periodically check signatures (#7543)

This is a first, very incomplete step in the spirit of small, incremental PRs. Known missing features: - Should check all versions, not just the 30 most recent ones. - Should also download from GCP backup and compare. - Should alert on Slack if anything is unexpected. - Should handle versions prior to us starting to sign (and do what?). - Should also check artifacts in Artifactory, not just GitHub Releases. - Optionally should save to GCP if we don't have a backup already. So at the moment it's just downloading the artifacts for the 30 most recent releases and printing a message stating whether we have a signature and whether it's valid. CHANGELOG_BEGIN CHANGELOG_END
2024-09-11 04:45:57 +03:00 · 2020-10-01 21:01:42 +02:00 · 2020-10-01 21:01:42 +02:00 · fda2eca084
commit fda2eca084
parent c5abcece56
2 changed files with 109 additions and 0 deletions
--- a/ci/bash-lib.yml
+++ b/ci/bash-lib.yml
@ -49,5 +49,54 @@ steps:
        trap - EXIT
        eval "$restore_trap"
    }
+    gpg_verify() {
+        local key gpg_dir signature_file res
+        signature_file=$1
+        key=$(mktemp)
+        cat > $key <<PUB_KEY
+    -----BEGIN PGP PUBLIC KEY BLOCK-----
+
+    mQENBFzdsasBCADO+ZcfZQATP6ceTh4WfXiL2Z2tetvUZGfTaEs/UfBoJPmQ53bN
+    90MxudKhgB2mi8DuifYnHfLCvkxSgzfhj2IogV1S+Fa2x99Y819GausJoYfK9gwc
+    8YWKEkM81F15jA5UWJTsssKNxUddr/sxJIHIFfqGRQ0e6YeAcc5bOAogBE8UrmxE
+    uGfOt9/MvLpDewjDE+2lQOFi9RZuy7S8RMJLTiq2JWbO5yI50oFKeMQy/AJPmV7y
+    qAyYUIeZZxvrYeBWi5JDsZ2HOSJPqV7ttD2MvkyXcJCW/Xf8FcleAoWJU09RwVww
+    BhZSDz+9mipwZBHENILMuVyEygG5A+vc/YptABEBAAG0N0RpZ2l0YWwgQXNzZXQg
+    SG9sZGluZ3MsIExMQyA8c2VjdXJpdHlAZGlnaXRhbGFzc2V0LmNvbT6JAVQEEwEI
+    AD4WIQRJEajf6Xas36BxMNvoNywMHHNMUQUCXN2xqwIbAwUJA8JnAAULCQgHAgYV
+    CgkICwIEFgIDAQIeAQIXgAAKCRDoNywMHHNMUeVdCACAEwJ9f0DAKkhwQcg1RG4O
+    RiyWZ7h0nC4XSdmDUe5RhcrU8xUhiyYqKFVCRtYC0BILC/7bQCJcQUkvUH+hY5rK
+    MZM+jeBDLZToEQaZgytkyvRPzaKKx6LrvbGLoOyBgFGi9X9a5thXrAZaKN8Cgp2d
+    0OFDXMi+ep+x0hbmlxtPYhHXcdr2u/BwT1nsEVZn1uTefwcfom8aKw3uOmLQdE+2
+    5eM4GvLC7sJvrlbNLt0FCbty3hvdfINrIOEPj5yjguY4kKewzfZTG7ygccJQ4eyh
+    8HnPFcuBJCCGwOsFsccViX5wevijfGie9tyVeLGZdV2k6aElWDuRVRWKQtrfL0Xk
+    uQENBFzdsasBCAC5fr5pqxFm+AWPc7wiBSt7uKNdxiRJYydeoPqgmYZTvc8Um8pI
+    6JHtUrNxnx4WWKtj6iSPn5pSUrJbue4NAUsBF5O9LZ0fcQKb5diZLGHKtOZttCaj
+    Iryp1Rm961skmPmi3yYaHXq4GC/05Ra/bo3C+ZByv/W0JzntOxA3Pvc3c8Pw5sBm
+    63xu7iRrnJBtyFGD+MuAZxbN8dwYX0OcmwuSFGxf/wa+aB8b7Ut9RP76sbDvFaXx
+    Ef314k8AwxUvlv+ozdNWmEBxp1wR/Fra9i8EbC0V6EkCcModRhjbaNSPIbgkC0ka
+    2cgYp1UDgf9FrKvkuir70dg75qSrPRwvFghrABEBAAGJATwEGAEIACYWIQRJEajf
+    6Xas36BxMNvoNywMHHNMUQUCXN2xqwIbDAUJA8JnAAAKCRDoNywMHHNMUZYBCACW
+    wXLl3untEom4VwzTfvc4xwLThjnNDhewW8LfudYh3ZUbxnqH9jlmZjTALllr+66f
+    +TB1B8EGO5nTV5TxzE2s2rF9+S3Qj2hl1+PyVFjy1p93mUaWOz33sGlpXLOi5/p4
+    9ekSKOzyVYWvMm3FoDagqMCPvSMJ0AN8CJwrCeWyMcGcY+ohzajXKXpJ1vBdzaUU
+    LTZi2uRiN7cTZVAAOr1jO6Rcx4+EfmkjDW6ww/O/sWTDmsS1+Ge6zp9qZCspYX8d
+    7vBpuEUwEYpxVvxDR/TBztlfbQx4Pw+n1gpbXBO0BwJC9L67MS6yMUmuhSrw8UTI
+    JKX1t3MFLLpYQbaNwBgA
+    =5Xfu
+    -----END PGP PUBLIC KEY BLOCK-----
+    PUB_KEY
+        gpg_dir=$(mktemp -d)
+        GNUPGHOME=$gpg_dir gpg --no-tty --quiet --import $key
+        GNUPGHOME=$gpg_dir gpg --no-tty --quiet --command-fd 0 --edit-key 4911A8DFE976ACDFA07130DBE8372C0C1C734C51 << CMD
+    trust
+    4
+    quit
+    CMD
+        GNUPGHOME=$gpg_dir gpg --verify $signature_file
+        res=$?
+        rm -rf $gpg_dir $key
+        return $res
+    }
    END
    echo "##vso[task.setvariable variable=${{parameters.var_name}}]$TMP"
--- a/ci/cron/daily-compat.yml
+++ b/ci/cron/daily-compat.yml
@ -174,3 +174,63 @@ jobs:
        displayName: measure http-json performance
        env:
          GCRED: $(GOOGLE_APPLICATION_CREDENTIALS_CONTENT)
+
+  - job: check_releases
+    timeoutInMinutes: 120
+    pool:
+      name: linux-pool
+      demands: assignment -equals default
+    steps:
+      - checkout: self
+      - bash: ci/dev-env-install.sh
+        displayName: 'Build/Install the Developer Environment'
+      - template: ../bash-lib.yml
+        parameters:
+          var_name: bash_lib
+      - bash: |
+          set -euo pipefail
+          eval "$(dev-env/bin/dade assist)"
+          source $(bash_lib)
+
+          LOG=$(mktemp)
+
+          DIR=$(mktemp -d)
+          trap "rm -rf \"$DIR\"" EXIT
+          cd "$DIR"
+
+          shopt -s extglob # enable !() pattern: things that _don't_ match
+
+          # TODO: get all releases (GH paginates by 30)
+          RELEASES=$(curl https://api.github.com/repos/digital-asset/daml/releases -s)
+          for i in $(seq 1 $(echo "$RELEASES" | jq length)); do
+              VERSION=$(echo "$RELEASES" | jq -r ".[$i-1].tag_name")
+              mkdir "$VERSION"
+              cd "$VERSION"
+              PIDS=""
+              for ass in $(seq 1 $(echo "$RELEASES" | jq ".[$i-1].assets | length")); do
+                  {
+                      wget --quiet "$(echo "$RELEASES" | jq -r ".[$i-1].assets[$ass-1].browser_download_url")" &
+                  } >$LOG 2>&1
+                  PIDS="$PIDS $!"
+              done
+              for pid in $PIDS; do
+                  wait $pid >$LOG 2>&1
+              done
+              for f in !(*.asc); do
+                  p=github/$VERSION/$f
+                  if ! test -f $f.asc; then
+                      echo $p: no signature file
+                  else
+                      if gpg_verify $f.asc >$LOG 2>&1; then
+                          echo $p: signature matches
+                      else
+                          echo $p: signature does not match
+                      fi
+                  fi
+              done
+              cd "$DIR"
+              rm -rf "$VERSION"
+          done
+        displayName: check releases
+        env:
+          GCRED: $(GOOGLE_APPLICATION_CREDENTIALS_CONTENT)