contrib/verify-commits/gpg.sh

   1 #!/bin/sh
   2 # Copyright (c) 2014-2016 The Bitcoin Core developers
   3 # Distributed under the MIT software license, see the accompanying
   4 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
   5
   6 INPUT=$(cat /dev/stdin)
   7 VALID=false
   8 REVSIG=false
   9 IFS='
  10 '
  11 if [ "$BITCOIN_VERIFY_COMMITS_ALLOW_SHA1" = 1 ]; then
  12         GPG_RES="$(echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null)"
  13 else
  14         # Note how we've disabled SHA1 with the --weak-digest option, disabling
  15         # signatures - including selfsigs - that use SHA1. While you might think that
  16         # collision attacks shouldn't be an issue as they'd be an attack on yourself,
  17         # in fact because what's being signed is a commit object that's
  18         # semi-deterministically generated by untrusted input (the pull-req) in theory
  19         # an attacker could construct a pull-req that results in a commit object that
  20         # they've created a collision for. Not the most likely attack, but preventing
  21         # it is pretty easy so we do so as a "belt-and-suspenders" measure.
  22         GPG_RES=""
  23         for LINE in "$(gpg --version)"; do
  24                 case "$LINE" in
  25                         "gpg (GnuPG) 1.4.1"*|"gpg (GnuPG) 2.0."*)
  26                                 echo "Please upgrade to at least gpg 2.1.10 to check for weak signatures" > /dev/stderr
  27                                 GPG_RES="$(echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null)"
  28                                 ;;
  29                         # We assume if you're running 2.1+, you're probably running 2.1.10+
  30                         # gpg will fail otherwise
  31                         # We assume if you're running 1.X, it is either 1.4.1X or 1.4.20+
  32                         # gpg will fail otherwise
  33                 esac
  34         done
  35         [ "$GPG_RES" = "" ] && GPG_RES="$(echo "$INPUT" | gpg --trust-model always --weak-digest sha1 "$@" 2>/dev/null)"
  36 fi
  37 for LINE in $(echo "$GPG_RES"); do
  38         case "$LINE" in
  39         "[GNUPG:] VALIDSIG "*)
  40                 while read KEY; do
  41                         [ "${LINE#?GNUPG:? VALIDSIG * * * * * * * * * }" = "$KEY" ] && VALID=true
  42                 done < ./contrib/verify-commits/trusted-keys
  43                 ;;
  44         "[GNUPG:] REVKEYSIG "*)
  45                 [ "$BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG" != 1 ] && exit 1
  46                 REVSIG=true
  47                 GOODREVSIG="[GNUPG:] GOODSIG ${LINE#* * *}"
  48                 ;;
  49         "[GNUPG:] EXPKEYSIG "*)
  50                 [ "$BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG" != 1 ] && exit 1
  51                 REVSIG=true
  52                 GOODREVSIG="[GNUPG:] GOODSIG ${LINE#* * *}"
  53                 ;;
  54         esac
  55 done
  56 if ! $VALID; then
  57         exit 1
  58 fi
  59 if $VALID && $REVSIG; then
  60         echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null | grep "\[GNUPG:\] \(NEWSIG\|SIG_ID\|VALIDSIG\)"
  61         echo "$GOODREVSIG"
  62 else
  63         echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null
  64 fi