scripts: release: add verification checks for signing keys

We need to make sure the release is being signed by a key that is
actually listed as a trusted signing key, and we also need to ask the
person cutting the release whether the list of trusted keys is
acceptable.

Also add some verification checks after a release is signed to make sure
everything was signed with the correct keys.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
This commit is contained in:
Aleksa Sarai
2023-04-07 14:31:01 +10:00
parent 872149470b
commit 957bccfe2f
+61 -10
View File
@@ -1,6 +1,6 @@
#!/bin/bash
# Copyright (C) 2017 SUSE LLC.
# Copyright (C) 2017-2021 Open Containers Authors
# Copyright (C) 2017-2023 SUSE LLC.
# Copyright (C) 2017-2023 Open Containers Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -14,7 +14,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
set -Eeuo pipefail
project="runc"
root="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/..")"
@@ -28,15 +28,21 @@ function usage() {
# Log something to stderr.
function log() {
echo "[*] $*" >&2
echo "[*]" "$@" >&2
}
# Log something to stderr and then exit with 0.
function bail() {
function quit() {
log "$@"
exit 0
}
# Log something to stderr and then exit with 1.
function bail() {
log "$@"
exit 1
}
# Conduct a sanity-check to make sure that GPG provided with the given
# arguments can sign something. Inability to sign things is not a fatal error.
function gpg_cansign() {
@@ -86,17 +92,47 @@ log "signing $project release in '$releasedir'"
log " key: ${keyid:-DEFAULT}"
log " hash: $hashcmd"
# Make explicit what we're doing.
set -x
# Set up the gpgflags.
gpgflags=()
[[ "$keyid" ]] && gpgflags=(--default-key "$keyid")
gpg_cansign "${gpgflags[@]}" || bail "Could not find suitable GPG key, skipping signing step."
gpg_cansign "${gpgflags[@]}" || quit "Could not find suitable GPG key, skipping signing step."
# Make explicit what we're doing.
set -x
# Check that the keyid is actually in the $project.keyring by signing a piece
# of dummy text then verifying it against the list of keys in that keyring.
tmp_gpgdir="$(mktemp -d --tmpdir "$project-sign-tmpkeyring.XXXXXX")"
trap 'rm -r "$tmp_gpgdir"' EXIT
tmp_runc_gpgflags=("--no-default-keyring" "--keyring=$tmp_gpgdir/$project.keyring")
gpg "${tmp_runc_gpgflags[@]}" --import <"$root/$project.keyring"
tmp_seccomp_gpgflags=("--no-default-keyring" "--keyring=$tmp_gpgdir/seccomp.keyring")
gpg "${tmp_seccomp_gpgflags[@]}" --recv-keys 0x47A68FCE37C7D7024FD65E11356CE62C2B524099
gpg "${tmp_seccomp_gpgflags[@]}" --recv-keys 0x7100AADFAE6E6E940D2E0AD655E45A5AE8CA7C8A
gpg "${gpgflags[@]}" --clear-sign <<<"[This is test text used for $project release scripts. $(date --rfc-email)]" |
gpg "${tmp_runc_gpgflags[@]}" --verify || bail "Signing key ${keyid:-DEFAULT} is not in trusted $project.keyring list!"
# Make sure the signer is okay with the list of keys in the keyring (once this
# release is signed, distributions will trust this keyring).
cat >&2 <<EOF
== PLEASE VERIFY THE FOLLOWING KEYS ==
The sources for this release will contain the following signing keys as
"trusted", meaning that distributions may trust the keys to sign future
releases. Please make sure that only authorised users' keys are listed.
$(gpg "${tmp_runc_gpgflags[@]}" --list-keys)
[ Press ENTER to continue. ]
EOF
read -r
# Only needed for local signing -- change the owner since by default it's built
# inside a container which means it'll have the wrong owner and permissions.
[ -w "$releasedir" ] || sudo chown -R "$USER:$GROUP" "$releasedir"
[ -w "$releasedir" ] || sudo chown -R "$(id -u):$(id -g)" "$releasedir"
# Sign everything.
for bin in "$releasedir/$project".*; do
@@ -106,3 +142,18 @@ done
gpg "${gpgflags[@]}" --clear-sign --armor \
--output "$releasedir/$project.$hashcmd"{.tmp,} &&
mv "$releasedir/$project.$hashcmd"{.tmp,}
# Verify that all the signatures and shasum are correct.
pushd "$releasedir"
# Verify project-signed detached signatures.
find . -name "$project.*.asc" -print0 | xargs -0 -L1 gpg "${tmp_runc_gpgflags[@]}" --verify --
# Verify shasum.
"$hashcmd" -c "$project.$hashcmd"
gpg "${tmp_runc_gpgflags[@]}" --verify "$project.$hashcmd"
# Verify seccomp tarball.
gpg "${tmp_seccomp_gpgflags[@]}" --verify libseccomp*.asc
popd