periodically check signatures (#7543)
This is a first, very incomplete step in the spirit of small, incremental PRs. Known missing features: - Should check all versions, not just the 30 most recent ones. - Should also download from GCP backup and compare. - Should alert on Slack if anything is unexpected. - Should handle versions prior to us starting to sign (and do what?). - Should also check artifacts in Artifactory, not just GitHub Releases. - Optionally should save to GCP if we don't have a backup already. So at the moment it's just downloading the artifacts for the 30 most recent releases and printing a message stating whether we have a signature and whether it's valid. CHANGELOG_BEGIN CHANGELOG_END
This commit is contained in:
parent
c5abcece56
commit
fda2eca084
@ -49,5 +49,54 @@ steps:
|
|||||||
trap - EXIT
|
trap - EXIT
|
||||||
eval "$restore_trap"
|
eval "$restore_trap"
|
||||||
}
|
}
|
||||||
|
gpg_verify() {
|
||||||
|
local key gpg_dir signature_file res
|
||||||
|
signature_file=$1
|
||||||
|
key=$(mktemp)
|
||||||
|
cat > $key <<PUB_KEY
|
||||||
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
|
||||||
|
mQENBFzdsasBCADO+ZcfZQATP6ceTh4WfXiL2Z2tetvUZGfTaEs/UfBoJPmQ53bN
|
||||||
|
90MxudKhgB2mi8DuifYnHfLCvkxSgzfhj2IogV1S+Fa2x99Y819GausJoYfK9gwc
|
||||||
|
8YWKEkM81F15jA5UWJTsssKNxUddr/sxJIHIFfqGRQ0e6YeAcc5bOAogBE8UrmxE
|
||||||
|
uGfOt9/MvLpDewjDE+2lQOFi9RZuy7S8RMJLTiq2JWbO5yI50oFKeMQy/AJPmV7y
|
||||||
|
qAyYUIeZZxvrYeBWi5JDsZ2HOSJPqV7ttD2MvkyXcJCW/Xf8FcleAoWJU09RwVww
|
||||||
|
BhZSDz+9mipwZBHENILMuVyEygG5A+vc/YptABEBAAG0N0RpZ2l0YWwgQXNzZXQg
|
||||||
|
SG9sZGluZ3MsIExMQyA8c2VjdXJpdHlAZGlnaXRhbGFzc2V0LmNvbT6JAVQEEwEI
|
||||||
|
AD4WIQRJEajf6Xas36BxMNvoNywMHHNMUQUCXN2xqwIbAwUJA8JnAAULCQgHAgYV
|
||||||
|
CgkICwIEFgIDAQIeAQIXgAAKCRDoNywMHHNMUeVdCACAEwJ9f0DAKkhwQcg1RG4O
|
||||||
|
RiyWZ7h0nC4XSdmDUe5RhcrU8xUhiyYqKFVCRtYC0BILC/7bQCJcQUkvUH+hY5rK
|
||||||
|
MZM+jeBDLZToEQaZgytkyvRPzaKKx6LrvbGLoOyBgFGi9X9a5thXrAZaKN8Cgp2d
|
||||||
|
0OFDXMi+ep+x0hbmlxtPYhHXcdr2u/BwT1nsEVZn1uTefwcfom8aKw3uOmLQdE+2
|
||||||
|
5eM4GvLC7sJvrlbNLt0FCbty3hvdfINrIOEPj5yjguY4kKewzfZTG7ygccJQ4eyh
|
||||||
|
8HnPFcuBJCCGwOsFsccViX5wevijfGie9tyVeLGZdV2k6aElWDuRVRWKQtrfL0Xk
|
||||||
|
uQENBFzdsasBCAC5fr5pqxFm+AWPc7wiBSt7uKNdxiRJYydeoPqgmYZTvc8Um8pI
|
||||||
|
6JHtUrNxnx4WWKtj6iSPn5pSUrJbue4NAUsBF5O9LZ0fcQKb5diZLGHKtOZttCaj
|
||||||
|
Iryp1Rm961skmPmi3yYaHXq4GC/05Ra/bo3C+ZByv/W0JzntOxA3Pvc3c8Pw5sBm
|
||||||
|
63xu7iRrnJBtyFGD+MuAZxbN8dwYX0OcmwuSFGxf/wa+aB8b7Ut9RP76sbDvFaXx
|
||||||
|
Ef314k8AwxUvlv+ozdNWmEBxp1wR/Fra9i8EbC0V6EkCcModRhjbaNSPIbgkC0ka
|
||||||
|
2cgYp1UDgf9FrKvkuir70dg75qSrPRwvFghrABEBAAGJATwEGAEIACYWIQRJEajf
|
||||||
|
6Xas36BxMNvoNywMHHNMUQUCXN2xqwIbDAUJA8JnAAAKCRDoNywMHHNMUZYBCACW
|
||||||
|
wXLl3untEom4VwzTfvc4xwLThjnNDhewW8LfudYh3ZUbxnqH9jlmZjTALllr+66f
|
||||||
|
+TB1B8EGO5nTV5TxzE2s2rF9+S3Qj2hl1+PyVFjy1p93mUaWOz33sGlpXLOi5/p4
|
||||||
|
9ekSKOzyVYWvMm3FoDagqMCPvSMJ0AN8CJwrCeWyMcGcY+ohzajXKXpJ1vBdzaUU
|
||||||
|
LTZi2uRiN7cTZVAAOr1jO6Rcx4+EfmkjDW6ww/O/sWTDmsS1+Ge6zp9qZCspYX8d
|
||||||
|
7vBpuEUwEYpxVvxDR/TBztlfbQx4Pw+n1gpbXBO0BwJC9L67MS6yMUmuhSrw8UTI
|
||||||
|
JKX1t3MFLLpYQbaNwBgA
|
||||||
|
=5Xfu
|
||||||
|
-----END PGP PUBLIC KEY BLOCK-----
|
||||||
|
PUB_KEY
|
||||||
|
gpg_dir=$(mktemp -d)
|
||||||
|
GNUPGHOME=$gpg_dir gpg --no-tty --quiet --import $key
|
||||||
|
GNUPGHOME=$gpg_dir gpg --no-tty --quiet --command-fd 0 --edit-key 4911A8DFE976ACDFA07130DBE8372C0C1C734C51 << CMD
|
||||||
|
trust
|
||||||
|
4
|
||||||
|
quit
|
||||||
|
CMD
|
||||||
|
GNUPGHOME=$gpg_dir gpg --verify $signature_file
|
||||||
|
res=$?
|
||||||
|
rm -rf $gpg_dir $key
|
||||||
|
return $res
|
||||||
|
}
|
||||||
END
|
END
|
||||||
echo "##vso[task.setvariable variable=${{parameters.var_name}}]$TMP"
|
echo "##vso[task.setvariable variable=${{parameters.var_name}}]$TMP"
|
||||||
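Review bot: `GNUPGHOME=$gpg_dir gpg --verify $signature_file` is given only the `.asc` file, so gpg infers the data file by stripping the suffix — and if that `.asc` ever contains an inline-signed message instead of a detached signature, gpg verifies the message's own payload, never reads the artifact next to it, and still exits 0. Passing both names so gpg rejects anything that is not a detached signature over the artifact is a one-line change: `GNUPGHOME=$gpg_dir gpg --verify "$signature_file" "${signature_file%.asc}"`. The `--edit-key … trust 4` step is cosmetic for this purpose: `gpg --verify` exits 0 on a good signature whether or not the key is trusted, and the fresh `GNUPGHOME` already guarantees only the embedded key (fingerprint 4911…4C51) can yield a good signature, so either drop it or make the intent explicit with `--trust-model always` rather than leaving the impression that trust is being enforced. Quoting the delimiter (`<<'PUB_KEY'`) and the expansions (`"$key"`, `"$signature_file"`, `rm -rf -- "$gpg_dir" "$key"`) would keep the function safe for paths with spaces, and with no trap the temp keyring and key file leak if gpg is interrupted. The enclosing bash-lib heredoc (closed by `END`) begins outside the hunk.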
|
@ -174,3 +174,63 @@ jobs:
|
|||||||
displayName: measure http-json performance
|
displayName: measure http-json performance
|
||||||
env:
|
env:
|
||||||
GCRED: $(GOOGLE_APPLICATION_CREDENTIALS_CONTENT)
|
GCRED: $(GOOGLE_APPLICATION_CREDENTIALS_CONTENT)
|
||||||
|
|
||||||
|
- job: check_releases
|
||||||
|
timeoutInMinutes: 120
|
||||||
|
pool:
|
||||||
|
name: linux-pool
|
||||||
|
demands: assignment -equals default
|
||||||
|
steps:
|
||||||
|
- checkout: self
|
||||||
|
- bash: ci/dev-env-install.sh
|
||||||
|
displayName: 'Build/Install the Developer Environment'
|
||||||
|
- template: ../bash-lib.yml
|
||||||
|
parameters:
|
||||||
|
var_name: bash_lib
|
||||||
|
- bash: |
|
||||||
|
set -euo pipefail
|
||||||
|
eval "$(dev-env/bin/dade assist)"
|
||||||
|
source $(bash_lib)
|
||||||
|
|
||||||
|
LOG=$(mktemp)
|
||||||
|
|
||||||
|
DIR=$(mktemp -d)
|
||||||
|
trap "rm -rf \"$DIR\"" EXIT
|
||||||
|
cd "$DIR"
|
||||||
|
|
||||||
|
shopt -s extglob # enable !() pattern: things that _don't_ match
|
||||||
|
|
||||||
|
# TODO: get all releases (GH paginates by 30)
|
||||||
|
RELEASES=$(curl https://api.github.com/repos/digital-asset/daml/releases -s)
|
||||||
|
for i in $(seq 1 $(echo "$RELEASES" | jq length)); do
|
||||||
|
VERSION=$(echo "$RELEASES" | jq -r ".[$i-1].tag_name")
|
||||||
|
mkdir "$VERSION"
|
||||||
|
cd "$VERSION"
|
||||||
|
PIDS=""
|
||||||
|
for ass in $(seq 1 $(echo "$RELEASES" | jq ".[$i-1].assets | length")); do
|
||||||
|
{
|
||||||
|
wget --quiet "$(echo "$RELEASES" | jq -r ".[$i-1].assets[$ass-1].browser_download_url")" &
|
||||||
|
} >$LOG 2>&1
|
||||||
|
PIDS="$PIDS $!"
|
||||||
|
done
|
||||||
|
for pid in $PIDS; do
|
||||||
|
wait $pid >$LOG 2>&1
|
||||||
|
done
|
||||||
|
for f in !(*.asc); do
|
||||||
|
p=github/$VERSION/$f
|
||||||
|
if ! test -f $f.asc; then
|
||||||
|
echo $p: no signature file
|
||||||
|
else
|
||||||
|
if gpg_verify $f.asc >$LOG 2>&1; then
|
||||||
|
echo $p: signature matches
|
||||||
|
else
|
||||||
|
echo $p: signature does not match
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
cd "$DIR"
|
||||||
|
rm -rf "$VERSION"
|
||||||
|
done
|
||||||
|
displayName: check releases
|
||||||
|
env:
|
||||||
|
GCRED: $(GOOGLE_APPLICATION_CREDENTIALS_CONTENT)
|
||||||
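Review bot: `RELEASES=$(curl https://api.github.com/repos/digital-asset/daml/releases -s)` has no `-f`/`--fail`, so when the unauthenticated call is rate-limited (likely on a shared pool) GitHub returns a JSON object, `jq length` reports its key count, and the job dies on `jq -r ".[$i-1].tag_name"` with an indexing error instead of saying what happened; `curl -sSf` plus a `jq -e 'type == "array"'` guard on `$RELEASES` gives an honest failure. `for f in !(*.asc)` with extglob but without nullglob leaves the literal pattern in `$f` for a release with no non-`.asc` assets, printing a bogus `github/<tag>/!(*.asc): no signature file` line; add `shopt -s nullglob` beside the existing `shopt -s extglob`. `GCRED: $(GOOGLE_APPLICATION_CREDENTIALS_CONTENT)` is exported into a step whose body never reads it (the GCP comparison is listed as future work), so a service-account credential sits in the environment of a step that only downloads release assets and runs gpg on them — drop it until it is needed. Every `>$LOG 2>&1` truncates the same file and nothing ever prints it, so a `signature does not match` report carries none of the gpg output needed to act on it; appending with `>>` and dumping `$LOG` on mismatch would make the alert actionable.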
|