mirror of
https://github.com/opencontainers/runc.git
synced 2026-07-11 06:03:57 +08:00
scripts: release: add verification checks for signing keys
We need to make sure the release is being signed by a key that is actually listed as a trusted signing key, and we also need to ask the person cutting the release whether the list of trusted keys is acceptable. Also add some verification checks after a release is signed to make sure everything was signed with the correct keys. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
This commit is contained in:
+61
-10
@@ -1,6 +1,6 @@
|
||||
#!/bin/bash
|
||||
# Copyright (C) 2017 SUSE LLC.
|
||||
# Copyright (C) 2017-2021 Open Containers Authors
|
||||
# Copyright (C) 2017-2023 SUSE LLC.
|
||||
# Copyright (C) 2017-2023 Open Containers Authors
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
@@ -14,7 +14,7 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
set -e
|
||||
set -Eeuo pipefail
|
||||
|
||||
project="runc"
|
||||
root="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/..")"
|
||||
@@ -28,15 +28,21 @@ function usage() {
|
||||
|
||||
# Log something to stderr.
|
||||
function log() {
|
||||
echo "[*] $*" >&2
|
||||
echo "[*]" "$@" >&2
|
||||
}
|
||||
|
||||
# Log something to stderr and then exit with 0.
|
||||
function bail() {
|
||||
function quit() {
|
||||
log "$@"
|
||||
exit 0
|
||||
}
|
||||
|
||||
# Log something to stderr and then exit with 1.
|
||||
function bail() {
|
||||
log "$@"
|
||||
exit 1
|
||||
}
|
||||
|
||||
# Conduct a sanity-check to make sure that GPG provided with the given
|
||||
# arguments can sign something. Inability to sign things is not a fatal error.
|
||||
function gpg_cansign() {
|
||||
@@ -86,17 +92,47 @@ log "signing $project release in '$releasedir'"
|
||||
log " key: ${keyid:-DEFAULT}"
|
||||
log " hash: $hashcmd"
|
||||
|
||||
# Make explicit what we're doing.
|
||||
set -x
|
||||
|
||||
# Set up the gpgflags.
|
||||
gpgflags=()
|
||||
[[ "$keyid" ]] && gpgflags=(--default-key "$keyid")
|
||||
gpg_cansign "${gpgflags[@]}" || bail "Could not find suitable GPG key, skipping signing step."
|
||||
gpg_cansign "${gpgflags[@]}" || quit "Could not find suitable GPG key, skipping signing step."
|
||||
|
||||
# Make explicit what we're doing.
|
||||
set -x
|
||||
|
||||
# Check that the keyid is actually in the $project.keyring by signing a piece
|
||||
# of dummy text then verifying it against the list of keys in that keyring.
|
||||
tmp_gpgdir="$(mktemp -d --tmpdir "$project-sign-tmpkeyring.XXXXXX")"
|
||||
trap 'rm -r "$tmp_gpgdir"' EXIT
|
||||
|
||||
tmp_runc_gpgflags=("--no-default-keyring" "--keyring=$tmp_gpgdir/$project.keyring")
|
||||
gpg "${tmp_runc_gpgflags[@]}" --import <"$root/$project.keyring"
|
||||
|
||||
tmp_seccomp_gpgflags=("--no-default-keyring" "--keyring=$tmp_gpgdir/seccomp.keyring")
|
||||
gpg "${tmp_seccomp_gpgflags[@]}" --recv-keys 0x47A68FCE37C7D7024FD65E11356CE62C2B524099
|
||||
gpg "${tmp_seccomp_gpgflags[@]}" --recv-keys 0x7100AADFAE6E6E940D2E0AD655E45A5AE8CA7C8A
|
||||
|
||||
gpg "${gpgflags[@]}" --clear-sign <<<"[This is test text used for $project release scripts. $(date --rfc-email)]" |
|
||||
gpg "${tmp_runc_gpgflags[@]}" --verify || bail "Signing key ${keyid:-DEFAULT} is not in trusted $project.keyring list!"
|
||||
|
||||
# Make sure the signer is okay with the list of keys in the keyring (once this
|
||||
# release is signed, distributions will trust this keyring).
|
||||
cat >&2 <<EOF
|
||||
== PLEASE VERIFY THE FOLLOWING KEYS ==
|
||||
|
||||
The sources for this release will contain the following signing keys as
|
||||
"trusted", meaning that distributions may trust the keys to sign future
|
||||
releases. Please make sure that only authorised users' keys are listed.
|
||||
|
||||
$(gpg "${tmp_runc_gpgflags[@]}" --list-keys)
|
||||
|
||||
[ Press ENTER to continue. ]
|
||||
EOF
|
||||
read -r
|
||||
|
||||
# Only needed for local signing -- change the owner since by default it's built
|
||||
# inside a container which means it'll have the wrong owner and permissions.
|
||||
[ -w "$releasedir" ] || sudo chown -R "$USER:$GROUP" "$releasedir"
|
||||
[ -w "$releasedir" ] || sudo chown -R "$(id -u):$(id -g)" "$releasedir"
|
||||
|
||||
# Sign everything.
|
||||
for bin in "$releasedir/$project".*; do
|
||||
@@ -106,3 +142,18 @@ done
|
||||
gpg "${gpgflags[@]}" --clear-sign --armor \
|
||||
--output "$releasedir/$project.$hashcmd"{.tmp,} &&
|
||||
mv "$releasedir/$project.$hashcmd"{.tmp,}
|
||||
|
||||
# Verify that all the signatures and shasum are correct.
|
||||
pushd "$releasedir"
|
||||
|
||||
# Verify project-signed detached signatures.
|
||||
find . -name "$project.*.asc" -print0 | xargs -0 -L1 gpg "${tmp_runc_gpgflags[@]}" --verify --
|
||||
|
||||
# Verify shasum.
|
||||
"$hashcmd" -c "$project.$hashcmd"
|
||||
gpg "${tmp_runc_gpgflags[@]}" --verify "$project.$hashcmd"
|
||||
|
||||
# Verify seccomp tarball.
|
||||
gpg "${tmp_seccomp_gpgflags[@]}" --verify libseccomp*.asc
|
||||
|
||||
popd
|
||||
|
||||
Reference in New Issue
Block a user