feature: default to checking all commits

Signed-off-by: Phil Davis <phil@jankaritech.com>

.gitea/workflows/validate.yaml

@@ -0,0 +1,32 @@
+name: Validate Trusted Timestamps Actions Demo
+run-name: ${{ gitea.actor }} is validating the trusted timestamps of all commits 🚀
+on: [push]
+
+variables:
+  EXPECTED_TRUSTANCHORS_HASH: "70a1c7e2fc62a0b62e44063f0e730b20b0f209d15c84b310ad06ce616c352829"
+
+jobs:
+  Validate:
+    runs-on: ubuntu-latest
+    timeout-minutes: 2
+    steps:
+      - name: Install extra software
+        run: |
+          apt-get update
+          apt-get install -y xxd
+      - name: Check out repository code
+        uses: actions/checkout@v4
+        with:
+           fetch-depth: 0
+      - name: Setup timestamping authorities
+        run: |
+          git config --local timestamping.tsa0.url https://freetsa.org/tsr
+          bash -c 'yes | ./hooks/trust.sh https://freetsa.org/tsr'
+          git config --local timestamping.tsa1.url https://tsa.cesnet.cz:3162/tsa
+          bash -c 'yes | ./hooks/trust.sh https://tsa.cesnet.cz:3162/tsa'
+      - name: Check hashes of all trustanchors
+        run: |
+          ./hooks/validate_trustanchors_hash.sh .git/hoqoks/trustanchors ${{ EXPECTED_TRUSTANCHORS_HASH }}
+      - name: Validate timestamps of all commits
+        run: |
+          ./hooks/validate.sh --minversion 0

.timestampltv/crls/E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3.crl

@@ -2,17 +2,17 @@
 MIIC5jCCAc4CAQEwDQYJKoZIhvcNAQELBQAwcjELMAkGA1UEBhMCVVMxFTATBgNV
 BAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTExMC8G
 A1UEAxMoRGlnaUNlcnQgU0hBMiBBc3N1cmVkIElEIFRpbWVzdGFtcGluZyBDQRcN
-MjUwMTI0MDUxNDI4WhcNMjUwMTMxMDUxNDI4WjCB9TAhAhAL2v0LKRQzmpYSZqw1
+MjUwMjEyMDUyMjQ1WhcNMjUwMjE5MDUyMjQ1WjCB9TAhAhAL2v0LKRQzmpYSZqw1
 OkdEFw0xNjEwMjQxNzQyNDlaMCECEAH40oMtKRkZcbNQw9u8pQAXDTE2MTExMTE1
 MjEzNFowIQIQClKwbEb16yWgi9U/3Ht4hhcNMTgwOTAzMTIxMTQyWjAhAhAFlx7K
 SlmJinvPTLfjd5doFw0xOTA5MzAwODE2MjRaMCECEAxFkEkmQLBOlEh/jEwCeJAX
 DTIxMDIwOTIyMzk0MlowIQIQBMvnUVSd49EL7YN0yV7iRBcNMjEwMjA5MjMyMzM3
 WjAhAhALmUrhw5aLANVesgZ0jpseFw0yMTAyMDkyMzI0MjNaoDAwLjAfBgNVHSME
-GDAWgBT0tuEgHf4prtLkYaWyoiWyyBc1bjALBgNVHRQEBAICDNwwDQYJKoZIhvcN
+GDAWgBT0tuEgHf4prtLkYaWyoiWyyBc1bjALBgNVHRQEBAICDO8wDQYJKoZIhvcN
-AQELBQADggEBAGuGW4lrI1pz4IwilL1u3rFRWD43/2Cu0+Pc1+tRx+QqB42aB0Jl
+AQELBQADggEBALr4VopJYkMfQ97HiyqytcWRY/vgyU/LxOwlH0/1DBSeeObQB0Nj
-esdIRc7t7bZ+5wmJyl5DTToQ3Vm7v34dXlblmmlJ2IM+1BKNEO4jMg82i4CFHtaE
+uF7vcF2bhbpnxba7gvzOPryudwtbqquf2cl3CJG6MC2D8Nk1XzntDnpxCjVSfsAr
-1e2lTfCOKR7YiTmUv/E44jAeQNJbt3k/6gnpDTGafJTIybYNh3uVDtC8Iiun4DKH
+158zAWPevyiuj3yzFz04mYALt/ZmOJMTF0vyKN8cg5bwfLu3itV6b6vhpuloIhRc
-x1qe0qzuixF2TDdTRgPP293nShxNJP5G9G5JaOGSreVOItwEhI+GP6rrPffcanfJ
+Hmsbgr3BtCVHkf4vJWq/qKDEMcOhSrJ6wxGCzVyphenewSIbVcogj19cRZDFPWOC
-v7ghEutuJCE2BGZkqL5iEGgAbMYhFitCu58rfwCHF78uz8T/kxbe5Ax2Zu1IV3is
+3sAy/GY3Rz0qK30tDvNbE1uum8gy5ijXFmepJ/lEetRCvrIsxTsXJOj0tqVZfIIQ
-kuc5vOHsT/GFYnMC4PZn9J9eYKLE6mzr0SY=
+E1YWUZ57TiBBrdS+dTgmRxkN/zaAfYVAIck=
 -----END X509 CRL-----

hooks/timestamping

@@ -553,7 +553,7 @@ download_crls_for_chain() {
       local URL=$(openssl x509 -inform PEM -in $EXTRACTED_CERT -text -noout \
                   | awk '/CRL Distribution Points:/{f=1} f && /URI:/ {print; exit}' \
                   | sed 's/^.*URI://1')
-      if curl "$URL" --output "$CRL_TMP" &> "$OUT_STREAM"; then
+      if curl -L "$URL" --output "$CRL_TMP" &> "$OUT_STREAM"; then
         if openssl crl -in "$CRL_TMP" -inform DER -noout &> "$OUT_STREAM"; then
           openssl crl -in "$CRL_TMP" -inform DER >> "$OUTPUT_FILE"
         elif openssl crl -in "$CRL_TMP" -inform PEM -noout &> "$OUT_STREAM"; then

hooks/validate.sh

@@ -42,6 +42,8 @@ if [[ ! -d "$DIR" ]]; then DIR="$PWD"; fi
 . "$DIR/timestamping"
 
 declare -i MINVERSION=$TIMESTAMPING_VERSION
+declare -i MAX_COMMITS_TO_CHECK=0
+declare -A PROCESSED_COMMIT
 
 while [[ $# -gt 0 ]]; do
   KEY="$1"
@@ -61,6 +63,16 @@ while [[ $# -gt 0 ]]; do
       shift # past argument
       shift # past value
       ;;
+    -max|--maxcommits)
+      INTEGER_REGEX='^[0-9]+$'
+      if ! [[ "$2" =~ $INTEGER_REGEX ]]; then
+        echo_error "$KEY: expected positive integer"
+        exit 1
+      fi
+      MAX_COMMITS_TO_CHECK="$2"
+      shift # past argument
+      shift # past value
+      ;;
     -v|--verbose)
       OUT_STREAM=/dev/stdout
       shift # past argument
@@ -89,6 +101,10 @@ fi
 # tokens, the function will return 0 but echo a warning about the invalid token.
 validate_commit() {
   local COMMIT_HASH="$1"
+  if [[ ${PROCESSED_COMMIT[$COMMIT_HASH]} ]]; then
+    log "validate_commit for $COMMIT_HASH has already been validated"
+    return 0
+  fi
   log "validate_commit for $COMMIT_HASH"
 
   local TIMESTAMP_COMMIT_VERSION
@@ -275,6 +291,8 @@ validate_commit() {
   #assert that all extracted timestamps have been processed
   assert "[ $NUM_PROCESSED -eq $NUM_EXTRACTED ]" "All extracted token must be processed."
 
+  PROCESSED_COMMIT[$COMMIT_HASH]=1
+
   if [ $NUM_VALID -gt 0 ]; then
     if [ $NUM_INVALID -gt 0 ]; then
       echo_warning "Warning: While commit $COMMIT_HASH contains $NUM_VALID valid timestamp tokens and thus is considered proppely timestamped, it also contains $NUM_INVALID invalid timestamp tokens."
@@ -300,14 +318,19 @@ validate_commit_and_parents() {
   if ! validate_commit "$COMMIT_HASH"; then
     ALL_PASSED=false
   fi
-  local PARENTS=$(git cat-file -p "$COMMIT_HASH" | awk '/^$/{exit} /parent/ {print}' | sed 's/parent //')
+  # If MAX_COMMITS_TO_CHECK is zero (or a negative number) then that is understood as "infinity".
-  #iterate over all parents of commit
+  # So perform the next commit check if we have not reached the limit, or if the limit is "infinity".
-  if [ ! -z "$PARENTS" ]; then
+  NUM_COMMITS_CHECKED=${#PROCESSED_COMMIT[@]}
-    while read PARENT_HASH; do
+  if [[ ${NUM_COMMITS_CHECKED} -lt ${MAX_COMMITS_TO_CHECK} ]] || [[ ${MAX_COMMITS_TO_CHECK} -lt 1 ]]; then
-      if ! validate_commit_and_parents "$PARENT_HASH"; then
+    local PARENTS=$(git cat-file -p "$COMMIT_HASH" | awk '/^$/{exit} /parent/ {print}' | sed 's/parent //')
-        ALL_PASSED=false
+    #iterate over all parents of commit
-      fi
+    if [ ! -z "$PARENTS" ]; then
-    done <<< $(printf "%s" "$PARENTS")
+      while read PARENT_HASH; do
+        if ! validate_commit_and_parents "$PARENT_HASH"; then
+          ALL_PASSED=false
+        fi
+      done <<< $(printf "%s" "$PARENTS")
+    fi
   fi
   if [ "$ALL_PASSED" = true ]; then
     return 0

hooks/validate_trustanchors_hash.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+#    Copyright (c) 2024 JankariTech UG
+#    Authors: Artur Neumann
+#    Script to check if the trustanchors have been changed
+
+TRUSTANCHOR_DIR="$1"
+EXPECTED_COMMIT_HASH="$2"
+
+if [[ $# -ne 2 ]]; then
+    echo "Usage: $0 <trustanchor_dir> <expected_commit_hash>"
+    exit 1
+fi
+
+if [ -z "$EXPECTED_COMMIT_HASH" ]; then
+    echo "No expected hash provided"
+    exit 1
+fi
+
+# get the sha256 hash of all files in the trustanchor directory
+ACTUAL_COMMIT_HASH=$(find "$TRUSTANCHOR_DIR" -type f -exec sha256sum {} \; | sort | sha256sum | cut -d ' ' -f 1)
+
+if [ "$EXPECTED_COMMIT_HASH" != "$ACTUAL_COMMIT_HASH" ]; then
+    echo "The trustanchors have been changed, please review the provided hash"
+    exit 1
+fi