|
9 | 9 | DIR=$(dirname "$0")
|
10 | 10 | [ "/${DIR#/}" != "$DIR" ] && DIR=$(dirname "$(pwd)/$0")
|
11 | 11 |
|
| 12 | +echo "Using verify-commits data from ${DIR}" |
| 13 | + |
12 | 14 | VERIFIED_ROOT=$(cat "${DIR}/trusted-git-root")
|
| 15 | +VERIFIED_SHA512_ROOT=$(cat "${DIR}/trusted-sha512-root-commit") |
13 | 16 | REVSIG_ALLOWED=$(cat "${DIR}/allow-revsig-commits")
|
14 | 17 |
|
15 | 18 | HAVE_FAILED=false
|
16 | 19 | IS_SIGNED () {
|
17 | 20 | if [ $1 = $VERIFIED_ROOT ]; then
|
18 | 21 | return 0;
|
19 | 22 | fi
|
| 23 | + |
| 24 | + VERIFY_TREE=$2 |
| 25 | + NO_SHA1=$3 |
| 26 | + if [ $1 = $VERIFIED_SHA512_ROOT ]; then |
| 27 | + if [ "$VERIFY_TREE" = "1" ]; then |
| 28 | + echo "All Tree-SHA512s matched up to $VERIFIED_SHA512_ROOT" > /dev/stderr |
| 29 | + fi |
| 30 | + VERIFY_TREE=0 |
| 31 | + NO_SHA1=0 |
| 32 | + fi |
| 33 | + |
| 34 | + if [ "$NO_SHA1" = "1" ]; then |
| 35 | + export BITCOIN_VERIFY_COMMITS_ALLOW_SHA1=0 |
| 36 | + else |
| 37 | + export BITCOIN_VERIFY_COMMITS_ALLOW_SHA1=1 |
| 38 | + fi |
| 39 | + |
20 | 40 | if [ "${REVSIG_ALLOWED#*$1}" != "$REVSIG_ALLOWED" ]; then
|
21 | 41 | export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=1
|
22 | 42 | else
|
23 | 43 | export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=0
|
24 | 44 | fi
|
| 45 | + |
25 | 46 | if ! git -c "gpg.program=${DIR}/gpg.sh" verify-commit $1 > /dev/null 2>&1; then
|
26 | 47 | return 1;
|
27 | 48 | fi
|
| 49 | + |
| 50 | + if [ "$VERIFY_TREE" = 1 ]; then |
| 51 | + IFS_CACHE="$IFS" |
| 52 | + IFS=' |
| 53 | +' |
| 54 | + for LINE in $(git ls-tree --full-tree -r $1); do |
| 55 | + case "$LINE" in |
| 56 | + "12"*) |
| 57 | + echo "Repo contains symlinks" > /dev/stderr |
| 58 | + IFS="$IFS_CACHE" |
| 59 | + return 1 |
| 60 | + ;; |
| 61 | + esac |
| 62 | + done |
| 63 | + IFS="$IFS_CACHE" |
| 64 | + |
| 65 | + FILE_HASHES="" |
| 66 | + for FILE in $(git ls-tree --full-tree -r --name-only $1 | LANG=C sort); do |
| 67 | + HASH=$(git cat-file blob $1:"$FILE" | sha512sum | { read FIRST OTHER; echo $FIRST; } ) |
| 68 | + [ "$FILE_HASHES" != "" ] && FILE_HASHES="$FILE_HASHES"$'\n' |
| 69 | + FILE_HASHES="$FILE_HASHES$HASH $FILE" |
| 70 | + done |
| 71 | + HASH_MATCHES=0 |
| 72 | + MSG="$(git show -s --format=format:%B $1 | tail -n1)" |
| 73 | + |
| 74 | + case "$MSG -" in |
| 75 | + "Tree-SHA512: $(echo "$FILE_HASHES" | sha512sum)") |
| 76 | + HASH_MATCHES=1;; |
| 77 | + esac |
| 78 | + |
| 79 | + if [ "$HASH_MATCHES" = "0" ]; then |
| 80 | + echo "Tree-SHA512 did not match for commit $1" > /dev/stderr |
| 81 | + HAVE_FAILED=true |
| 82 | + return 1 |
| 83 | + fi |
| 84 | + fi |
| 85 | + |
28 | 86 | local PARENTS
|
29 | 87 | PARENTS=$(git show -s --format=format:%P $1)
|
30 | 88 | for PARENT in $PARENTS; do
|
31 |
| - if IS_SIGNED $PARENT; then |
| 89 | + if IS_SIGNED $PARENT $VERIFY_TREE $NO_SHA1; then |
32 | 90 | return 0;
|
33 | 91 | fi
|
34 | 92 | break
|
|
50 | 108 | TEST_COMMIT="$1"
|
51 | 109 | fi
|
52 | 110 |
|
53 |
| -IS_SIGNED "$TEST_COMMIT" |
| 111 | +DO_CHECKOUT_TEST=0 |
| 112 | +if [ x"$2" = "x--tree-checks" ]; then |
| 113 | + DO_CHECKOUT_TEST=1 |
| 114 | + |
| 115 | +fi |
| 116 | + |
| 117 | +IS_SIGNED "$TEST_COMMIT" "$DO_CHECKOUT_TEST" 1 |
54 | 118 | RES=$?
|
55 | 119 | if [ "$RES" = 1 ]; then
|
56 | 120 | if ! "$HAVE_FAILED"; then
|
|
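Review bot: The filename loop at new line 66 runs after `IFS` has already been restored at new line 63, so any tracked path containing whitespace is split into several words, each `git cat-file blob $1:"$FILE"` fails, and the Tree-SHA512 comparison reports a mismatch for a commit the signer hashed correctly — it fails closed rather than opening a bypass, but it makes the check fragile. Keeping the newline-only `IFS` in force across both loops and restoring it after the second `done` (move `IFS="$IFS_CACHE"` from new line 63 to just after new line 70) fixes this without changing the hash input. On the same line, `LANG=C sort` does not guarantee byte-order collation when `LC_ALL` or `LC_COLLATE` is set in the caller's environment, which would reorder `FILE_HASHES` and again break the comparison against the signed value; `LC_ALL=C sort` is the reliable form. IS_SIGNED's body continues past the end of the first hunk.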