author | Andrew Chow <github@achow101.com> | 2023-02-07 14:01:47 -0500 |
---|---|---|
committer | Andrew Chow <github@achow101.com> | 2023-02-16 12:47:00 -0500 |
commit | bb86887527d817ee2a015863ddf3541dac42080f (patch) | |
tree | a2fa4a1df10238704346da43b4cc525bbb7b93ec /contrib/verify-commits/verify-commits.py | |
parent | 5497c1483097a9b582ef78089a2ce1101b7d722e (diff) |
verify-commits: Skip checks for commits older than trusted roots
Diffstat (limited to 'contrib/verify-commits/verify-commits.py')
-rwxr-xr-x | contrib/verify-commits/verify-commits.py | 23 |
1 files changed, 19 insertions, 4 deletions
diff --git a/contrib/verify-commits/verify-commits.py b/contrib/verify-commits/verify-commits.py
index 5c37fbcbfe..f301964280 100755
--- a/contrib/verify-commits/verify-commits.py
+++ b/contrib/verify-commits/verify-commits.py
@@ -114,11 +114,26 @@ def main():
         if current_commit == verified_root:
             print('There is a valid path from "{}" to {} where all commits are signed!'.format(initial_commit, verified_root))
             sys.exit(0)
-        if current_commit == verified_sha512_root:
-            if verify_tree:
+        else:
+            # Make sure this commit isn't older than trusted roots
+            check_root_older_res = subprocess.run([GIT, "merge-base", "--is-ancestor", verified_root, current_commit])
+            if check_root_older_res.returncode != 0:
+                print(f"\"{current_commit}\" predates the trusted root, stopping!")
+                sys.exit(0)
+
+        if verify_tree:
+            if current_commit == verified_sha512_root:
                 print("All Tree-SHA512s matched up to {}".format(verified_sha512_root), file=sys.stderr)
-            verify_tree = False
-            no_sha1 = False
+                verify_tree = False
+                no_sha1 = False
+            else:
+                # Skip the tree check if we are older than the trusted root
+                check_root_older_res = subprocess.run([GIT, "merge-base", "--is-ancestor", verified_sha512_root, current_commit])
+                if check_root_older_res.returncode != 0:
+                    print(f"\"{current_commit}\" predates the trusted SHA512 root, disabling tree verification.")
+                    verify_tree = False
+                    no_sha1 = False
+
 
         os.environ['BITCOIN_VERIFY_COMMITS_ALLOW_SHA1'] = "0" if no_sha1 else "1"
         allow_revsig = current_commit in revsig_allowed
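Review bot: Both new `--is-ancestor` checks treat every non-zero exit as "predates the trusted root", but `git merge-base --is-ancestor` answers "not an ancestor" with status 1 and reports a real error (unknown revision, corrupt object, I/O failure) with a non-zero status other than 1, so in the first branch a git failure makes the script `sys.exit(0)` without having verified the chain, and in the second it silently disables tree verification and permits SHA1 (`verify_tree = False`, `no_sha1 = False`). A verifier whose purpose is to refuse unverified history should fail closed here: treat `returncode == 1` as the not-an-ancestor case and any other non-zero status as fatal with a non-zero exit. The second branch's message would also be better on stderr, matching the neighbouring "All Tree-SHA512s matched" print, so stdout stays clean for callers that parse it. main() continues outside the hunk.
```python
        else:
            # Make sure this commit isn't older than trusted roots
            check_root_older_res = subprocess.run([GIT, "merge-base", "--is-ancestor", verified_root, current_commit])
            if check_root_older_res.returncode == 1:
                print(f"\"{current_commit}\" predates the trusted root, stopping!")
                sys.exit(0)
            elif check_root_older_res.returncode != 0:
                # Any status other than 0/1 is a git error, not an ancestry answer: fail closed
                print(f"git merge-base failed for \"{current_commit}\" (status {check_root_older_res.returncode})", file=sys.stderr)
                sys.exit(1)
        # … unchanged: `if verify_tree:` / `if current_commit == verified_sha512_root:` branch …
            else:
                # Skip the tree check if we are older than the trusted root
                check_root_older_res = subprocess.run([GIT, "merge-base", "--is-ancestor", verified_sha512_root, current_commit])
                if check_root_older_res.returncode == 1:
                    print(f"\"{current_commit}\" predates the trusted SHA512 root, disabling tree verification.", file=sys.stderr)
                    verify_tree = False
                    no_sha1 = False
                elif check_root_older_res.returncode != 0:
                    print(f"git merge-base failed for \"{current_commit}\" (status {check_root_older_res.returncode})", file=sys.stderr)
                    sys.exit(1)
```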