Browse Source

Allow to whitelist commits signed with a revoked key

(cherry picked from commit 1d94b72019)
pull/118/head
Matt Corallo 5 years ago
parent
commit
fe83a6df80

+ 0
- 0
contrib/verify-commits/allow-revsig-commits View File


+ 20
- 2
contrib/verify-commits/gpg.sh View File

@@ -1,15 +1,33 @@
#!/bin/sh
INPUT=$(</dev/stdin)
VALID=false
REVSIG=false
IFS=$'\n'
for LINE in $(echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null); do
case "$LINE" in "[GNUPG:] VALIDSIG"*)
case "$LINE" in
"[GNUPG:] VALIDSIG "*)
while read KEY; do
case "$LINE" in "[GNUPG:] VALIDSIG $KEY "*) VALID=true;; esac
done < ./contrib/verify-commits/trusted-keys
;;
"[GNUPG:] REVKEYSIG "*)
[ "$BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG" != 1 ] && exit 1
while read KEY; do
case "$LINE" in "[GNUPG:] REVKEYSIG ${KEY:24:40} "*)
REVSIG=true
GOODREVSIG="[GNUPG:] GOODSIG ${KEY:24:40} "
;;
esac
done < ./contrib/verify-commits/trusted-keys
;;
esac
done
if ! $VALID; then
exit 1
fi
echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null
if $VALID && $REVSIG; then
echo "$INPUT" | gpg --trust-model always "$@" | grep "\[GNUPG:\] \(NEWSIG\|SIG_ID\|VALIDSIG\)" 2>/dev/null
echo "$GOODREVSIG"
else
echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null
fi

+ 12
- 0
contrib/verify-commits/verify-commits.sh View File

@@ -7,11 +7,23 @@ git log "$DIR"

VERIFIED_ROOT=$(cat "${DIR}/trusted-git-root")

IS_REVSIG_ALLOWED () {
while read LINE; do
[ "$LINE" = "$1" ] && return 0
done < "${DIR}/allow-revsig-commits"
return 1
}

HAVE_FAILED=false
IS_SIGNED () {
if [ $1 = $VERIFIED_ROOT ]; then
return 0;
fi
if IS_REVSIG_ALLOWED "$1"; then
export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=1
else
export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=0
fi
if ! git -c "gpg.program=${DIR}/gpg.sh" verify-commit $1 > /dev/null 2>&1; then
return 1;
fi

Loading…
Cancel
Save