From fda2eca0841dd171bc13ca3776096d2ca0050476 Mon Sep 17 00:00:00 2001
From: Gary Verhaegen <gary.verhaegen@digitalasset.com>
Date: Thu, 1 Oct 2020 21:01:42 +0200
Subject: [PATCH] periodically check signatures (#7543)

This is a first, very incomplete step in the spirit of small,
incremental PRs. Known missing features:

- Should check all versions, not just the 30 most recent ones.
- Should also download from GCP backup and compare.
- Should alert on Slack if anything is unexpected.
- Should handle versions prior to us starting to sign (and do what?).
- Should also check artifacts in Artifactory, not just GitHub Releases.
- Optionally should save to GCP if we don't have a backup already.

So at the moment it's just downloading the artifacts for the 30 most
recent releases and printing a message stating whether we have a
signature and whether it's valid.

CHANGELOG_BEGIN
CHANGELOG_END
---
 ci/bash-lib.yml          | 49 ++++++++++++++++++++++++++++++++
 ci/cron/daily-compat.yml | 60 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 109 insertions(+)

diff --git a/ci/bash-lib.yml b/ci/bash-lib.yml
index 0679ffa273..169c6dde14 100644
--- a/ci/bash-lib.yml
+++ b/ci/bash-lib.yml
@@ -49,5 +49,54 @@ steps:
         trap - EXIT
         eval "$restore_trap"
     }
+    gpg_verify() {
+        local key gpg_dir signature_file res
+        signature_file=$1
+        key=$(mktemp)
+        cat > $key <<PUB_KEY
+    -----BEGIN PGP PUBLIC KEY BLOCK-----
+
+    mQENBFzdsasBCADO+ZcfZQATP6ceTh4WfXiL2Z2tetvUZGfTaEs/UfBoJPmQ53bN
+    90MxudKhgB2mi8DuifYnHfLCvkxSgzfhj2IogV1S+Fa2x99Y819GausJoYfK9gwc
+    8YWKEkM81F15jA5UWJTsssKNxUddr/sxJIHIFfqGRQ0e6YeAcc5bOAogBE8UrmxE
+    uGfOt9/MvLpDewjDE+2lQOFi9RZuy7S8RMJLTiq2JWbO5yI50oFKeMQy/AJPmV7y
+    qAyYUIeZZxvrYeBWi5JDsZ2HOSJPqV7ttD2MvkyXcJCW/Xf8FcleAoWJU09RwVww
+    BhZSDz+9mipwZBHENILMuVyEygG5A+vc/YptABEBAAG0N0RpZ2l0YWwgQXNzZXQg
+    SG9sZGluZ3MsIExMQyA8c2VjdXJpdHlAZGlnaXRhbGFzc2V0LmNvbT6JAVQEEwEI
+    AD4WIQRJEajf6Xas36BxMNvoNywMHHNMUQUCXN2xqwIbAwUJA8JnAAULCQgHAgYV
+    CgkICwIEFgIDAQIeAQIXgAAKCRDoNywMHHNMUeVdCACAEwJ9f0DAKkhwQcg1RG4O
+    RiyWZ7h0nC4XSdmDUe5RhcrU8xUhiyYqKFVCRtYC0BILC/7bQCJcQUkvUH+hY5rK
+    MZM+jeBDLZToEQaZgytkyvRPzaKKx6LrvbGLoOyBgFGi9X9a5thXrAZaKN8Cgp2d
+    0OFDXMi+ep+x0hbmlxtPYhHXcdr2u/BwT1nsEVZn1uTefwcfom8aKw3uOmLQdE+2
+    5eM4GvLC7sJvrlbNLt0FCbty3hvdfINrIOEPj5yjguY4kKewzfZTG7ygccJQ4eyh
+    8HnPFcuBJCCGwOsFsccViX5wevijfGie9tyVeLGZdV2k6aElWDuRVRWKQtrfL0Xk
+    uQENBFzdsasBCAC5fr5pqxFm+AWPc7wiBSt7uKNdxiRJYydeoPqgmYZTvc8Um8pI
+    6JHtUrNxnx4WWKtj6iSPn5pSUrJbue4NAUsBF5O9LZ0fcQKb5diZLGHKtOZttCaj
+    Iryp1Rm961skmPmi3yYaHXq4GC/05Ra/bo3C+ZByv/W0JzntOxA3Pvc3c8Pw5sBm
+    63xu7iRrnJBtyFGD+MuAZxbN8dwYX0OcmwuSFGxf/wa+aB8b7Ut9RP76sbDvFaXx
+    Ef314k8AwxUvlv+ozdNWmEBxp1wR/Fra9i8EbC0V6EkCcModRhjbaNSPIbgkC0ka
+    2cgYp1UDgf9FrKvkuir70dg75qSrPRwvFghrABEBAAGJATwEGAEIACYWIQRJEajf
+    6Xas36BxMNvoNywMHHNMUQUCXN2xqwIbDAUJA8JnAAAKCRDoNywMHHNMUZYBCACW
+    wXLl3untEom4VwzTfvc4xwLThjnNDhewW8LfudYh3ZUbxnqH9jlmZjTALllr+66f
+    +TB1B8EGO5nTV5TxzE2s2rF9+S3Qj2hl1+PyVFjy1p93mUaWOz33sGlpXLOi5/p4
+    9ekSKOzyVYWvMm3FoDagqMCPvSMJ0AN8CJwrCeWyMcGcY+ohzajXKXpJ1vBdzaUU
+    LTZi2uRiN7cTZVAAOr1jO6Rcx4+EfmkjDW6ww/O/sWTDmsS1+Ge6zp9qZCspYX8d
+    7vBpuEUwEYpxVvxDR/TBztlfbQx4Pw+n1gpbXBO0BwJC9L67MS6yMUmuhSrw8UTI
+    JKX1t3MFLLpYQbaNwBgA
+    =5Xfu
+    -----END PGP PUBLIC KEY BLOCK-----
+    PUB_KEY
+        gpg_dir=$(mktemp -d)
+        GNUPGHOME=$gpg_dir gpg --no-tty --quiet --import $key
+        GNUPGHOME=$gpg_dir gpg --no-tty --quiet --command-fd 0 --edit-key 4911A8DFE976ACDFA07130DBE8372C0C1C734C51 << CMD
+    trust
+    4
+    quit
+    CMD
+        GNUPGHOME=$gpg_dir gpg --verify $signature_file
+        res=$?
+        rm -rf $gpg_dir $key
+        return $res
+    }
     END
     echo "##vso[task.setvariable variable=${{parameters.var_name}}]$TMP"
diff --git a/ci/cron/daily-compat.yml b/ci/cron/daily-compat.yml
index 53dcd5bf20..402c818725 100644
--- a/ci/cron/daily-compat.yml
+++ b/ci/cron/daily-compat.yml
@@ -174,3 +174,63 @@ jobs:
         displayName: measure http-json performance
         env:
           GCRED: $(GOOGLE_APPLICATION_CREDENTIALS_CONTENT)
+
+  - job: check_releases
+    timeoutInMinutes: 120
+    pool:
+      name: linux-pool
+      demands: assignment -equals default
+    steps:
+      - checkout: self
+      - bash: ci/dev-env-install.sh
+        displayName: 'Build/Install the Developer Environment'
+      - template: ../bash-lib.yml
+        parameters:
+          var_name: bash_lib
+      - bash: |
+          set -euo pipefail
+          eval "$(dev-env/bin/dade assist)"
+          source $(bash_lib)
+
+          LOG=$(mktemp)
+
+          DIR=$(mktemp -d)
+          trap "rm -rf \"$DIR\"" EXIT
+          cd "$DIR"
+
+          shopt -s extglob # enable !() pattern: things that _don't_ match
+
+          # TODO: get all releases (GH paginates by 30)
+          RELEASES=$(curl https://api.github.com/repos/digital-asset/daml/releases -s)
+          for i in $(seq 1 $(echo "$RELEASES" | jq length)); do
+              VERSION=$(echo "$RELEASES" | jq -r ".[$i-1].tag_name")
+              mkdir "$VERSION"
+              cd "$VERSION"
+              PIDS=""
+              for ass in $(seq 1 $(echo "$RELEASES" | jq ".[$i-1].assets | length")); do
+                  {
+                      wget --quiet "$(echo "$RELEASES" | jq -r ".[$i-1].assets[$ass-1].browser_download_url")" &
+                  } >$LOG 2>&1
+                  PIDS="$PIDS $!"
+              done
+              for pid in $PIDS; do
+                  wait $pid >$LOG 2>&1
+              done
+              for f in !(*.asc); do
+                  p=github/$VERSION/$f
+                  if ! test -f $f.asc; then
+                      echo $p: no signature file
+                  else
+                      if gpg_verify $f.asc >$LOG 2>&1; then
+                          echo $p: signature matches
+                      else
+                          echo $p: signature does not match
+                      fi
+                  fi
+              done
+              cd "$DIR"
+              rm -rf "$VERSION"
+          done
+        displayName: check releases
+        env:
+          GCRED: $(GOOGLE_APPLICATION_CREDENTIALS_CONTENT)