Browse Source

Whitelist commits signed with Pieter's now-revoked key

0.13
Matt Corallo 9 years ago
parent
commit
1d94b72019
  1. 2
      contrib/verify-commits/allow-revsig-commits
  2. 22
      contrib/verify-commits/gpg.sh
  3. 12
      contrib/verify-commits/verify-commits.sh

2
contrib/verify-commits/allow-revsig-commits

@ -0,0 +1,2 @@
586a29253dabec3ca0f1ccba9091daabd16b8411
eddaba7b5692288087a926da5733e86b47274e4e

22
contrib/verify-commits/gpg.sh

@ -1,15 +1,33 @@
#!/bin/sh #!/bin/sh
INPUT=$(</dev/stdin) INPUT=$(</dev/stdin)
VALID=false VALID=false
REVSIG=false
IFS=$'\n' IFS=$'\n'
for LINE in $(echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null); do for LINE in $(echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null); do
case "$LINE" in "[GNUPG:] VALIDSIG"*) case "$LINE" in
"[GNUPG:] VALIDSIG "*)
while read KEY; do while read KEY; do
case "$LINE" in "[GNUPG:] VALIDSIG $KEY "*) VALID=true;; esac case "$LINE" in "[GNUPG:] VALIDSIG $KEY "*) VALID=true;; esac
done < ./contrib/verify-commits/trusted-keys done < ./contrib/verify-commits/trusted-keys
;;
"[GNUPG:] REVKEYSIG "*)
[ "$BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG" != 1 ] && exit 1
while read KEY; do
case "$LINE" in "[GNUPG:] REVKEYSIG ${KEY:24:40} "*)
REVSIG=true
GOODREVSIG="[GNUPG:] GOODSIG ${KEY:24:40} "
;;
esac
done < ./contrib/verify-commits/trusted-keys
;;
esac esac
done done
if ! $VALID; then if ! $VALID; then
exit 1 exit 1
fi fi
echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null if $VALID && $REVSIG; then
echo "$INPUT" | gpg --trust-model always "$@" | grep "\[GNUPG:\] \(NEWSIG\|SIG_ID\|VALIDSIG\)" 2>/dev/null
echo "$GOODREVSIG"
else
echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null
fi

12
contrib/verify-commits/verify-commits.sh

@ -7,11 +7,23 @@ git log "$DIR"
VERIFIED_ROOT=$(cat "${DIR}/trusted-git-root") VERIFIED_ROOT=$(cat "${DIR}/trusted-git-root")
IS_REVSIG_ALLOWED () {
while read LINE; do
[ "$LINE" = "$1" ] && return 0
done < "${DIR}/allow-revsig-commits"
return 1
}
HAVE_FAILED=false HAVE_FAILED=false
IS_SIGNED () { IS_SIGNED () {
if [ $1 = $VERIFIED_ROOT ]; then if [ $1 = $VERIFIED_ROOT ]; then
return 0; return 0;
fi fi
if IS_REVSIG_ALLOWED "$1"; then
export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=1
else
export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=0
fi
if ! git -c "gpg.program=${DIR}/gpg.sh" verify-commit $1 > /dev/null 2>&1; then if ! git -c "gpg.program=${DIR}/gpg.sh" verify-commit $1 > /dev/null 2>&1; then
return 1; return 1;
fi fi

Loading…
Cancel
Save