<<"$block" |
grep "^$fprfield:" | cut -d: -f10)
done < <(awk <"$root/$project.keyring" '
/^-----BEGIN PGP PUBLIC KEY BLOCK-----$/ { in_block=1 }
in_block { print }
/^-----END PGP PUBLIC KEY BLOCK-----$/ { in_block=0; printf("\0"); }
')
|
