diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3451b46..9160643 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -60,3 +60,46 @@ jobs:
 }
 done
 shell: bash # See https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference, we want the pipefail option.
+
+ lint-pubring:
+ if: github.event.pull_request.draft == false
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ fetch-depth: 0 # We need 0 to validate the git commit signatures.
+ persist-credentials: false
+
+ - name: Check if there are any keyring changes
+ id: keyring-changes
+ run: |
+ git diff --exit-code --quiet ${{ github.event_name == 'push' && github.event.before || 'HEAD^' }} -- gpg/ || echo "HAS_CHANGED=true" >> "$GITHUB_OUTPUT"
+ git diff --exit-code --quiet ${{ github.event_name == 'push' && github.event.before || 'HEAD^' }} -- gpg-only-active-keys/ || echo "HAS_ACTIVE_CHANGED=true" >> "$GITHUB_OUTPUT"
+
+ - name: Export pubring content
+ run: |
+ for dir in gpg gpg-only-active-keys; do
+ gpg --no-default-keyring --keyring "$dir/pubring.kbx" --list-keys --with-colons > "$dir/all-keys.list"
+ gpg --no-default-keyring --keyring "$dir/pubring.kbx" --export --armor > "$dir/all-keys.asc"
+ git add "$dir/all-keys.list" "$dir/all-keys.asc"
+ done
+ - name: Re-generate gpg folders
+ run: |
+ ./generate-gpg-dir.sh
+ for dir in gpg gpg-only-active-keys; do
+ gpg --no-default-keyring --keyring "$dir/pubring.kbx" --list-keys --with-colons > "$dir/all-keys.list"
+ gpg --no-default-keyring --keyring "$dir/pubring.kbx" --export --armor > "$dir/all-keys.asc"
+ done
+ - run: git diff --exit-code -- gpg/all-keys.list gpg/all-keys.asc gpg-only-active-keys/all-keys.list gpg-only-active-keys/all-keys.asc
+
+ - name: Validate that all non-v0.x releases can be verified using the keyring
+ if: steps.keyring-changes.outputs.HAS_CHANGED == 'true'
+ run: |
+ curl -fs https://nodejs.org/dist/index.json \
+ | jq -er '.[].version | select(startswith("v0.") | not)' \
+ | while read -r VERSION; do
+ echo "Checking $VERSION..."
+ curl -fs "https://nodejs.org/dist/${VERSION}/SHASUMS256.txt.asc" \
+ | gpgv --keyring="gpg/pubring.kbx"
+ done
+ shell: bash # See https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference, we want the pipefail option.
diff --git a/generate-gpg-dir.sh b/generate-gpg-dir.sh
new file mode 100755
index 0000000..5511339
--- /dev/null
+++ b/generate-gpg-dir.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+ set -ex
+
+ GNUPGHOME=${1:-"$(cd "$(dirname "$0")"; pwd)/gpg"}
+ ONLY_ACTIVE_KEYS=${2:-"$GNUPGHOME-only-active-keys"}
+
+ if [ -d "$GNUPGHOME" ]; then
+ # If folder exists, move it to a temp dir
+ # Removing it could be dangerous
+ TRASH=$(mktemp -d)
+ mv "$GNUPGHOME" "$TRASH"
+ fi
+ if [ -d "$ONLY_ACTIVE_KEYS" ]; then
+ # If folder exists, move it to a temp dir
+ # Removing it could be dangerous
+ TRASH=$(mktemp -d)
+ mv "$ONLY_ACTIVE_KEYS" "$TRASH"
+ fi
+
+ mkdir -p "$GNUPGHOME"
+
+ awk -F'`' '/^$/,/^$/ {if($1 == " [") print substr($3, 3, length($3) - 3) }' README.md | while read -r KEY_PATH; do
+ GNUPGHOME="$GNUPGHOME" gpg --import "$KEY_PATH"
+ done
+
+ cp -R "$GNUPGHOME" "$ONLY_ACTIVE_KEYS"
+
+ awk -F'`' '/^$/,/^$/ {if($1 == " [") print substr($3, 3, length($3) - 3) }' README.md | while read -r KEY_PATH; do
+ GNUPGHOME="$GNUPGHOME" gpg --import "$KEY_PATH"
+ done
diff --git a/gpg/crls.d/DIR.txt b/gpg/crls.d/DIR.txt
deleted file mode 100644
index 2a29a47..0000000
--- a/gpg/crls.d/DIR.txt
+++ /dev/null
@@ -1 +0,0 @@
-v:1:
diff --git a/gpg/pubring.kbx b/gpg/pubring.kbx
index 9036f78..c2cb707 100644
Binary files a/gpg/pubring.kbx and b/gpg/pubring.kbx differ
diff --git a/gpg/trustdb.gpg b/gpg/trustdb.gpg
index 2d958e7..b453605 100644
Binary files a/gpg/trustdb.gpg and b/gpg/trustdb.gpg differ