Merge pull request #20 from herbetom/contrib-sigtest

contrib/check-release.sh: init
Freifunk-Rhein-Neckar · May 21, 2024 · 380a927 · 380a927
2 parents 17baf65 + c5b220a
commit 380a927
Show file tree

Hide file tree

Showing 4 changed files with 134 additions and 71 deletions.
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -30,7 +30,7 @@ jobs:
       - name: Install Dependencies
         run: sudo apt-get update && sudo apt-get install -y shellcheck
       - name: Validate Shell Scripts
-        run: shellcheck $SHELL_FILES
+        run: shellcheck --external-sources --source-path=SCRIPTDIR $SHELL_FILES
 
   image-customization:
     name: "Image-Customization"

diff --git a/contrib/check-release.sh b/contrib/check-release.sh
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+source "${SCRIPT_DIR}/functions-sign.sh"
+
+declare -A SIGKEYS
+
+
+SIGKEYS["Tom/herbetom"]="3a00002ecf1392e7ddbb8db395412cdcb5d9cd8e310b486c3ec1fc0bf161195b"
+SIGKEYS["Kai/wusel42"]="cd2ed332a77bb71ade862d5b8521c59c7987ef418da6ecc69c19f32aa5ec5e66"
+SIGKEYS["Jan/Jevermeister"]="6fbba7d2e081a0a2c3d6832d5440e8786f90acabfe462b602531b4665ce58590"
+SIGKEYS["Michel/eriu"]="be5155bac7681fb4631bdab72c47b6e606e3f0ccfe50bb8f6cd6866c1c97c729"
+SIGKEYS["github-actions-ci"]="ff49b7abc9d2caab57bc5c88fb8cc3b5c5b0eb5312b7cc326a18cc811305592a"
+SIGKEYS["buildserver"]="e191158c837941158d827e5c6df971bfb01161d5d6f86a366d8a7897feedf9da"
+
+function usage() {
+	echo "Usage: $0 <release-version> <branch>"
+	echo "Example: $0 2.0.0 stable"
+	exit 1
+}
+
+function cleanup() {
+	rm -rf "$TEMP_DIR"
+}
+
+RELEASE_VERSION="${1:-}"
+BRANCH="${2:-}"
+
+[ -z "$RELEASE_VERSION" ] && usage
+[ -z "$BRANCH" ] && usage
+
+# Create Temporary working directory
+TEMP_DIR="$(mktemp -d)"
+
+MANIFEST_PATH="${TEMP_DIR}/checking.manifest"
+
+# Download released manifest archive
+MANIFEST_URL="https://fw.ffrn.de/images/${RELEASE_VERSION}/images/sysupgrade/${BRANCH}.manifest"
+echo "Download manifest from $MANIFEST_URL"
+curl -s -L -o "${MANIFEST_PATH}" "${MANIFEST_URL}"
+
+for name in "${!SIGKEYS[@]}"
+do
+	valid_ci_signature="$(get_valid_signature "${MANIFEST_PATH}" "${SIGKEYS[$name]}")"
+
+	# Check if manifest is signed with the key under test
+	if [ -n "$valid_ci_signature" ]; then
+		echo "Manifest is signed with the \"${name}\" key"
+		echo "Signature: $valid_ci_signature"
+	fi
+done
+
+cleanup
diff --git a/contrib/functions-sign.sh b/contrib/functions-sign.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+function split_manifest() {
+    local manifest upper lower
+
+    manifest="$1"
+    upper="$2"
+    lower="$3"
+
+    awk 'BEGIN    {
+        sep = 0
+    }
+
+    /^---$/ {
+        sep = 1;
+        next
+    }
+
+    {
+        if(sep == 0) {
+            print > "'"$upper"'"
+        } else {
+            print > "'"$lower"'"
+        }
+    }' "$manifest"
+}
+
+function create_signature() {
+    local secret manifest upper lower
+
+    manifest="$1"
+    secret="$2"
+
+    upper="$(mktemp)"
+    lower="$(mktemp)"
+
+    # Split manifest into upper and lower part
+    split_manifest "$manifest" "$upper" "$lower"
+
+    # Sign upper part of manifest
+    ecdsasign "$upper" < "$secret"
+
+    # Remove temporary files
+    rm -f "$upper" "$lower"
+}
+
+function get_valid_signature() {
+    local public_key manifest upper lower
+
+    manifest="$1"
+    public_key="$2"
+
+    upper="$(mktemp)"
+    lower="$(mktemp)"
+
+    # Split manifest into upper and lower part
+    split_manifest "$manifest" "$upper" "$lower"
+
+    # Validate upper part of manifest
+    while read -r line
+    do
+        if ecdsaverify -s "$line" -p "$public_key" "$upper"; then
+            echo "$line"
+            break
+        fi
+    done < "$lower"
+
+    # Remove temporary files
+    rm -f "$upper" "$lower"
+}
diff --git a/contrib/sign-release.sh b/contrib/sign-release.sh
@@ -1,82 +1,17 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 set -euo pipefail
 
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+source "${SCRIPT_DIR}/functions-sign.sh"
+
 function usage() {
     echo "Usage: $0 <release-version> <private-key-path>"
     echo "Example: $0 2.0.0 /path/to/private-key.ecdsakey"
     exit 1
 }
 
-function split_manifest() {
-    local manifest upper lower
-
-    manifest="$1"
-    upper="$2"
-    lower="$3"
-
-    awk 'BEGIN    {
-        sep = 0
-    }
-
-    /^---$/ {
-        sep = 1;
-        next
-    }
-
-    {
-        if(sep == 0) {
-            print > "'"$upper"'"
-        } else {
-            print > "'"$lower"'"
-        }
-    }' "$manifest"
-}
-
-function create_signature() {
-    local secret manifest upper lower
-
-    manifest="$1"
-    secret="$2"
-
-    upper="$(mktemp)"
-    lower="$(mktemp)"
-
-    # Split manifest into upper and lower part
-    split_manifest "$manifest" "$upper" "$lower"
-
-    # Sign upper part of manifest
-    ecdsasign "$upper" < "$secret"
-
-    # Remove temporary files
-    rm -f "$upper" "$lower"
-}
-
-function get_valid_signature() {
-    local public_key manifest upper lower
-
-    manifest="$1"
-    public_key="$2"
-
-    upper="$(mktemp)"
-    lower="$(mktemp)"
-
-    # Split manifest into upper and lower part
-    split_manifest "$manifest" "$upper" "$lower"
-
-    # Validate upper part of manifest
-    while read -r line
-    do
-        if ecdsaverify -s "$line" -p "$public_key" "$upper"; then
-            echo "$line"
-            break
-        fi
-    done < "$lower"
-
-    # Remove temporary files
-    rm -f "$upper" "$lower"
-}
-
 function cleanup() {
     rm -rf "$TEMP_DIR"
 }