Verified
Commit
38c96658
authored
Apr 29, 2021
by
Levente Polyak
🚀
ci: add basic job to check new key additions and removals
parent
feab8a68
Changes
2
.gitlab-ci.yml
0 → 100644
image
:
archlinux:latest
stages
:
-
lint
variables
:
PACMAN_CACHE
:
"
${CI_PROJECT_DIR}/.pacman/pkg"
cache
:
paths
:
-
.pacman/pkg
key
:
${CI_JOB_NAME}
check-new-key
:
stage
:
lint
needs
:
[]
script
:
-
install -d "${PACMAN_CACHE}"
-
pacman -Syu --needed --noconfirm --cachedir "${PACMAN_CACHE}" git grep hopenpgp-tools sequoia-keyring-linter
-
./.gitlab/check-keyids-change
only
:
refs
:
-
merge_requests
changes
:
-
master-keyids
-
packager-keyids
.gitlab/check-keyids-change
0 → 100755
#!/bin/bash
set
-eo
pipefail
if
[[
-z
"
${
CI_MERGE_REQUEST_DIFF_BASE_SHA
}
"
]]
;
then
echo
"CI_MERGE_REQUEST_DIFF_BASE_SHA is not set"
exit
1
fi
GNUPGHOME
=
"
$(
mktemp
-d
--tmpdir
archlinux-keyring-XXXXXXXXX
)
"
export
GNUPGHOME
trap
'rm -rf $GNUPGHOME'
EXIT INT TERM QUIT
for
NEW_KEY
in
$(
git diff
--color
=
never
"
${
CI_MERGE_REQUEST_DIFF_BASE_SHA
}
"
--
master-keyids packager-keyids |
grep
-oP
'^\+(\K[A-Z0-9]{40})'
)
;
do
echo
"Receive gpg key
${
NEW_KEY
}
..."
gpg
--recv
"
${
NEW_KEY
}
"
echo
"Export gpg key
${
NEW_KEY
}
..."
gpg
--export
"
${
NEW_KEY
}
"
>
"
${
GNUPGHOME
}
/
${
NEW_KEY
}
"
echo
"Lint gpg key
${
NEW_KEY
}
via hokey..."
hokey lint <
"
${
GNUPGHOME
}
/
${
NEW_KEY
}
"
echo
"Lint gpg key
${
NEW_KEY
}
via sq-keyring-linter..."
sq-keyring-linter
"
${
GNUPGHOME
}
/
${
NEW_KEY
}
"
done
for
REMOVED_KEY
in
$(
git diff
--color
=
never
"
${
CI_MERGE_REQUEST_DIFF_BASE_SHA
}
"
--
packager-keyids |
grep
-oP
'^\-(\K[A-Z0-9]{40})'
)
;
do
echo
"Check if removed packager key
${
REMOVED_KEY
}
is added to revoked keys..."
git diff
--color
=
never
"
${
CI_MERGE_REQUEST_DIFF_BASE_SHA
}
"
--
packager-revoked-keyids |
grep
-E
"^
\+
${
REMOVED_KEY
}
\s
"
echo
"Receive gpg key
${
REMOVED_KEY
}
..."
gpg
--recv
"
${
REMOVED_KEY
}
"
SHORT_KEYID
=
"
${
REMOVED_KEY
:24:16
}
"
echo
"Check if key
${
SHORT_KEYID
}
is still used by a package..."
if
pacman
-Sii
|
grep
-m1
"
${
SHORT_KEYID
}
"
;
then
exit
1
fi
done
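Review bot: The revoked-list check in the REMOVED_KEY loop requires a whitespace character after the fingerprint (`grep -E "^\+${REMOVED_KEY}\s"`), so an entry whose line ends right after the key ID would not match and the script would abort under `set -e` without saying why; `"^\+${REMOVED_KEY}(\s|$)"` accepts both layouts, assuming packager-revoked-keyids is one key per line. Both rejection paths (that grep failing, and the `pacman -Sii | grep -m1` hit) exit without a diagnostic; an `echo "... " >&2` before each `exit 1` would let the CI log state which check refused the change. The cleanup trap leaves the expansion unquoted; `trap 'rm -rf "${GNUPGHOME}"' EXIT INT TERM QUIT` is the safer form should TMPDIR ever contain spaces. Whether `gpg --recv` guarantees the imported key matches the requested fingerprint depends on the GnuPG version in the image, which the script does not pin or check.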