From 957bccfe2f979f80eb99fe63f479b5f9facd5723 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Fri, 7 Apr 2023 14:31:01 +1000 Subject: [PATCH] scripts: release: add verification checks for signing keys We need to make sure the release is being signed by a key that is actually listed as a trusted signing key, and we also need to ask the person cutting the release whether the list of trusted keys is acceptable. Also add some verification checks after a release is signed to make sure everything was signed with the correct keys. Signed-off-by: Aleksa Sarai --- script/release_sign.sh | 71 ++++++++++++++++++++++++++++++++++++------ 1 file changed, 61 insertions(+), 10 deletions(-) diff --git a/script/release_sign.sh b/script/release_sign.sh index 8cc224ac6..e66a81bc7 100755 --- a/script/release_sign.sh +++ b/script/release_sign.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (C) 2017 SUSE LLC. -# Copyright (C) 2017-2021 Open Containers Authors +# Copyright (C) 2017-2023 SUSE LLC. +# Copyright (C) 2017-2023 Open Containers Authors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,7 +14,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -set -e +set -Eeuo pipefail project="runc" root="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/..")" @@ -28,15 +28,21 @@ function usage() { # Log something to stderr. function log() { - echo "[*] $*" >&2 + echo "[*]" "$@" >&2 } # Log something to stderr and then exit with 0. -function bail() { +function quit() { log "$@" exit 0 } +# Log something to stderr and then exit with 1. +function bail() { + log "$@" + exit 1 +} + # Conduct a sanity-check to make sure that GPG provided with the given # arguments can sign something. Inability to sign things is not a fatal error. function gpg_cansign() { @@ -86,17 +92,47 @@ log "signing $project release in '$releasedir'" log " key: ${keyid:-DEFAULT}" log " hash: $hashcmd" -# Make explicit what we're doing. -set -x - # Set up the gpgflags. gpgflags=() [[ "$keyid" ]] && gpgflags=(--default-key "$keyid") -gpg_cansign "${gpgflags[@]}" || bail "Could not find suitable GPG key, skipping signing step." +gpg_cansign "${gpgflags[@]}" || quit "Could not find suitable GPG key, skipping signing step." + +# Make explicit what we're doing. +set -x + +# Check that the keyid is actually in the $project.keyring by signing a piece +# of dummy text then verifying it against the list of keys in that keyring. +tmp_gpgdir="$(mktemp -d --tmpdir "$project-sign-tmpkeyring.XXXXXX")" +trap 'rm -r "$tmp_gpgdir"' EXIT + +tmp_runc_gpgflags=("--no-default-keyring" "--keyring=$tmp_gpgdir/$project.keyring") +gpg "${tmp_runc_gpgflags[@]}" --import <"$root/$project.keyring" + +tmp_seccomp_gpgflags=("--no-default-keyring" "--keyring=$tmp_gpgdir/seccomp.keyring") +gpg "${tmp_seccomp_gpgflags[@]}" --recv-keys 0x47A68FCE37C7D7024FD65E11356CE62C2B524099 +gpg "${tmp_seccomp_gpgflags[@]}" --recv-keys 0x7100AADFAE6E6E940D2E0AD655E45A5AE8CA7C8A + +gpg "${gpgflags[@]}" --clear-sign <<<"[This is test text used for $project release scripts. $(date --rfc-email)]" | + gpg "${tmp_runc_gpgflags[@]}" --verify || bail "Signing key ${keyid:-DEFAULT} is not in trusted $project.keyring list!" + +# Make sure the signer is okay with the list of keys in the keyring (once this +# release is signed, distributions will trust this keyring). +cat >&2 <