2020-07-16 18:51:46 -04:00
|
|
|
#!/bin/bash
|
|
|
|
set -eo pipefail
|
|
|
|
|
|
|
|
# Git reference
|
|
|
|
ref="${1:-HEAD}"
|
|
|
|
|
|
|
|
# Number of required signatures
|
|
|
|
required="${2:-"1"}"
|
|
|
|
|
|
|
|
# Options passed to git
|
|
|
|
git_options="${*:3}"
|
|
|
|
|
|
|
|
|
|
|
|
# GitHub Actions fix
|
2020-07-16 19:14:05 -04:00
|
|
|
if [ -e "/github/home/" ]; then
|
2020-07-16 18:51:46 -04:00
|
|
|
cp -r /root/.gnupg /github/home/
|
|
|
|
fi
|
|
|
|
|
|
|
|
# Show imported public keys
|
|
|
|
gpg --list-keys --keyid LONG
|
|
|
|
|
|
|
|
# Check signatures
|
|
|
|
raw_gpg_status=$(
|
|
|
|
# shellcheck disable=SC2086
|
|
|
|
git $git_options verify-commit --raw "$ref" 2>&1
|
|
|
|
tags="$(git tag --points-at "$ref")"
|
|
|
|
|
|
|
|
if [ -n "$tags" ]; then
|
|
|
|
# shellcheck disable=SC2046,SC2086
|
|
|
|
git $git_options verify-tag --raw $tags 2>&1
|
|
|
|
fi
|
|
|
|
)
|
|
|
|
|
|
|
|
goodsig=0
|
|
|
|
readarray -t status_line <<<"$raw_gpg_status"
|
|
|
|
# read -r -a info <<<"$status"
|
|
|
|
for status in "${status_line[@]}"; do
|
|
|
|
#readarray -t -d" " info <<<"$status"
|
|
|
|
read -r -a info <<<"$status"
|
|
|
|
|
|
|
|
case "${info[1]}" in
|
|
|
|
"GOODSIG")
|
|
|
|
echo "Verified signature from ${info[2]}"
|
|
|
|
((goodsig++)) || true
|
|
|
|
;;
|
|
|
|
|
|
|
|
"NO_PUBKEY")
|
|
|
|
echo "WARNING: Missing public key for ${info[2]}"
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
done
|
|
|
|
|
|
|
|
echo "RESULT: Found $goodsig good signatures"
|
|
|
|
|
|
|
|
if [ "$goodsig" -lt "$required" ]; then
|
|
|
|
echo "FAIL: Not enough signatures ($required was required)"
|
|
|
|
exit 1
|
|
|
|
else
|
|
|
|
exit 0
|
|
|
|
fi
|