aboutsummaryrefslogtreecommitdiff
path: root/contrib/verify-commits
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/verify-commits')
-rwxr-xr-xcontrib/verify-commits/gpg.sh40
-rw-r--r--contrib/verify-commits/trusted-keys4
-rw-r--r--contrib/verify-commits/trusted-sha512-root-commit1
-rwxr-xr-xcontrib/verify-commits/verify-commits.sh149
4 files changed, 143 insertions, 51 deletions
diff --git a/contrib/verify-commits/gpg.sh b/contrib/verify-commits/gpg.sh
index 09ff237544..b01e2a6d39 100755
--- a/contrib/verify-commits/gpg.sh
+++ b/contrib/verify-commits/gpg.sh
@@ -8,21 +8,43 @@ VALID=false
REVSIG=false
IFS='
'
-for LINE in $(echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null); do
+if [ "$BITCOIN_VERIFY_COMMITS_ALLOW_SHA1" = 1 ]; then
+ GPG_RES="$(echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null)"
+else
+ # Note how we've disabled SHA1 with the --weak-digest option, disabling
+ # signatures - including selfsigs - that use SHA1. While you might think that
+ # collision attacks shouldn't be an issue as they'd be an attack on yourself,
+ # in fact because what's being signed is a commit object that's
+ # semi-deterministically generated by untrusted input (the pull-req) in theory
+ # an attacker could construct a pull-req that results in a commit object that
+ # they've created a collision for. Not the most likely attack, but preventing
+ # it is pretty easy so we do so as a "belt-and-suspenders" measure.
+ GPG_RES=""
+ for LINE in "$(gpg --version)"; do
+ case "$LINE" in
+ "gpg (GnuPG) 1.4.1"*|"gpg (GnuPG) 2.0."*)
+ echo "Please upgrade to at least gpg 2.1.10 to check for weak signatures" > /dev/stderr
+ GPG_RES="$(echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null)"
+ ;;
+ # We assume if you're running 2.1+, you're probably running 2.1.10+
+ # gpg will fail otherwise
+ # We assume if you're running 1.X, it is either 1.4.1X or 1.4.20+
+ # gpg will fail otherwise
+ esac
+ done
+ [ "$GPG_RES" = "" ] && GPG_RES="$(echo "$INPUT" | gpg --trust-model always --weak-digest sha1 "$@" 2>/dev/null)"
+fi
+for LINE in $(echo "$GPG_RES"); do
case "$LINE" in
"[GNUPG:] VALIDSIG "*)
while read KEY; do
- case "$LINE" in "[GNUPG:] VALIDSIG $KEY "*) VALID=true;; esac
+ [ "${LINE#?GNUPG:? VALIDSIG * * * * * * * * * }" = "$KEY" ] && VALID=true
done < ./contrib/verify-commits/trusted-keys
;;
"[GNUPG:] REVKEYSIG "*)
[ "$BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG" != 1 ] && exit 1
- while read KEY; do
- case "$LINE" in "[GNUPG:] REVKEYSIG ${KEY#????????????????????????} "*)
- REVSIG=true
- GOODREVSIG="[GNUPG:] GOODSIG ${KEY#????????????????????????} "
- esac
- done < ./contrib/verify-commits/trusted-keys
+ REVSIG=true
+ GOODREVSIG="[GNUPG:] GOODSIG ${LINE#* * *}"
;;
esac
done
@@ -30,7 +52,7 @@ if ! $VALID; then
exit 1
fi
if $VALID && $REVSIG; then
- echo "$INPUT" | gpg --trust-model always "$@" | grep "\[GNUPG:\] \(NEWSIG\|SIG_ID\|VALIDSIG\)" 2>/dev/null
+ echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null | grep "\[GNUPG:\] \(NEWSIG\|SIG_ID\|VALIDSIG\)"
echo "$GOODREVSIG"
else
echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null
diff --git a/contrib/verify-commits/trusted-keys b/contrib/verify-commits/trusted-keys
index 75242c2a97..5610692616 100644
--- a/contrib/verify-commits/trusted-keys
+++ b/contrib/verify-commits/trusted-keys
@@ -1,4 +1,4 @@
71A3B16735405025D447E8F274810B012346C9A6
-3F1888C6DCA92A6499C4911FDBA1A67379A1A931
+133EAC179436F14A5CF1B794860FEB804E669320
32EE5C4C3FA15CCADB46ABE529D4BCB6416F53EC
-FE09B823E6D83A3BC7983EAA2D7F2372E50FE137
+B8B3F1C0E58C15DB6A81D30C3648A882F4316B9B
diff --git a/contrib/verify-commits/trusted-sha512-root-commit b/contrib/verify-commits/trusted-sha512-root-commit
new file mode 100644
index 0000000000..7d41f90ad7
--- /dev/null
+++ b/contrib/verify-commits/trusted-sha512-root-commit
@@ -0,0 +1 @@
+309bf16257b2395ce502017be627186b749ee749
diff --git a/contrib/verify-commits/verify-commits.sh b/contrib/verify-commits/verify-commits.sh
index b2cebdf1a0..74b7f38375 100755
--- a/contrib/verify-commits/verify-commits.sh
+++ b/contrib/verify-commits/verify-commits.sh
@@ -3,61 +3,130 @@
# Distributed under the MIT software license, see the accompanying
# file COPYING or http://www.opensource.org/licenses/mit-license.php.
-# Not technically POSIX-compliant due to use of "local", but almost every
-# shell anyone uses today supports it, so its probably fine
-
DIR=$(dirname "$0")
[ "/${DIR#/}" != "$DIR" ] && DIR=$(dirname "$(pwd)/$0")
+echo "Using verify-commits data from ${DIR}"
+
VERIFIED_ROOT=$(cat "${DIR}/trusted-git-root")
+VERIFIED_SHA512_ROOT=$(cat "${DIR}/trusted-sha512-root-commit")
REVSIG_ALLOWED=$(cat "${DIR}/allow-revsig-commits")
HAVE_FAILED=false
-IS_SIGNED () {
- if [ $1 = $VERIFIED_ROOT ]; then
- return 0;
+
+HAVE_GNU_SHA512=1
+[ ! -x "$(which sha512sum)" ] && HAVE_GNU_SHA512=0
+
+if [ x"$1" = "x" ]; then
+ CURRENT_COMMIT="HEAD"
+else
+ CURRENT_COMMIT="$1"
+fi
+
+if [ "${CURRENT_COMMIT#* }" != "$CURRENT_COMMIT" ]; then
+ echo "Commit must not contain spaces?" > /dev/stderr
+ exit 1
+fi
+
+VERIFY_TREE=0
+if [ x"$2" = "x--tree-checks" ]; then
+ VERIFY_TREE=1
+fi
+
+NO_SHA1=1
+PREV_COMMIT=""
+
+while true; do
+ if [ "$CURRENT_COMMIT" = $VERIFIED_ROOT ]; then
+ echo "There is a valid path from "$CURRENT_COMMIT" to $VERIFIED_ROOT where all commits are signed!"
+ exit 0;
+ fi
+
+ if [ "$CURRENT_COMMIT" = $VERIFIED_SHA512_ROOT ]; then
+ if [ "$VERIFY_TREE" = "1" ]; then
+ echo "All Tree-SHA512s matched up to $VERIFIED_SHA512_ROOT" > /dev/stderr
+ fi
+ VERIFY_TREE=0
+ NO_SHA1=0
fi
- if [ "${REVSIG_ALLOWED#*$1}" != "$REVSIG_ALLOWED" ]; then
+
+ if [ "$NO_SHA1" = "1" ]; then
+ export BITCOIN_VERIFY_COMMITS_ALLOW_SHA1=0
+ else
+ export BITCOIN_VERIFY_COMMITS_ALLOW_SHA1=1
+ fi
+
+ if [ "${REVSIG_ALLOWED#*$CURRENT_COMMIT}" != "$REVSIG_ALLOWED" ]; then
export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=1
else
export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=0
fi
- if ! git -c "gpg.program=${DIR}/gpg.sh" verify-commit $1 > /dev/null 2>&1; then
- return 1;
- fi
- local PARENTS
- PARENTS=$(git show -s --format=format:%P $1)
- for PARENT in $PARENTS; do
- if IS_SIGNED $PARENT; then
- return 0;
+
+ if ! git -c "gpg.program=${DIR}/gpg.sh" verify-commit "$CURRENT_COMMIT" > /dev/null; then
+ if [ "$PREV_COMMIT" != "" ]; then
+ echo "No parent of $PREV_COMMIT was signed with a trusted key!" > /dev/stderr
+ echo "Parents are:" > /dev/stderr
+ PARENTS=$(git show -s --format=format:%P $PREV_COMMIT)
+ for PARENT in $PARENTS; do
+ git show -s $PARENT > /dev/stderr
+ done
+ else
+ echo "$CURRENT_COMMIT was not signed with a trusted key!" > /dev/stderr
fi
- break
- done
- if ! "$HAVE_FAILED"; then
- echo "No parent of $1 was signed with a trusted key!" > /dev/stderr
- echo "Parents are:" > /dev/stderr
- for PARENT in $PARENTS; do
- git show -s $PARENT > /dev/stderr
- done
- HAVE_FAILED=true
+ exit 1
fi
- return 1;
-}
-if [ x"$1" = "x" ]; then
- TEST_COMMIT="HEAD"
-else
- TEST_COMMIT="$1"
-fi
+ # We always verify the top of the tree
+ if [ "$VERIFY_TREE" = 1 -o "$PREV_COMMIT" = "" ]; then
+ IFS_CACHE="$IFS"
+ IFS='
+'
+ for LINE in $(git ls-tree --full-tree -r "$CURRENT_COMMIT"); do
+ case "$LINE" in
+ "12"*)
+ echo "Repo contains symlinks" > /dev/stderr
+ IFS="$IFS_CACHE"
+ exit 1
+ ;;
+ esac
+ done
+ IFS="$IFS_CACHE"
+
+ FILE_HASHES=""
+ for FILE in $(git ls-tree --full-tree -r --name-only "$CURRENT_COMMIT" | LC_ALL=C sort); do
+ if [ "$HAVE_GNU_SHA512" = 1 ]; then
+ HASH=$(git cat-file blob "$CURRENT_COMMIT":"$FILE" | sha512sum | { read FIRST OTHER; echo $FIRST; } )
+ else
+ HASH=$(git cat-file blob "$CURRENT_COMMIT":"$FILE" | shasum -a 512 | { read FIRST OTHER; echo $FIRST; } )
+ fi
+ [ "$FILE_HASHES" != "" ] && FILE_HASHES="$FILE_HASHES"'
+'
+ FILE_HASHES="$FILE_HASHES$HASH $FILE"
+ done
+
+ if [ "$HAVE_GNU_SHA512" = 1 ]; then
+ TREE_HASH="$(echo "$FILE_HASHES" | sha512sum)"
+ else
+ TREE_HASH="$(echo "$FILE_HASHES" | shasum -a 512)"
+ fi
+ HASH_MATCHES=0
+ MSG="$(git show -s --format=format:%B "$CURRENT_COMMIT" | tail -n1)"
-IS_SIGNED "$TEST_COMMIT"
-RES=$?
-if [ "$RES" = 1 ]; then
- if ! "$HAVE_FAILED"; then
- echo "$TEST_COMMIT was not signed with a trusted key!"
+ case "$MSG -" in
+ "Tree-SHA512: $TREE_HASH")
+ HASH_MATCHES=1;;
+ esac
+
+ if [ "$HASH_MATCHES" = "0" ]; then
+ echo "Tree-SHA512 did not match for commit $CURRENT_COMMIT" > /dev/stderr
+ exit 1
+ fi
fi
-else
- echo "There is a valid path from $TEST_COMMIT to $VERIFIED_ROOT where all commits are signed!"
-fi
-exit $RES
+ PARENTS=$(git show -s --format=format:%P "$CURRENT_COMMIT")
+ for PARENT in $PARENTS; do
+ PREV_COMMIT="$CURRENT_COMMIT"
+ CURRENT_COMMIT="$PARENT"
+ break
+ done
+done