Harden get-latest-pulsecore.sh #166

Open
wants to merge 1 commit into base: master

42 changes: 29 additions & 13 deletions get-latest-pulsecore.sh
@@ -1,6 +1,6 @@
#!/bin/bash

set -ex
set -euxo pipefail

exit_updater() {
local exit_code=$?
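Review bot: adding `pipefail` changes what the `git ls-remote ... | head -c $((1 << 16)) | sed` pipeline further down means: the pipeline now fails whenever `git ls-remote` exits non-zero, and if the remote ever advertises more than 64 KiB of refs, `head -c` will close the pipe early and `git ls-remote` can die with SIGPIPE, which under `pipefail` aborts the whole script instead of yielding the latest version. Since sed's `$` address already selects only the last line, consider dropping the `head -c` truncation, or capture the output into a variable first and bound its size there. Note also that the `trap 'exit_updater' 0 1 2 3 6 15` line is only installed after the two version lookups, so any failure that `-u` or `pipefail` now surfaces in those lookups exits without running `exit_updater`; installing the trap before the first command that can fail would close that gap.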
@@ -22,29 +22,45 @@ fi

REPO_URL=https://gitlab.freedesktop.org/pulseaudio/pulseaudio.git

LATEST_REPO_VERSION="$(git ls-remote --exit-code --refs --tags --sort="v:refname" "$REPO_URL" '*.*' | tail -n1 | cut -d/ -f3 | sed 's/^v//')"
LATEST_REPO_VERSION=$(
git ls-remote --exit-code --refs --tags --sort="v:refname" "$REPO_URL" |
head -c $((1 << 16)) |
sed -nE $'$ s%^[0-9a-f]{40}\trefs/tags/v([0-9]+(\\.[0-9]{1,5}){1,2})$%\\1%p'
)
LATEST_QUBES_VERSION="$(find "$LOCALDIR/pulse" -type d -name "pulsecore-*" | sed "s|$LOCALDIR/pulse/pulsecore-||" | sort -g | tail -1)"

trap 'exit_updater' 0 1 2 3 6 15

if [ "${LATEST_QUBES_VERSION}" != "${LATEST_REPO_VERSION}" ] && [ ! -e "$LOCALDIR/pulse/pulsecore-${LATEST_REPO_VERSION}" ]; then
cd "$TMPDIR"
mkdir gnupg-tmp gnupg git
export "GNUPGHOME=$PWD/gnupg"
cd git

git clone --depth 1 --branch "v$LATEST_REPO_VERSION" "$REPO_URL" .
git clone --no-checkout --depth 1 --branch "v$LATEST_REPO_VERSION" "$REPO_URL" .

trusted_signers=(
52DFA7B8BAC74687C8A88EF48165E3D1987E2132
B61E1D411D57BD16F11536162477064CE8B9F3BD
)
# Import keys of repo taggers
for key in \
52DFA7B8BAC74687C8A88EF48165E3D1987E2132 \
B61E1D411D57BD16F11536162477064CE8B9F3BD; do
gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" ||
gpg --batch --keyserver keys.openpgp.org --recv-keys "$key" ||
gpg --batch --keyserver pgp.mit.edu --recv-keys "$key" ||
gpg --batch --keyserver keyserver.pgp.com --recv-keys "$key" ||
gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"
done
for key in "${trusted_signers[@]}"; do
echo "$key:6:" | gpg --import-ownertrust
for i in keyserver.ubuntu.com keys.openpgp.org pgp.mit.edu keyserver.pgp.com; do
sq keyserver --server "$i" get --binary -- "0x$key" && break
done
done | gpg --homedir=../gnupg-tmp --import --no-armor
gpg --homedir=../gnupg-tmp --export -- "${trusted_signers[@]}" | gpg --import --no-armor

for key in "${trusted_signers[@]}"; do
echo "$key:6:"
done | gpg --import-ownertrust
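Review bot: `LATEST_REPO_VERSION` can silently end up empty. `sed -nE '$ s%...%\1%p'` prints only when the last (highest-sorting) tag has the shape `v<N>.<N>` or `v<N>.<N>.<N>` with components of at most five digits; a last tag with a suffix, a fourth component or a longer component prints nothing, `-u` does not catch a variable that is set but empty, and the script then proceeds to the `[ ! -e "$LOCALDIR/pulse/pulsecore-" ]` test and to `git clone --branch "v"`. Add `[ -n "$LATEST_REPO_VERSION" ] || exit 1` directly after the assignment (or make the substitution itself fail, e.g. by appending `| grep .`). The keyserver loop has the same silent-failure shape: `sq keyserver --server "$i" get --binary -- "0x$key" && break` never trips `set -e` when every server fails for a key, so a missing signer is only noticed later when `verify-tag` rejects the tag; check explicitly after the inner `for` that one fetch succeeded and exit with a clear message otherwise. Dropping `ha.pool.sks-keyservers.net` from the server list is the right call.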
Comment on lines +47 to +57

Member:

Why two keyrings and all this dance?
But also, I don't like using both Sequoia and GnuPG. If Sequoia can handle all the tasks (including git tag verification), then switch completely, otherwise stick with GnuPG (and perhaps commit pubkeys into the repo to avoid keyserver interaction).

Contributor Author:

Because I don't want to rely on GnuPG's networking code, but Git does not support Sequoia. Committing the public keys to the repo is a simpler solution.

Member:

Besides the thing above (which is still relevant), why two temporary gpg homedirs? Does `sq keyserver get` potentially fetch a different key than it was asked for?

Contributor Author:

I think I can use the chameleon version of Sequoia.

tag_to_verify="refs/tags/v$LATEST_REPO_VERSION"

# Verify integrity
git -c gpg.program=gpg tag -v "$(git describe)"
git -c gpg.openpgp.program=gpg -c gpg.minTrustLevel=ultimate verify-tag "$tag_to_verify" || exit
git checkout "$tag_to_verify^{commit}"

# remove unwanted files
find "src/pulsecore" -type f ! -regex '.*\.h$' -exec rm -f {} \;
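Review bot: the `|| exit` after `verify-tag` is redundant under `set -e`, and because a bare `exit` takes the status of the command that just failed it behaves identically; if you want an explicit check to survive a later change to the `set` line, write `|| exit 1` so the intent is visible. The `# Verify integrity` comment also undersells the line: `verify-tag` with `gpg.minTrustLevel=ultimate` checks the tag's OpenPGP signature against the two keys that were given ownertrust `6` (ultimate) above, which is an authenticity check tied to `trusted_signers`, not just an integrity check, and the comment should say so. Checking out `"$tag_to_verify^{commit}"` only after the tag verifies, on a `--no-checkout` clone, is the right order.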