diff options
-rw-r--r-- | .travis.yml | 2 | ||||
-rw-r--r-- | contrib/verify-commits/trusted-sha512-root-commit | 2 | ||||
-rwxr-xr-x | contrib/verify-commits/verify-commits.sh | 126 |
3 files changed, 67 insertions, 63 deletions
diff --git a/.travis.yml b/.travis.yml index ce6cdc2db0..8d20a7e1bb 100644 --- a/.travis.yml +++ b/.travis.yml @@ -51,7 +51,7 @@ before_script: - if [ -n "$OSX_SDK" -a -f depends/sdk-sources/MacOSX${OSX_SDK}.sdk.tar.gz ]; then tar -C depends/SDKs -xf depends/sdk-sources/MacOSX${OSX_SDK}.sdk.tar.gz; fi - make $MAKEJOBS -C depends HOST=$HOST $DEP_OPTS script: - - if [ "$CHECK_DOC" = 1 -a "$TRAVIS_REPO_SLUG" = "bitcoin/bitcoin" -a "$TRAVIS_PULL_REQUEST" = "false" ]; then while read LINE; do travis_retry gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys $LINE; done < contrib/verify-commits/trusted-keys; fi + - if [ "$CHECK_DOC" = 1 -a "$TRAVIS_REPO_SLUG" = "bitcoin/bitcoin" -a "$TRAVIS_PULL_REQUEST" = "false" ]; then while read LINE; do travis_retry gpg --keyserver hkp://subset.pool.sks-keyservers.net --recv-keys $LINE; done < contrib/verify-commits/trusted-keys; fi - if [ "$CHECK_DOC" = 1 -a "$TRAVIS_REPO_SLUG" = "bitcoin/bitcoin" -a "$TRAVIS_PULL_REQUEST" = "false" ]; then git fetch --unshallow; fi - if [ "$CHECK_DOC" = 1 -a "$TRAVIS_REPO_SLUG" = "bitcoin/bitcoin" -a "$TRAVIS_PULL_REQUEST" = "false" ]; then contrib/verify-commits/verify-commits.sh; fi - export TRAVIS_COMMIT_LOG=`git log --format=fuller -1` diff --git a/contrib/verify-commits/trusted-sha512-root-commit b/contrib/verify-commits/trusted-sha512-root-commit index c28f50ff78..7d41f90ad7 100644 --- a/contrib/verify-commits/trusted-sha512-root-commit +++ b/contrib/verify-commits/trusted-sha512-root-commit @@ -1 +1 @@ -f7ec7cfd38b543ba81ac7bed5b77f9a19739460b +309bf16257b2395ce502017be627186b749ee749 diff --git a/contrib/verify-commits/verify-commits.sh b/contrib/verify-commits/verify-commits.sh index 40c9341445..74b7f38375 100755 --- a/contrib/verify-commits/verify-commits.sh +++ b/contrib/verify-commits/verify-commits.sh @@ -3,9 +3,6 @@ # Distributed under the MIT software license, see the accompanying # file COPYING or http://www.opensource.org/licenses/mit-license.php. -# Not technically POSIX-compliant due to use of "local", but almost every -# shell anyone uses today supports it, so its probably fine - DIR=$(dirname "$0") [ "/${DIR#/}" != "$DIR" ] && DIR=$(dirname "$(pwd)/$0") @@ -16,14 +13,36 @@ VERIFIED_SHA512_ROOT=$(cat "${DIR}/trusted-sha512-root-commit") REVSIG_ALLOWED=$(cat "${DIR}/allow-revsig-commits") HAVE_FAILED=false -IS_SIGNED () { - if [ $1 = $VERIFIED_ROOT ]; then - return 0; + +HAVE_GNU_SHA512=1 +[ ! -x "$(which sha512sum)" ] && HAVE_GNU_SHA512=0 + +if [ x"$1" = "x" ]; then + CURRENT_COMMIT="HEAD" +else + CURRENT_COMMIT="$1" +fi + +if [ "${CURRENT_COMMIT#* }" != "$CURRENT_COMMIT" ]; then + echo "Commit must not contain spaces?" > /dev/stderr + exit 1 +fi + +VERIFY_TREE=0 +if [ x"$2" = "x--tree-checks" ]; then + VERIFY_TREE=1 +fi + +NO_SHA1=1 +PREV_COMMIT="" + +while true; do + if [ "$CURRENT_COMMIT" = $VERIFIED_ROOT ]; then + echo "There is a valid path from "$CURRENT_COMMIT" to $VERIFIED_ROOT where all commits are signed!" + exit 0; fi - VERIFY_TREE=$2 - NO_SHA1=$3 - if [ $1 = $VERIFIED_SHA512_ROOT ]; then + if [ "$CURRENT_COMMIT" = $VERIFIED_SHA512_ROOT ]; then if [ "$VERIFY_TREE" = "1" ]; then echo "All Tree-SHA512s matched up to $VERIFIED_SHA512_ROOT" > /dev/stderr fi @@ -37,92 +56,77 @@ IS_SIGNED () { export BITCOIN_VERIFY_COMMITS_ALLOW_SHA1=1 fi - if [ "${REVSIG_ALLOWED#*$1}" != "$REVSIG_ALLOWED" ]; then + if [ "${REVSIG_ALLOWED#*$CURRENT_COMMIT}" != "$REVSIG_ALLOWED" ]; then export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=1 else export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=0 fi - if ! git -c "gpg.program=${DIR}/gpg.sh" verify-commit $1 > /dev/null; then - return 1; + if ! git -c "gpg.program=${DIR}/gpg.sh" verify-commit "$CURRENT_COMMIT" > /dev/null; then + if [ "$PREV_COMMIT" != "" ]; then + echo "No parent of $PREV_COMMIT was signed with a trusted key!" > /dev/stderr + echo "Parents are:" > /dev/stderr + PARENTS=$(git show -s --format=format:%P $PREV_COMMIT) + for PARENT in $PARENTS; do + git show -s $PARENT > /dev/stderr + done + else + echo "$CURRENT_COMMIT was not signed with a trusted key!" > /dev/stderr + fi + exit 1 fi - # We set $4 to 1 on the first call, always verifying the top of the tree - if [ "$VERIFY_TREE" = 1 -o "$4" = "1" ]; then + # We always verify the top of the tree + if [ "$VERIFY_TREE" = 1 -o "$PREV_COMMIT" = "" ]; then IFS_CACHE="$IFS" IFS=' ' - for LINE in $(git ls-tree --full-tree -r $1); do + for LINE in $(git ls-tree --full-tree -r "$CURRENT_COMMIT"); do case "$LINE" in "12"*) echo "Repo contains symlinks" > /dev/stderr IFS="$IFS_CACHE" - return 1 + exit 1 ;; esac done IFS="$IFS_CACHE" FILE_HASHES="" - for FILE in $(git ls-tree --full-tree -r --name-only $1 | LC_ALL=C sort); do - HASH=$(git cat-file blob $1:"$FILE" | sha512sum | { read FIRST OTHER; echo $FIRST; } ) + for FILE in $(git ls-tree --full-tree -r --name-only "$CURRENT_COMMIT" | LC_ALL=C sort); do + if [ "$HAVE_GNU_SHA512" = 1 ]; then + HASH=$(git cat-file blob "$CURRENT_COMMIT":"$FILE" | sha512sum | { read FIRST OTHER; echo $FIRST; } ) + else + HASH=$(git cat-file blob "$CURRENT_COMMIT":"$FILE" | shasum -a 512 | { read FIRST OTHER; echo $FIRST; } ) + fi [ "$FILE_HASHES" != "" ] && FILE_HASHES="$FILE_HASHES"' ' FILE_HASHES="$FILE_HASHES$HASH $FILE" done + + if [ "$HAVE_GNU_SHA512" = 1 ]; then + TREE_HASH="$(echo "$FILE_HASHES" | sha512sum)" + else + TREE_HASH="$(echo "$FILE_HASHES" | shasum -a 512)" + fi HASH_MATCHES=0 - MSG="$(git show -s --format=format:%B $1 | tail -n1)" + MSG="$(git show -s --format=format:%B "$CURRENT_COMMIT" | tail -n1)" case "$MSG -" in - "Tree-SHA512: $(echo "$FILE_HASHES" | sha512sum)") + "Tree-SHA512: $TREE_HASH") HASH_MATCHES=1;; esac if [ "$HASH_MATCHES" = "0" ]; then - echo "Tree-SHA512 did not match for commit $1" > /dev/stderr - HAVE_FAILED=true - return 1 + echo "Tree-SHA512 did not match for commit $CURRENT_COMMIT" > /dev/stderr + exit 1 fi fi - local PARENTS - PARENTS=$(git show -s --format=format:%P $1) + PARENTS=$(git show -s --format=format:%P "$CURRENT_COMMIT") for PARENT in $PARENTS; do - if IS_SIGNED $PARENT $VERIFY_TREE $NO_SHA1 0; then - return 0; - fi + PREV_COMMIT="$CURRENT_COMMIT" + CURRENT_COMMIT="$PARENT" break done - if ! "$HAVE_FAILED"; then - echo "No parent of $1 was signed with a trusted key!" > /dev/stderr - echo "Parents are:" > /dev/stderr - for PARENT in $PARENTS; do - git show -s $PARENT > /dev/stderr - done - HAVE_FAILED=true - fi - return 1; -} - -if [ x"$1" = "x" ]; then - TEST_COMMIT="HEAD" -else - TEST_COMMIT="$1" -fi - -DO_CHECKOUT_TEST=0 -if [ x"$2" = "x--tree-checks" ]; then - DO_CHECKOUT_TEST=1 -fi - -IS_SIGNED "$TEST_COMMIT" "$DO_CHECKOUT_TEST" 1 1 -RES=$? -if [ "$RES" = 1 ]; then - if ! "$HAVE_FAILED"; then - echo "$TEST_COMMIT was not signed with a trusted key!" - fi -else - echo "There is a valid path from $TEST_COMMIT to $VERIFIED_ROOT where all commits are signed!" -fi - -exit $RES +done |