Verified Commit 38c96658 authored by Levente Polyak's avatar Levente Polyak 🚀
Browse files

ci: add basic job to check new key additions and removals

parent feab8a68
image: archlinux:latest
stages:
- lint
variables:
PACMAN_CACHE: "${CI_PROJECT_DIR}/.pacman/pkg"
cache:
paths:
- .pacman/pkg
key: ${CI_JOB_NAME}
check-new-key:
stage: lint
needs: []
script:
- install -d "${PACMAN_CACHE}"
- pacman -Syu --needed --noconfirm --cachedir "${PACMAN_CACHE}" git grep hopenpgp-tools sequoia-keyring-linter
- ./.gitlab/check-keyids-change
only:
refs:
- merge_requests
changes:
- master-keyids
- packager-keyids
#!/bin/bash
set -eo pipefail
if [[ -z "${CI_MERGE_REQUEST_DIFF_BASE_SHA}" ]]; then
echo "CI_MERGE_REQUEST_DIFF_BASE_SHA is not set"
exit 1
fi
GNUPGHOME="$(mktemp -d --tmpdir archlinux-keyring-XXXXXXXXX)"
export GNUPGHOME
trap 'rm -rf $GNUPGHOME' EXIT INT TERM QUIT
for NEW_KEY in $(git diff --color=never "${CI_MERGE_REQUEST_DIFF_BASE_SHA}" -- master-keyids packager-keyids | grep -oP '^\+(\K[A-Z0-9]{40})'); do
echo "Receive gpg key ${NEW_KEY} ..."
gpg --recv "${NEW_KEY}"
echo "Export gpg key ${NEW_KEY} ..."
gpg --export "${NEW_KEY}" > "${GNUPGHOME}/${NEW_KEY}"
echo "Lint gpg key ${NEW_KEY} via hokey..."
hokey lint < "${GNUPGHOME}/${NEW_KEY}"
echo "Lint gpg key ${NEW_KEY} via sq-keyring-linter..."
sq-keyring-linter "${GNUPGHOME}/${NEW_KEY}"
done
for REMOVED_KEY in $(git diff --color=never "${CI_MERGE_REQUEST_DIFF_BASE_SHA}" -- packager-keyids | grep -oP '^\-(\K[A-Z0-9]{40})'); do
echo "Check if removed packager key ${REMOVED_KEY} is added to revoked keys..."
git diff --color=never "${CI_MERGE_REQUEST_DIFF_BASE_SHA}" -- packager-revoked-keyids | grep -E "^\+${REMOVED_KEY}\s"
echo "Receive gpg key ${REMOVED_KEY} ..."
gpg --recv "${REMOVED_KEY}"
SHORT_KEYID="${REMOVED_KEY:24:16}"
echo "Check if key ${SHORT_KEYID} is still used by a package..."
if pacman -Sii | grep -m1 "${SHORT_KEYID}"; then
exit 1
fi
done
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment