aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatt Corallo <git@bluematt.me>2015-10-23 02:05:42 -0700
committerMatt Corallo <git@bluematt.me>2015-10-23 02:05:42 -0700
commit1d94b72019e31066b33947af5709383b8075e43a (patch)
treee83ac333adc4b84830cc4482bcee2abde9a15e26
parent27252b73894d00f9dbe27b664159b2a999683069 (diff)
Whitelist commits signed with Pieter's now-revoked key
-rw-r--r--contrib/verify-commits/allow-revsig-commits2
-rwxr-xr-xcontrib/verify-commits/gpg.sh22
-rwxr-xr-xcontrib/verify-commits/verify-commits.sh12
3 files changed, 34 insertions, 2 deletions
diff --git a/contrib/verify-commits/allow-revsig-commits b/contrib/verify-commits/allow-revsig-commits
new file mode 100644
index 0000000000..31aeb8f3d3
--- /dev/null
+++ b/contrib/verify-commits/allow-revsig-commits
@@ -0,0 +1,2 @@
+586a29253dabec3ca0f1ccba9091daabd16b8411
+eddaba7b5692288087a926da5733e86b47274e4e
diff --git a/contrib/verify-commits/gpg.sh b/contrib/verify-commits/gpg.sh
index 6b5137e7b5..0218b82e11 100755
--- a/contrib/verify-commits/gpg.sh
+++ b/contrib/verify-commits/gpg.sh
@@ -1,15 +1,33 @@
#!/bin/sh
INPUT=$(</dev/stdin)
VALID=false
+REVSIG=false
IFS=$'\n'
for LINE in $(echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null); do
- case "$LINE" in "[GNUPG:] VALIDSIG"*)
+ case "$LINE" in
+ "[GNUPG:] VALIDSIG "*)
while read KEY; do
case "$LINE" in "[GNUPG:] VALIDSIG $KEY "*) VALID=true;; esac
done < ./contrib/verify-commits/trusted-keys
+ ;;
+ "[GNUPG:] REVKEYSIG "*)
+ [ "$BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG" != 1 ] && exit 1
+ while read KEY; do
+ case "$LINE" in "[GNUPG:] REVKEYSIG ${KEY:24:40} "*)
+ REVSIG=true
+ GOODREVSIG="[GNUPG:] GOODSIG ${KEY:24:40} "
+ ;;
+ esac
+ done < ./contrib/verify-commits/trusted-keys
+ ;;
esac
done
if ! $VALID; then
exit 1
fi
-echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null
+if $VALID && $REVSIG; then
+ echo "$INPUT" | gpg --trust-model always "$@" | grep "\[GNUPG:\] \(NEWSIG\|SIG_ID\|VALIDSIG\)" 2>/dev/null
+ echo "$GOODREVSIG"
+else
+ echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null
+fi
diff --git a/contrib/verify-commits/verify-commits.sh b/contrib/verify-commits/verify-commits.sh
index 5841fa2077..9ba781008a 100755
--- a/contrib/verify-commits/verify-commits.sh
+++ b/contrib/verify-commits/verify-commits.sh
@@ -7,11 +7,23 @@ git log "$DIR"
VERIFIED_ROOT=$(cat "${DIR}/trusted-git-root")
+IS_REVSIG_ALLOWED () {
+ while read LINE; do
+ [ "$LINE" = "$1" ] && return 0
+ done < "${DIR}/allow-revsig-commits"
+ return 1
+}
+
HAVE_FAILED=false
IS_SIGNED () {
if [ $1 = $VERIFIED_ROOT ]; then
return 0;
fi
+ if IS_REVSIG_ALLOWED "$1"; then
+ export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=1
+ else
+ export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=0
+ fi
if ! git -c "gpg.program=${DIR}/gpg.sh" verify-commit $1 > /dev/null 2>&1; then
return 1;
fi