Simplify CI verification script, move to GitHub Actions

It only takes a few seconds to run, so let's verify everything, all the time. The code is simpler now, we let exceptions bubble up instead of catching them and re-printing the error message. We also don't need to bundle the PGP keys in this repo, we can download them from securedrop-builder at runtime (just like how we do it in securedrop-apt-prod).
freedomofpress · Aug 4, 2023 · 5645ba8 · 5645ba8
1 parent 2ebf104
commit 5645ba8
Show file tree

Hide file tree

Showing 6 changed files with 69 additions and 212 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,25 @@
+name: CI
+on: [push, pull_request]
+defaults:
+  run:
+    shell: bash
+
+jobs:
+    verify:
+        runs-on: ubuntu-latest
+        container: debian:bookworm
+        steps:
+            - name: Install dependencies
+              run: |
+                apt-get update && apt-get install --yes python3 rpm gpg git git-lfs wget
+            - name: Checkout
+              uses: actions/checkout@v3
+              with:
+                lfs: true
+                fetch-depth: 0
+            - name: Verify rpms are signed by release key
+              run: |
+                git config --global --add safe.directory '*'
+                wget https://github.com/freedomofpress/securedrop-debian-packaging/raw/main/securedrop-keyring/securedrop-keyring.gpg
+                gpg --import securedrop-keyring.gpg && gpg --armor --export > securedrop-keyring.asc
+                ./tools/check-signed securedrop-keyring.asc
diff --git a/pubkeys/prod-legacy.key b/pubkeys/prod-legacy.key
diff --git a/pubkeys/prod.key b/pubkeys/prod.key
diff --git a/scripts/check.py b/scripts/check.py
diff --git a/tools/check-signed b/tools/check-signed
@@ -0,0 +1,44 @@
+#!/usr/bin/env python3
+import argparse
+import subprocess
+import sys
+from pathlib import Path
+
+
+def verify_sig_rpm(path: Path):
+    output = subprocess.check_output(["rpm", "--checksig", path], text=True).strip()
+    # rpm --checksig returns 0 if there is *no* signature, so we have
+    # to parse stdout
+    print(output)
+    expected = "{}: digests signatures OK".format(path)
+    if output != expected:
+        print(f"Signature verification failed for {path}")
+        sys.exit(1)
+
+
+def remove_keys_in_rpm_keyring():
+    # Returns non-zero if no keys are installed
+    result = subprocess.run(["rpm", "-q", "gpg-pubkey"], stdout=subprocess.PIPE)
+    if result.returncode == 0:
+        # If a key is in the keyring, delete it
+        subprocess.check_call(
+            ["rpm", "--erase", "--allmatches", "gpg-pubkey"], stderr=subprocess.PIPE
+        )
+
+
+def main():
+    parser = argparse.ArgumentParser(description="Verify all .rpm files are signed")
+    parser.add_argument("keyring", type=Path)
+    args = parser.parse_args()
+    if not args.keyring.exists():
+        raise RuntimeError(f"{args.keyring} doesn't exist!")
+    # Since we can't specify with which key to check sigs, clear the keyring
+    # and just import our signing key
+    remove_keys_in_rpm_keyring()
+    subprocess.check_call(["rpmkeys", "--import", str(args.keyring)])
+    for rpm in Path("workstation").glob("**/*.rpm"):
+        verify_sig_rpm(rpm)
+
+
+if __name__ == "__main__":
+    main()