From 8a436ec36ae5be5cd6a50fa98791da54433068ee Mon Sep 17 00:00:00 2001 From: "Wladimir J. van der Laan" Date: Tue, 7 Mar 2017 10:51:38 +0100 Subject: [PATCH] Merge #9932: Fix verify-commits on travis and always check top commit's tree b3ec305 Fix bashisms in verify-commits and always check top commit's tree (Matt Corallo) f20e664 Check gpg version before setting --weak-digest (Matt Corallo) Tree-SHA512: f87247008ae6a265e3fd371f00aec0e84f1feb713bf5859eab139a88a4e205e1f26de7b510bcc2c3ab538d5443978a48ec920d25b52b9601e625d198fa2d725f --- contrib/verify-commits/gpg.sh | 18 +++++++++++++++--- .../verify-commits/trusted-sha512-root-commit | 2 +- contrib/verify-commits/verify-commits.sh | 15 ++++++++------- 3 files changed, 24 insertions(+), 11 deletions(-) mode change 100755 => 100644 contrib/verify-commits/gpg.sh diff --git a/contrib/verify-commits/gpg.sh b/contrib/verify-commits/gpg.sh old mode 100755 new mode 100644 index ffb22478a03c3..b01e2a6d39e5a --- a/contrib/verify-commits/gpg.sh +++ b/contrib/verify-commits/gpg.sh @@ -19,8 +19,20 @@ else # an attacker could construct a pull-req that results in a commit object that # they've created a collision for. Not the most likely attack, but preventing # it is pretty easy so we do so as a "belt-and-suspenders" measure. - - GPG_RES="$(echo "$INPUT" | gpg --trust-model always --weak-digest sha1 "$@" 2>/dev/null)" + GPG_RES="" + for LINE in "$(gpg --version)"; do + case "$LINE" in + "gpg (GnuPG) 1.4.1"*|"gpg (GnuPG) 2.0."*) + echo "Please upgrade to at least gpg 2.1.10 to check for weak signatures" > /dev/stderr + GPG_RES="$(echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null)" + ;; + # We assume if you're running 2.1+, you're probably running 2.1.10+ + # gpg will fail otherwise + # We assume if you're running 1.X, it is either 1.4.1X or 1.4.20+ + # gpg will fail otherwise + esac + done + [ "$GPG_RES" = "" ] && GPG_RES="$(echo "$INPUT" | gpg --trust-model always --weak-digest sha1 "$@" 2>/dev/null)" fi for LINE in $(echo "$GPG_RES"); do case "$LINE" in @@ -40,7 +52,7 @@ if ! $VALID; then exit 1 fi if $VALID && $REVSIG; then - echo "$INPUT" | gpg --trust-model always "$@" | grep "^\[GNUPG:\] \(NEWSIG\|SIG_ID\|VALIDSIG\)" 2>/dev/null + echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null | grep "\[GNUPG:\] \(NEWSIG\|SIG_ID\|VALIDSIG\)" echo "$GOODREVSIG" else echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null diff --git a/contrib/verify-commits/trusted-sha512-root-commit b/contrib/verify-commits/trusted-sha512-root-commit index 189dc215e3902..c28f50ff78454 100644 --- a/contrib/verify-commits/trusted-sha512-root-commit +++ b/contrib/verify-commits/trusted-sha512-root-commit @@ -1 +1 @@ -b00ba6251f71fa1edaabdf809514e1bc3c67862e +f7ec7cfd38b543ba81ac7bed5b77f9a19739460b diff --git a/contrib/verify-commits/verify-commits.sh b/contrib/verify-commits/verify-commits.sh index 19d719ed1c528..73a3cf0356b55 100644 --- a/contrib/verify-commits/verify-commits.sh +++ b/contrib/verify-commits/verify-commits.sh @@ -43,11 +43,12 @@ IS_SIGNED () { export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=0 fi - if ! git -c "gpg.program=${DIR}/gpg.sh" verify-commit $1 > /dev/null 2>&1; then + if ! git -c "gpg.program=${DIR}/gpg.sh" verify-commit $1 > /dev/null; then return 1; fi - if [ "$VERIFY_TREE" = 1 ]; then + # We set $4 to 1 on the first call, always verifying the top of the tree + if [ "$VERIFY_TREE" = 1 -o "$4" = "1" ]; then IFS_CACHE="$IFS" IFS=' ' @@ -63,9 +64,10 @@ IS_SIGNED () { IFS="$IFS_CACHE" FILE_HASHES="" - for FILE in $(git ls-tree --full-tree -r --name-only $1 | LANG=C sort); do + for FILE in $(git ls-tree --full-tree -r --name-only $1 | LC_ALL=C sort); do HASH=$(git cat-file blob $1:"$FILE" | sha512sum | { read FIRST OTHER; echo $FIRST; } ) - [ "$FILE_HASHES" != "" ] && FILE_HASHES="$FILE_HASHES"$'\n' + [ "$FILE_HASHES" != "" ] && FILE_HASHES="$FILE_HASHES"' +' FILE_HASHES="$FILE_HASHES$HASH $FILE" done HASH_MATCHES=0 @@ -86,7 +88,7 @@ IS_SIGNED () { local PARENTS PARENTS=$(git show -s --format=format:%P $1) for PARENT in $PARENTS; do - if IS_SIGNED $PARENT $VERIFY_TREE $NO_SHA1; then + if IS_SIGNED $PARENT $VERIFY_TREE $NO_SHA1 0; then return 0; fi done @@ -110,10 +112,9 @@ fi DO_CHECKOUT_TEST=0 if [ x"$2" = "x--tree-checks" ]; then DO_CHECKOUT_TEST=1 - fi -IS_SIGNED "$TEST_COMMIT" "$DO_CHECKOUT_TEST" 1 +IS_SIGNED "$TEST_COMMIT" "$DO_CHECKOUT_TEST" 1 1 RES=$? if [ "$RES" = 1 ]; then if ! "$HAVE_FAILED"; then