Simplify CI verification script, move to GitHub Actions
It only takes a few seconds to run, so let's verify everything, all the
time. The code is simpler now, we let exceptions bubble up instead of
catching them and re-printing the error message.

We also don't need to bundle the PGP keys in this repo, we can download
them from securedrop-builder at runtime (just like how we do it in
securedrop-apt-prod).
legoktm committed Aug 4, 2023
1 parent ecc7e53 commit 2ef3763
Showing 6 changed files with 69 additions and 212 deletions.
27 changes: 0 additions & 27 deletions .circleci/config.yml

This file was deleted.

25 changes: 25 additions & 0 deletions .github/workflows/ci.yml
@@ -0,0 +1,25 @@
name: CI
on: [push, pull_request]
defaults:
run:
shell: bash

jobs:
verify:
runs-on: ubuntu-latest
container: debian:bookworm
steps:
- name: Install dependencies
run: |
apt-get update && apt-get install --yes python3 rpm gpg git git-lfs wget
- name: Checkout
uses: actions/checkout@v3
with:
lfs: true
fetch-depth: 0
- name: Verify rpms are signed by release key
run: |
git config --global --add safe.directory '*'
wget https://github.com/freedomofpress/securedrop-debian-packaging/raw/main/securedrop-keyring/securedrop-keyring.gpg
gpg --import securedrop-keyring.gpg && gpg --armor --export > securedrop-keyring.asc
./tools/check-signed securedrop-keyring.asc
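Review bot: the trust root for this whole check is fetched unpinned in the `wget https://github.com/freedomofpress/securedrop-debian-packaging/raw/main/securedrop-keyring/securedrop-keyring.gpg` step, so whatever is on that repository's `main` branch at run time decides which rpm signatures pass; pin the URL to a commit SHA instead of `main`, or after `gpg --import` compare the imported key's fingerprint (`gpg --with-colons --fingerprint`) against a value committed in this repo and fail the job on mismatch. Relatedly, the commit message says the keys now come from securedrop-builder while the URL names securedrop-debian-packaging; a one-line comment in the workflow explaining that relationship would save the next reader from assuming a typo. The same pinning point, with less weight, applies to `uses: actions/checkout@v3`, and `gpg --armor --export` with no key ID exports every key in the runner's gpg keyring, which is only the one just imported inside this fresh container but is worth naming explicitly so the step stays correct if it is ever run elsewhere.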
43 changes: 0 additions & 43 deletions pubkeys/prod-legacy.key

This file was deleted.

53 changes: 0 additions & 53 deletions pubkeys/prod.key

This file was deleted.

89 changes: 0 additions & 89 deletions scripts/check.py

This file was deleted.

44 changes: 44 additions & 0 deletions tools/check-signed
@@ -0,0 +1,44 @@
#!/usr/bin/env python3
import argparse
import subprocess
import sys
from pathlib import Path


def verify_sig_rpm(path: Path):
output = subprocess.check_output(["rpm", "--checksig", path], text=True).strip()
# rpm --checksig returns 0 if there is *no* signature, so we have
# to parse stdout
print(output)
expected = "{}: digests signatures OK".format(path)
if output != expected:
print(f"Signature verification failed for {path}")
sys.exit(1)


def remove_keys_in_rpm_keyring():
# Returns non-zero if no keys are installed
result = subprocess.run(["rpm", "-q", "gpg-pubkey"], stdout=subprocess.PIPE)
if result.returncode == 0:
# If a key is in the keyring, delete it
subprocess.check_call(
["rpm", "--erase", "--allmatches", "gpg-pubkey"], stderr=subprocess.PIPE
)


def main():
parser = argparse.ArgumentParser(description="Verify all .rpm files are signed")
parser.add_argument("keyring", type=Path)
args = parser.parse_args()
if not args.keyring.exists():
raise RuntimeError(f"{args.keyring} doesn't exist!")
# Since we can't specify with which key to check sigs, clear the keyring
# and just import our signing key
remove_keys_in_rpm_keyring()
subprocess.check_call(["rpmkeys", "--import", str(args.keyring)])
for rpm in Path("workstation").glob("**/*.rpm"):
verify_sig_rpm(rpm)


if __name__ == "__main__":
main()
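Review bot: `main()` succeeds silently when `Path("workstation").glob("**/*.rpm")` yields nothing (directory missing, LFS objects not fetched, path renamed), so the job would go green having verified no packages at all; count the matches, `sys.exit(1)` or raise when the count is zero, and print the total verified so the log shows coverage. Two smaller points: `remove_keys_in_rpm_keyring()` erases every `gpg-pubkey` entry from the host's rpm database, which is fine in the throwaway container the workflow uses but destructive if someone runs `tools/check-signed` on a workstation with a populated rpm keyring, so state that in the argparse description or gate it behind an explicit flag; and `verify_sig_rpm` exits on the first bad file, whereas collecting all failures before exiting gives a more useful CI log when several packages are wrong. The exact-string comparison against `"{}: digests signatures OK"` is the right way to catch the unsigned case the comment describes, since a partial match on `OK` would not; a short note next to it saying the output format is being relied on deliberately would keep a future "simplification" from loosening it.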
