Merge #9940: Fix verify-commits on OSX, update for new bad Tree-SHA512, point travis to different keyservers
df5bae2Update trusted-sha512-root-commit for new bad tree hash (Matt Corallo)efc06c2If GNU sha512sum is missing, try perl shasum in verify-commits (Matt Corallo)8ed849fFix travis failing to fetch keys from the sks keyserver pool (Matt Corallo)fd5e905Make verify-commits.sh non-recursive (Matt Corallo) Tree-SHA512: 457cc81d6e0a77ab32d030ecd058c59857f22cb998a1394593e115639081f3fdc74a6376035b77be0712ad5cb9143bc3f498b77e99eb66034492dbbb38c39bc6
This commit is contained in:
Wladimir J. van der Laan
commit
fa99663bec
|
|
@ -51,7 +51,7 @@ before_script:
|
|||
- if [ -n "$OSX_SDK" -a -f depends/sdk-sources/MacOSX${OSX_SDK}.sdk.tar.gz ]; then tar -C depends/SDKs -xf depends/sdk-sources/MacOSX${OSX_SDK}.sdk.tar.gz; fi
|
||||
- make $MAKEJOBS -C depends HOST=$HOST $DEP_OPTS
|
||||
script:
|
||||
- if [ "$CHECK_DOC" = 1 -a "$TRAVIS_REPO_SLUG" = "bitcoin/bitcoin" -a "$TRAVIS_PULL_REQUEST" = "false" ]; then while read LINE; do travis_retry gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys $LINE; done < contrib/verify-commits/trusted-keys; fi
|
||||
- if [ "$CHECK_DOC" = 1 -a "$TRAVIS_REPO_SLUG" = "bitcoin/bitcoin" -a "$TRAVIS_PULL_REQUEST" = "false" ]; then while read LINE; do travis_retry gpg --keyserver hkp://subset.pool.sks-keyservers.net --recv-keys $LINE; done < contrib/verify-commits/trusted-keys; fi
|
||||
- if [ "$CHECK_DOC" = 1 -a "$TRAVIS_REPO_SLUG" = "bitcoin/bitcoin" -a "$TRAVIS_PULL_REQUEST" = "false" ]; then git fetch --unshallow; fi
|
||||
- if [ "$CHECK_DOC" = 1 -a "$TRAVIS_REPO_SLUG" = "bitcoin/bitcoin" -a "$TRAVIS_PULL_REQUEST" = "false" ]; then contrib/verify-commits/verify-commits.sh; fi
|
||||
- export TRAVIS_COMMIT_LOG=`git log --format=fuller -1`
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
f7ec7cfd38b543ba81ac7bed5b77f9a19739460b
|
||||
309bf16257b2395ce502017be627186b749ee749
|
||||
|
|
|
|||
|
|
@ -3,9 +3,6 @@
|
|||
# Distributed under the MIT software license, see the accompanying
|
||||
# file COPYING or http://www.opensource.org/licenses/mit-license.php.
|
||||
|
||||
# Not technically POSIX-compliant due to use of "local", but almost every
|
||||
# shell anyone uses today supports it, so its probably fine
|
||||
|
||||
DIR=$(dirname "$0")
|
||||
[ "/${DIR#/}" != "$DIR" ] && DIR=$(dirname "$(pwd)/$0")
|
||||
|
||||
|
|
@ -16,14 +13,36 @@ VERIFIED_SHA512_ROOT=$(cat "${DIR}/trusted-sha512-root-commit")
|
|||
REVSIG_ALLOWED=$(cat "${DIR}/allow-revsig-commits")
|
||||
|
||||
HAVE_FAILED=false
|
||||
IS_SIGNED () {
|
||||
if [ $1 = $VERIFIED_ROOT ]; then
|
||||
return 0;
|
||||
|
||||
HAVE_GNU_SHA512=1
|
||||
[ ! -x "$(which sha512sum)" ] && HAVE_GNU_SHA512=0
|
||||
|
||||
if [ x"$1" = "x" ]; then
|
||||
CURRENT_COMMIT="HEAD"
|
||||
else
|
||||
CURRENT_COMMIT="$1"
|
||||
fi
|
||||
|
||||
if [ "${CURRENT_COMMIT#* }" != "$CURRENT_COMMIT" ]; then
|
||||
echo "Commit must not contain spaces?" > /dev/stderr
|
||||
exit 1
|
||||
fi
|
||||
|
||||
VERIFY_TREE=0
|
||||
if [ x"$2" = "x--tree-checks" ]; then
|
||||
VERIFY_TREE=1
|
||||
fi
|
||||
|
||||
NO_SHA1=1
|
||||
PREV_COMMIT=""
|
||||
|
||||
while true; do
|
||||
if [ "$CURRENT_COMMIT" = $VERIFIED_ROOT ]; then
|
||||
echo "There is a valid path from "$CURRENT_COMMIT" to $VERIFIED_ROOT where all commits are signed!"
|
||||
exit 0;
|
||||
fi
|
||||
|
||||
VERIFY_TREE=$2
|
||||
NO_SHA1=$3
|
||||
if [ $1 = $VERIFIED_SHA512_ROOT ]; then
|
||||
if [ "$CURRENT_COMMIT" = $VERIFIED_SHA512_ROOT ]; then
|
||||
if [ "$VERIFY_TREE" = "1" ]; then
|
||||
echo "All Tree-SHA512s matched up to $VERIFIED_SHA512_ROOT" > /dev/stderr
|
||||
fi
|
||||
|
|
@ -37,92 +56,77 @@ IS_SIGNED () {
|
|||
export BITCOIN_VERIFY_COMMITS_ALLOW_SHA1=1
|
||||
fi
|
||||
|
||||
if [ "${REVSIG_ALLOWED#*$1}" != "$REVSIG_ALLOWED" ]; then
|
||||
if [ "${REVSIG_ALLOWED#*$CURRENT_COMMIT}" != "$REVSIG_ALLOWED" ]; then
|
||||
export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=1
|
||||
else
|
||||
export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=0
|
||||
fi
|
||||
|
||||
if ! git -c "gpg.program=${DIR}/gpg.sh" verify-commit $1 > /dev/null; then
|
||||
return 1;
|
||||
if ! git -c "gpg.program=${DIR}/gpg.sh" verify-commit "$CURRENT_COMMIT" > /dev/null; then
|
||||
if [ "$PREV_COMMIT" != "" ]; then
|
||||
echo "No parent of $PREV_COMMIT was signed with a trusted key!" > /dev/stderr
|
||||
echo "Parents are:" > /dev/stderr
|
||||
PARENTS=$(git show -s --format=format:%P $PREV_COMMIT)
|
||||
for PARENT in $PARENTS; do
|
||||
git show -s $PARENT > /dev/stderr
|
||||
done
|
||||
else
|
||||
echo "$CURRENT_COMMIT was not signed with a trusted key!" > /dev/stderr
|
||||
fi
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# We set $4 to 1 on the first call, always verifying the top of the tree
|
||||
if [ "$VERIFY_TREE" = 1 -o "$4" = "1" ]; then
|
||||
# We always verify the top of the tree
|
||||
if [ "$VERIFY_TREE" = 1 -o "$PREV_COMMIT" = "" ]; then
|
||||
IFS_CACHE="$IFS"
|
||||
IFS='
|
||||
'
|
||||
for LINE in $(git ls-tree --full-tree -r $1); do
|
||||
for LINE in $(git ls-tree --full-tree -r "$CURRENT_COMMIT"); do
|
||||
case "$LINE" in
|
||||
"12"*)
|
||||
echo "Repo contains symlinks" > /dev/stderr
|
||||
IFS="$IFS_CACHE"
|
||||
return 1
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
IFS="$IFS_CACHE"
|
||||
|
||||
FILE_HASHES=""
|
||||
for FILE in $(git ls-tree --full-tree -r --name-only $1 | LC_ALL=C sort); do
|
||||
HASH=$(git cat-file blob $1:"$FILE" | sha512sum | { read FIRST OTHER; echo $FIRST; } )
|
||||
for FILE in $(git ls-tree --full-tree -r --name-only "$CURRENT_COMMIT" | LC_ALL=C sort); do
|
||||
if [ "$HAVE_GNU_SHA512" = 1 ]; then
|
||||
HASH=$(git cat-file blob "$CURRENT_COMMIT":"$FILE" | sha512sum | { read FIRST OTHER; echo $FIRST; } )
|
||||
else
|
||||
HASH=$(git cat-file blob "$CURRENT_COMMIT":"$FILE" | shasum -a 512 | { read FIRST OTHER; echo $FIRST; } )
|
||||
fi
|
||||
[ "$FILE_HASHES" != "" ] && FILE_HASHES="$FILE_HASHES"'
|
||||
'
|
||||
FILE_HASHES="$FILE_HASHES$HASH $FILE"
|
||||
done
|
||||
|
||||
if [ "$HAVE_GNU_SHA512" = 1 ]; then
|
||||
TREE_HASH="$(echo "$FILE_HASHES" | sha512sum)"
|
||||
else
|
||||
TREE_HASH="$(echo "$FILE_HASHES" | shasum -a 512)"
|
||||
fi
|
||||
HASH_MATCHES=0
|
||||
MSG="$(git show -s --format=format:%B $1 | tail -n1)"
|
||||
MSG="$(git show -s --format=format:%B "$CURRENT_COMMIT" | tail -n1)"
|
||||
|
||||
case "$MSG -" in
|
||||
"Tree-SHA512: $(echo "$FILE_HASHES" | sha512sum)")
|
||||
"Tree-SHA512: $TREE_HASH")
|
||||
HASH_MATCHES=1;;
|
||||
esac
|
||||
|
||||
if [ "$HASH_MATCHES" = "0" ]; then
|
||||
echo "Tree-SHA512 did not match for commit $1" > /dev/stderr
|
||||
HAVE_FAILED=true
|
||||
return 1
|
||||
echo "Tree-SHA512 did not match for commit $CURRENT_COMMIT" > /dev/stderr
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
local PARENTS
|
||||
PARENTS=$(git show -s --format=format:%P $1)
|
||||
PARENTS=$(git show -s --format=format:%P "$CURRENT_COMMIT")
|
||||
for PARENT in $PARENTS; do
|
||||
if IS_SIGNED $PARENT $VERIFY_TREE $NO_SHA1 0; then
|
||||
return 0;
|
||||
fi
|
||||
PREV_COMMIT="$CURRENT_COMMIT"
|
||||
CURRENT_COMMIT="$PARENT"
|
||||
break
|
||||
done
|
||||
if ! "$HAVE_FAILED"; then
|
||||
echo "No parent of $1 was signed with a trusted key!" > /dev/stderr
|
||||
echo "Parents are:" > /dev/stderr
|
||||
for PARENT in $PARENTS; do
|
||||
git show -s $PARENT > /dev/stderr
|
||||
done
|
||||
HAVE_FAILED=true
|
||||
fi
|
||||
return 1;
|
||||
}
|
||||
|
||||
if [ x"$1" = "x" ]; then
|
||||
TEST_COMMIT="HEAD"
|
||||
else
|
||||
TEST_COMMIT="$1"
|
||||
fi
|
||||
|
||||
DO_CHECKOUT_TEST=0
|
||||
if [ x"$2" = "x--tree-checks" ]; then
|
||||
DO_CHECKOUT_TEST=1
|
||||
fi
|
||||
|
||||
IS_SIGNED "$TEST_COMMIT" "$DO_CHECKOUT_TEST" 1 1
|
||||
RES=$?
|
||||
if [ "$RES" = 1 ]; then
|
||||
if ! "$HAVE_FAILED"; then
|
||||
echo "$TEST_COMMIT was not signed with a trusted key!"
|
||||
fi
|
||||
else
|
||||
echo "There is a valid path from $TEST_COMMIT to $VERIFIED_ROOT where all commits are signed!"
|
||||
fi
|
||||
|
||||
exit $RES
|
||||
done
|
||||
|
|
|
|||
Loading…
Reference in a new issue