csantanapr closed pull request #33: Add the support to verify the artifacts with the key URL: https://github.com/apache/incubator-openwhisk-release/pull/33
This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic):
diff --git a/tools/clean_remote_stage_artifacts.sh b/tools/clean_remote_stage_artifacts.sh
new file mode 100755
index 0000000..0577f7a
--- /dev/null
+++ b/tools/clean_remote_stage_artifacts.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+set -e
+
+echo "Clean the remote artifacts in staging directory"
+
+SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)"
+source "$SCRIPTDIR/util.sh"
+
+CONFIG=$(read_file $SCRIPTDIR/config.json)
+version_key="version"
+version_major=$(json_by_key "$CONFIG" ${version_key}.major)
+version_minor=$(json_by_key "$CONFIG" ${version_key}.minor)
+
+version=$version_major-$version_minor
+REMOTE_PATH="openwhisk-$version"
+STAGE_URL=$(json_by_key "$CONFIG" "stage_url")
+CURRENT_VERSION_URL="$STAGE_URL/${REMOTE_PATH}/"
+CREDENTIALS=""
+
+SVN_USERNAME=$1
+SVN_PASSWORD=$2
+
+if [ ! -z "$SVN_USERNAME" ] && [ ! -z "$SVN_PASSWORD" ];then
+ CREDENTIALS="--username $SVN_USERNAME --password $SVN_PASSWORD --non-interactive"
+fi
+
+if [[ `wget -S --spider $CURRENT_VERSION_URL 2>&1 | grep 'HTTP/1.1 200 OK'` ]]; then
+ svn delete $CURRENT_VERSION_URL -m "Removing Apache OpenWhisk release ${version} from staging." $CREDENTIALS
+fi
diff --git a/tools/install_dependencies.sh b/tools/install_dependencies.sh
index f48e33f..ca365bc 100755
--- a/tools/install_dependencies.sh
+++ b/tools/install_dependencies.sh
@@ -7,7 +7,6 @@ if [ $sysOS == "Darwin" ];then
 echo "This is MacOS."
 brew install jq
 brew install gpg
- brew install md5sha1sum
 elif [ $sysOS == "Linux" ];then
 echo "This is Linux."
 if [ -f /etc/lsb-release -o -d /etc/lsb-release.d ]; then
diff --git a/tools/key_pub.gpg b/tools/key_pub.gpg
new file mode 100644
index 0000000..febbeaf
--- /dev/null
+++ b/tools/key_pub.gpg
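Review bot: The svn password is embedded in `CREDENTIALS` and expanded onto the `svn delete` command line, so it is visible in the host's process list and in any `set -x` trace; load_config.sh in this same commit builds the identical string. Keep it off argv by letting svn use its auth cache or, where the installed svn supports it, `--password-from-stdin`, and hold the remaining options in an array (`creds=(--username "$SVN_USERNAME" --non-interactive)` … `svn delete "$CURRENT_VERSION_URL" -m "…" "${creds[@]}"`) rather than an unquoted string. The existence probe `grep 'HTTP/1.1 200 OK'` matches only that exact status line, so an HTTP/2 response or a different reason phrase makes the script silently skip the delete; matching `HTTP/[0-9.]* 200` or using `curl -fsI -o /dev/null "$CURRENT_VERSION_URL"` as the condition is less brittle.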
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFqB+RMBEACeKz2rzESI9Hch8ZUEY2mrTsCumXsFn8YAUkiuMN4g6Q5PvoRU
+k0tkD0wdQDg9Tqd5DlOaJMFaP25rvchR7OCgygf5DaKW4IsUh7FN5uID94ozwNvD
+oznyl5OTwzCB8jdRz5pMTRNx989yi0z0kMhIqXULQeCBWMdbv6wVcRlGmwWO6T42
+b2hi8gPZJjP++577WjGZWTV/NgOLyFPRYIn7phjBLkCfD15fGVzy+icXCxeunTgK
+T0qxD/r+6iTtxyWMkLQxLByZWxRUJCdt03oQVVwrL7SJHdKYvU5ElOUr1J4/axN+
+x43+Z5kz06ZZghewzdCMvnwf3IaEdJmrksY1U3wije1wXGKs7f9Y+eS+E9tVDuI/
+yLrhFs1/A6uNtuvfSqvHzaWWNUUl4/YP8VgPttaWKBBNw/EL2i3di9RQAfTMqRsk
+JBx2bLORu/MjAnH3nBztw3MHI6ll4u2xb03k1iW9Uc+lh76V63DcykVlhL0renCR
+ccZ3cGGi9vrfZ8pQHcPTLxK/l++QRUzewHEUM2nPOSW9DRe1jR128DhTr4p5yaKF
+z5vvtjU+GP+cZFM8HkY1RLrNA2/a4G/gHGQqdPybomSeq7hC0GtX6U5ESHeOqyH1
+hDblT7nldvyw1nb52+yzYjuhiJo/TB/F/7teAmHyDmOIot6EEAx+Onh6/wARAQAB
+tDxWaW5jZW50IEhvdSAoUmVsZWFzZSBtYW5hZ2VyIG9mIE9wZW5XaGlzaykgPHNo
+b3VAdXMuaWJtLmNvbT6JAk4EEwEIADgWIQT2AFplgI3xoq7hv/aeJ0HSiuatCgUC
+WoH5EwIbLwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCeJ0HSiuatClniD/99
+FDXY/Ju8i7+wmnpQpJof+242KhJEumttKn/SRkU79zCrsV3jT+z9Il8CbpPYyPVl
+BZPcHYs+1goky3yVJm+tDATtxXYmyeLvU+LcmZA2ftufWaakJti6uAt6gl/CvrPN
+Xdu44hcISCZs4b725A3InfGQbBGEppJfa0PxQ8Yx5yktNTom/DuzuaII70DoIffe
+rFIs0Bge4m9RDQ21VLxZGyg5l8xhc/viXzASisCiXGpXnRMiwcXwRgUd11VHsTQ+
+iueFBxkfk7O1whobs232iUy2Db42/OtL39fn8HRlkfhV6fzUieX0Z7lcc+hpzLMc
+HP/1LGxH5I+LnTN0iZpgZzDiv8HS7toQ3DzMDyMDypskKyrQty+Z0FOLuGFOY06y
+rbE6yc9doQBhTugVYQznia+v0G8rrwQwPVsKZnBmEzo1GT16jzGpse2NfPOMpbLk
+WJ3a1SNb8mtGS+XFFGQ/y9QNquBFD5kLjptSDdVbNexyxZ6SDpQFzulByonGDpqe
+Xez7Ho9kklOb3/1sH918zw6SlWWIhf4HOmZeYyucS6bIGBFnu+r+3wzSvhmJ2IlX
+53rX4F/n4PYfS5TEa5rmjxzy+sww1nEdo+/sYF3KiPysLn5h/Y9VtzSh1dsh1mV0
+O/9Ulqw3TsDrGa2k7Kx2PVHVx3KYMvpvskyP51U2EA==
+=/f4p
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/tools/key_sec.gpg.enc b/tools/key_sec.gpg.enc
new file mode 100644
index 0000000..7761b7f
Binary files /dev/null and b/tools/key_sec.gpg.enc differ
diff --git a/tools/export_pgp_key.sh b/tools/load_config.sh
similarity index 63%
rename from tools/export_pgp_key.sh
rename to tools/load_config.sh
index 8eafcac..0d6b2a3 100755
--- a/tools/export_pgp_key.sh
+++ b/tools/load_config.sh
@@ -1,27 +1,31 @@
 #!/usr/bin/env bash
-set -e
+WORK_DIR=${1:-"$HOME"}
+SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)"
-echo "Export the PGP key."
+SVN_USERNAME=$2
+SVN_PASSWORD=$3
+CREDENTIALS=""
+
+if [ ! -z "$SVN_USERNAME" ] && [ ! -z "$SVN_PASSWORD" ];then
+ CREDENTIALS="--username $SVN_USERNAME --password $SVN_PASSWORD --non-interactive"
+fi
-WORK_DIR=${1:-"$HOME"}
-PGP_EMAIL=${2:-"s...@us.ibm.com"}
 OPENWHISK_SOURCE_DIR="$WORK_DIR/openwhisk_sources"
 OPENWHISK_SVN="$OPENWHISK_SOURCE_DIR/openwhisk"
-SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)"
 source "$SCRIPTDIR/util.sh"
 CONFIG=$(read_file $SCRIPTDIR/config.json)
 repos=$(echo $(json_by_key "$CONFIG" "RepoList") | sed 's/[][]//g')
+STAGE_URL=$(json_by_key "$CONFIG" "stage_url")
+
 version_key="version"
 version_major=$(json_by_key "$CONFIG" ${version_key}.major)
 version_minor=$(json_by_key "$CONFIG" ${version_key}.minor)
 version=$version_major-$version_minor
-CURRENT_VERSION_DIR="$OPENWHISK_SVN/openwhisk-$version"
+REMOTE_PATH="openwhisk-$version"
-cd $CURRENT_VERSION_DIR
-
-# Output the public key into the file KEYS to be uploaded into the staging directory.
-gpg --yes --output KEYS --armor --export $PGP_EMAIL
+CURRENT_VERSION_URL="$STAGE_URL/${REMOTE_PATH}/"
+CURRENT_VERSION_DIR="$OPENWHISK_SVN/openwhisk-$version"
diff --git a/tools/package_source_code.sh b/tools/package_source_code.sh
index fa1c136..76829e7 100755
--- a/tools/package_source_code.sh
+++ b/tools/package_source_code.sh
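Review bot: `SCRIPTDIR` is computed from `$0`, but this renamed file is only ever `source`d (package_source_code.sh and both verify_*.sh scripts in this commit do `source "$SCRIPTDIR/load_config.sh"`), so `$0` is the sourcing script's path and the lookups of `util.sh` and `config.json` work only because every caller happens to sit in the same directory. `SCRIPTDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"` resolves this file regardless of who sources it. With `set -e` dropped and the file sourced, a failing `json_by_key` leaves `version_major`, `version_minor` or `STAGE_URL` empty and the callers carry on with values such as `openwhisk--` or a URL of `/openwhisk-.../`; a `: "${version_major:?}"`-style assertion after the lookups would surface that instead.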
@@ -4,34 +4,8 @@ set -e
 echo "Package the artifacts."
-SVN_USERNAME=$2
-SVN_PASSWORD=$3
-CREDENTIALS=""
-
-if [ ! -z "$SVN_USERNAME" ] && [ ! -z "$SVN_PASSWORD" ];then
- CREDENTIALS="--username $SVN_USERNAME --password $SVN_PASSWORD --non-interactive"
-fi
-
-WORK_DIR=${1:-"$HOME"}
-
-OPENWHISK_SOURCE_DIR="$WORK_DIR/openwhisk_sources"
-OPENWHISK_SVN="$OPENWHISK_SOURCE_DIR/openwhisk"
-
 SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)"
-source "$SCRIPTDIR/util.sh"
-
-CONFIG=$(read_file $SCRIPTDIR/config.json)
-repos=$(echo $(json_by_key "$CONFIG" "RepoList") | sed 's/[][]//g')
-version_key="version"
-version_major=$(json_by_key "$CONFIG" ${version_key}.major)
-version_minor=$(json_by_key "$CONFIG" ${version_key}.minor)
-
-version=$version_major-$version_minor
-CURRENT_VERSION_DIR="$OPENWHISK_SVN/openwhisk-$version"
-echo $version
-
-STAGE_URL=$(json_by_key "$CONFIG" "stage_url")
-echo $STAGE_URL
+source "$SCRIPTDIR/load_config.sh" $1 $2 $3
 # Create a subversion directory for openwhisk to stage all the packages
 rm -rf $OPENWHISK_SVN
diff --git a/tools/sign_artifacts.sh b/tools/sign_artifacts.sh
index 288985a..8695d11 100755
--- a/tools/sign_artifacts.sh
+++ b/tools/sign_artifacts.sh
@@ -31,10 +31,11 @@ if [ $sysOS == "Darwin" ];then
 fi
 cd $CURRENT_VERSION_DIR
-
+echo "Sign the artifacts with the private key."
 for artifact in *.tar.gz; do
 gpg --print-md MD5 ${artifact} > ${artifact}.md5
 gpg --print-md SHA512 ${artifact} > ${artifact}.sha512
+
 if [ $sysOS == "Darwin" ];then
 # The option --passphrase-fd does not work on Mac.
 `gpg --yes --armor --output ${artifact}.asc --detach-sig ${artifact}`
diff --git a/tools/travis/import_pgp_key.sh b/tools/travis/import_pgp_key.sh
new file mode 100755
index 0000000..fca5112
--- /dev/null
+++ b/tools/travis/import_pgp_key.sh
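Review bot: The sourced `load_config.sh` receives `$1 $2 $3` unquoted, so an empty or missing argument disappears and the remaining ones shift position: a call with an empty work dir but a username and password makes the username become `WORK_DIR` and the password become `SVN_USERNAME`. Quote them, `source "$SCRIPTDIR/load_config.sh" "$1" "$2" "$3"`, which still lets `${1:-"$HOME"}` apply the default for an empty first argument. The travis caller in this commit forwards `$WORK_DIR $SVN_USERNAME $SVN_PASSWORD` unquoted as well, and the two new verify_*.sh scripts repeat the unquoted `$1 $2 $3`, so the same change belongs there.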
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+set -e
+
+echo "Import the PGP key."
+
+SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)"
+
+# Load the public key located in the repo of openwhisk release.
+echo "Load the public key."
+gpg --import $SCRIPTDIR/key_pub.gpg
+
+echo "Load the private key."
+gpg --allow-secret-key-import --import $SCRIPTDIR/key_sec.gpg
diff --git a/tools/travis/package_source_code.sh b/tools/travis/package_source_code.sh
index e09b021..e14244e 100755
--- a/tools/travis/package_source_code.sh
+++ b/tools/travis/package_source_code.sh
@@ -19,10 +19,10 @@ if [ "$TRAVIS_EVENT_TYPE" == "push" ] ; then
 fi
 "$PARENTDIR/package_source_code.sh" $WORK_DIR $SVN_USERNAME $SVN_PASSWORD
-"$PARENTDIR/generate_pgp_key.sh"
-"$PARENTDIR/export_pgp_key.sh" $WORK_DIR
-"$PARENTDIR/sign_artifacts.sh" $WORK_DIR
 if [ "$TRAVIS_EVENT_TYPE" == "push" ] ; then
+ openssl aes-256-cbc -K $encrypted_2030e681f34a_key -iv $encrypted_2030e681f34a_iv -in $PARENTDIR/key_sec.gpg.enc -out $PARENTDIR/key_sec.gpg -d
+ "$SCRIPTDIR/import_pgp_key.sh"
+ "$PARENTDIR/sign_artifacts.sh" $WORK_DIR
 "$PARENTDIR/upload_artifacts.sh" $WORK_DIR $SVN_USERNAME $SVN_PASSWORD
 fi
diff --git a/tools/util.sh b/tools/util.sh
index 7654c40..36ddc8b 100755
--- a/tools/util.sh
+++ b/tools/util.sh
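Review bot: The key paths in this script do not match where the commit puts the files: `key_pub.gpg` is added as `tools/key_pub.gpg` and the travis caller decrypts the private key to `$PARENTDIR/key_sec.gpg`, while this script lives in `tools/travis/` and reads `$SCRIPTDIR/key_pub.gpg` and `$SCRIPTDIR/key_sec.gpg`, so unless `PARENTDIR` happens to resolve to `tools/travis` both `gpg --import` calls fail on a missing file and `set -e` aborts the job before signing. If the keys are meant to stay in `tools/`, use `gpg --import "$SCRIPTDIR/../key_pub.gpg"` and `gpg --import "$SCRIPTDIR/../key_sec.gpg"`, or have the caller pass the directory explicitly. `--allow-secret-key-import` is an obsolete no-op in current GnuPG and can be dropped.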
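Review bot: The decrypted signing key is written to `$PARENTDIR/key_sec.gpg` and never removed, so it stays on the build worker's disk inside the checkout for the rest of the job after `import_pgp_key.sh` has consumed it. Either delete it right after the import, `rm -f -- "$PARENTDIR/key_sec.gpg"`, or avoid the file altogether by dropping `-out` and piping the plaintext straight into `gpg --import`. Neither the `openssl` call nor the import script has its exit status checked here, and whether `set -e` is in effect depends on the head of this file, which lies outside the hunk; if it is not, a failed decryption would still let `sign_artifacts.sh` and `upload_artifacts.sh` run. The `-K`/`-iv` values are also passed on the command line, so this block must never run under `set -x`.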
@@ -9,3 +9,40 @@ function json_by_key() {
 key=$2
 echo $input | jq ''.$key'' | sed -e 's/^"//' -e 's/"$//'
 }
+
+function import_key_verify_signature() {
+ key_url=$1
+ dir=$2
+ cd $dir
+
+ echo "Importing PGP keys"
+ curl $key_url | gpg --import && \
+ echo "[?] GPG keys imported" \
+ || { echo "[x] Failed to import GPG keys"; exit 1; }
+
+ echo "Checking signatures and hashes of artifacts"
+ for artifact in $(find * -type f \( -name '*.tar.gz' \) ); do
+ # Check md5
+ artifactMD5=$(gpg --print-md MD5 ${artifact})
+ artifactMD5File=$(cat ${artifact}.md5)
+ if [ "$artifactMD5" == "$artifactMD5File" ];then
+ echo "[?] MD5 verified for $artifact"
+ else
+ echo "[x] Unmatched MD5 for $artifact."; exit 1;
+ fi
+
+ # Check sha512
+ artifactSha512=$(gpg --print-md SHA512 ${artifact})
+ artifactSha512File=$(cat ${artifact}.sha512)
+ if [ "$artifactSha512" == "$artifactSha512File" ];then
+ echo "[?] SHA512 verified for $artifact"
+ else
+ echo "[x] Unmatched SHA512 for $artifact."; exit 1;
+ fi
+
+ # Verify the signatures
+ gpg --verify ${artifact}.asc ${artifact} && \
+ echo "[?] Signatures verified for $artifact" \
+ || { echo "[x] Invalid signature for $artifact."; exit 1; }
+ done
+}
\ No newline at end of file
diff --git a/tools/verify_local_artifacts.sh b/tools/verify_local_artifacts.sh
new file mode 100755
index 0000000..3a83484
--- /dev/null
+++ b/tools/verify_local_artifacts.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -e
+
+echo "Verify the local artifacts with the KEYS"
+
+SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)"
+source "$SCRIPTDIR/load_config.sh" $1 $2 $3
+
+mkdir -p $OPENWHISK_SVN
+cd $OPENWHISK_SVN/$REMOTE_PATH
+
+import_key_verify_signature $STAGE_URL/KEYS $OPENWHISK_SVN/$REMOTE_PATH
diff --git a/tools/verify_remote_artifacts.sh b/tools/verify_remote_artifacts.sh
new file mode 100755
index 0000000..ad4f330
--- /dev/null
+++ b/tools/verify_remote_artifacts.sh
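Review bot: `import_key_verify_signature` imports whatever `curl $key_url` returns and then accepts any successful `gpg --verify`, but both callers in this commit (verify_local_artifacts.sh and verify_remote_artifacts.sh) take `$key_url` from `$STAGE_URL/KEYS`, the same location the artifacts come from, so a KEYS file replaced alongside the artifacts would still pass the check; the signature needs to be tied to a key whose identity is fixed outside the staging area, e.g. the `tools/key_pub.gpg` this commit adds, or by comparing the fingerprint gpg reports against an expected value before declaring success. `curl` also runs without `-f`/`-sS`, so a 404 or redirect body is piped into `gpg --import` and only gpg's status decides the outcome; `curl -fsSL -- "$key_url" | gpg --import` makes the fetch itself fail loudly. The loop `for artifact in $(find * -type f \( -name '*.tar.gz' \) )` and the unquoted `cd $dir`/`${artifact}` break on paths containing spaces; `while IFS= read -r -d '' artifact; do …; done < <(find . -type f -name '*.tar.gz' -print0)` with quoted expansions is the safe form. Since this function is sourced, its `exit 1` terminates the calling script rather than returning, which is fine for these callers but should be stated in a comment above the function.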
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+set -e
+
+echo "Verify the remote artifacts with the KEYS"
+
+SCRIPTDIR="$(cd $(dirname "$0")/ && pwd)"
+source "$SCRIPTDIR/load_config.sh" $1 $2 $3
+
+mkdir -p $OPENWHISK_SVN
+cd $OPENWHISK_SVN
+
+# Remove the local folder, because we are about to download the artifacts from the staging folder.
+rm -rf $REMOTE_PATH
+
+# Check out the artifacts.
+svn co $CURRENT_VERSION_URL $REMOTE_PATH
+
+cd $REMOTE_PATH
+
+import_key_verify_signature $STAGE_URL/KEYS $OPENWHISK_SVN/$REMOTE_PATH
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
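Review bot: `rm -rf $REMOTE_PATH` and the following `svn co`/`cd` use `REMOTE_PATH`, `CURRENT_VERSION_URL` and `OPENWHISK_SVN` unquoted even though all three are assembled by the sourced load_config.sh from config.json values, so a value containing whitespace or glob characters would be split or expanded into unrelated names before `rm -rf` sees it. Write the destructive line as `rm -rf -- "${REMOTE_PATH:?REMOTE_PATH is empty}"` and quote the other expansions (`svn co "$CURRENT_VERSION_URL" "$REMOTE_PATH"`, `cd "$REMOTE_PATH"`). The `$2 $3` forwarded to load_config.sh only build `CREDENTIALS`, which nothing in this script uses, so the checkout is anonymous; either pass `$CREDENTIALS` to `svn co` or drop the two arguments and say in the header comment that the staging URL is read without authentication.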