authorMarkus Pettersson <markus.pettersson@mullvad.net>2023-05-30 14:13:34 +0200
committerLinus Färnstrand <linus@mullvad.net>2023-06-05 15:17:12 +0200
commitd67c960359227509bbe61bcd2fd8e69461472e42 (patch)
tree04e3e6e5a6b7074492eb74cc73c18a2a812d5b9c
parent1dad461643a8bd96e3099b7d8c5bd442f85180d5 (diff)
downloadmullvadvpn-d67c960359227509bbe61bcd2fd8e69461472e42.tar.xz
mullvadvpn-d67c960359227509bbe61bcd2fd8e69461472e42.zip
Verify that important files have not been accidentally removed
Verify that we do not remove any file we deem important. If any such file is removed, it should also be removed from the list this CI job uses, and as such we raise a flag. Update the CI job to also check that all files in the list of important files still exist in the working directory/at the HEAD where it's being executed from.
-rwxr-xr-xci/verify-locked-down-signatures.sh26
1 files changed, 19 insertions, 7 deletions
diff --git a/ci/verify-locked-down-signatures.sh b/ci/verify-locked-down-signatures.sh
index 638e9d0831..82bad80073 100755
--- a/ci/verify-locked-down-signatures.sh
+++ b/ci/verify-locked-down-signatures.sh
@@ -2,8 +2,8 @@
set -eu
shopt -s nullglob
-SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-readonly SCRIPT_DIR
+readonly SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+readonly REPO_DIR="$SCRIPT_DIR/.."
# In the CI environment we would like to import trusted public keys from a file,
# but not in our build environment
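Review bot: Folding the command substitution into `readonly SCRIPT_DIR="$( cd ... && pwd )"` makes the statement's exit status that of `readonly`, so a failing `cd` no longer trips `set -e`. SCRIPT_DIR would then be empty and REPO_DIR would become `/..`. The removed two-line form did not have this problem; keep the plain assignment and follow it with `readonly SCRIPT_DIR`, then declare REPO_DIR. A why-comment such as `# assign first so set -e sees a failing cd` would stop the lines being merged again.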
@@ -51,26 +51,38 @@ fi
# correctly. This is done by replacing all new-lines with a `;`
readonly SEPARATOR=';'
locked_down_paths=$(\
- < "$SCRIPT_DIR/../.github/workflows/verify-locked-down-signatures.yml" tr '\n' $SEPARATOR \
+ < "$REPO_DIR/.github/workflows/verify-locked-down-signatures.yml" tr '\n' $SEPARATOR \
| sed "s/.*paths:$SEPARATOR\(\(\s*-\s[a-zA-Z\/\.-]*$SEPARATOR\)*\).*/\1/" \
| tr $SEPARATOR '\n' \
| awk '{print $2}')
+
+
unsigned_commits_exist=0
+important_file_was_removed=0
for locked_path in $locked_down_paths; do
+ echo "Checking $locked_path"
+
locked_path_commit_hashes=$(git rev-list --oneline "$whitelisted_commit"..HEAD \
- "$SCRIPT_DIR/../$locked_path" | awk '{print $1}')
+ "$REPO_DIR/$locked_path" | awk '{print $1}')
for commit in $locked_path_commit_hashes; do
+ echo -e "\tin $commit.."
if ! git verify-commit "$commit" 2> /dev/null; then
echo "Commit $commit which changed $locked_path is not signed."
unsigned_commits_exist=1
fi
done
+
+ # Check if important file has been removed.
+ if [[ ! -e "$REPO_DIR/$locked_path" ]]; then
+ echo "$locked_path was removed. If this was intentional, remove it from `verify-locked-down-signatures.yml`."
+ important_file_was_removed=1
+ fi
done
-if [[ $unsigned_commits_exist == 0 ]]; then
- echo "SUCCESS: Could not find any unsigned commits which modified a locked down path"
+if [[ "$unsigned_commits_exist" != 0 || "$important_file_was_removed" != 0 ]]; then
+ exit 1
fi
-exit $unsigned_commits_exist
+echo "SUCCESS: Could not find any offenses to locked down paths"
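Review bot: The backticks around the workflow file name in the added "was removed" `echo` sit inside double quotes, so bash treats them as command substitution and tries to run a command called verify-locked-down-signatures.yml. The hint then prints with the file name missing, and anything of that name on PATH would be executed by the CI job. Use single quotes inside the string, or escape the backticks: `echo "$locked_path was removed. If this was intentional, remove it from 'verify-locked-down-signatures.yml'."`. Separately, the rewritten exit path still prints SUCCESS when `locked_down_paths` is empty. The visible `set -eu` has no pipefail, so an unreadable workflow file would presumably not abort the pipeline; a guard before the loop such as `[[ -n "$locked_down_paths" ]] || { echo "No locked down paths found" >&2; exit 1; }` would make the check fail closed.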