feature: default to checking all commits

Signed-off-by: Phil Davis <phil@jankaritech.com>

.gitea/workflows/validate.yaml

@@ -0,0 +1,32 @@
+name: Validate Trusted Timestamps Actions Demo
+run-name: ${{ gitea.actor }} is validating the trusted timestamps of all commits 🚀
+on: [push]
+
+variables:
+  EXPECTED_TRUSTANCHORS_HASH: "70a1c7e2fc62a0b62e44063f0e730b20b0f209d15c84b310ad06ce616c352829"
+
+jobs:
+  Validate:
+    runs-on: ubuntu-latest
+    timeout-minutes: 2
+    steps:
+      - name: Install extra software
+        run: |
+          apt-get update
+          apt-get install -y xxd
+      - name: Check out repository code
+        uses: actions/checkout@v4
+        with:
+           fetch-depth: 0
+      - name: Setup timestamping authorities
+        run: |
+          git config --local timestamping.tsa0.url https://freetsa.org/tsr
+          bash -c 'yes | ./hooks/trust.sh https://freetsa.org/tsr'
+          git config --local timestamping.tsa1.url https://tsa.cesnet.cz:3162/tsa
+          bash -c 'yes | ./hooks/trust.sh https://tsa.cesnet.cz:3162/tsa'
+      - name: Check hashes of all trustanchors
+        run: |
+          ./hooks/validate_trustanchors_hash.sh .git/hoqoks/trustanchors ${{ EXPECTED_TRUSTANCHORS_HASH }}
+      - name: Validate timestamps of all commits
+        run: |
+          ./hooks/validate.sh --minversion 0

.timestampltv/certs/5024EC0B994B2230F00A0F90A60D1D281D1B3FBE.cer

@@ -0,0 +1,89 @@
+subject=DC = cz, DC = cesnet-ca, O = CESNET, CN = tsa.cesnet.cz
+
+issuer=DC = cz, DC = cesnet-ca, O = CESNET CA, CN = Personal Signing 2
+
+-----BEGIN CERTIFICATE-----
+MIIEDjCCAvagAwIBAgIIaveGaDrA13AwDQYJKoZIhvcNAQELBQAwYDESMBAGCgmS
+JomT8ixkARkWAmN6MRkwFwYKCZImiZPyLGQBGRYJY2VzbmV0LWNhMRIwEAYDVQQK
+DAlDRVNORVQgQ0ExGzAZBgNVBAMMElBlcnNvbmFsIFNpZ25pbmcgMjAeFw0yNDA4
+MDcwOTQ3MDRaFw0yNzA4MDcwOTQ3MDRaMFgxEjAQBgoJkiaJk/IsZAEZFgJjejEZ
+MBcGCgmSJomT8ixkARkWCWNlc25ldC1jYTEPMA0GA1UECgwGQ0VTTkVUMRYwFAYD
+VQQDDA10c2EuY2VzbmV0LmN6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAvWLHcBAB3TKzSyP/EpZucr0fet3wqwYYcH8XRCPZNh1+yj858l5UvSp7QHje
+LU8Twnx8/xrVZMteojL1RNaLUDm0TJD7tIkCkwILxY8qxQX8yYgFCQM9wgWzWiMN
+NR9/+W/3pr8HMPwjVlAXvHSi2QIZbIcrVudKqVpkl9hBKWyEU/661M+MjPLuU4BF
+ZCkU7nauf2B8QUSh8K0nKGkHPgZDeD8SNEVpvRcFow187AJz0BSvyOklX15Pr+rI
+7SXxUmVZ03yVBduorqCXwrhbQWxqdc2K1tQ06do8VTIjxUAwe3HyISl98ZFnrT1B
+/g4n+R8uV4QFxgNAPxjiD88BewIDAQABo4HTMIHQMAwGA1UdEwEB/wQCMAAwHwYD
+VR0jBBgwFoAUwR67pD8OE9+Bm75MYrLZur7VtrswKQYDVR0RBCIwIIIOdHNhMS5j
+ZXNuZXQuY3qCDnRzYTIuY2VzbmV0LmN6MBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMI
+MD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6Ly9jcmwuY2VzbmV0LWNhLmN6L1BlcnNv
+bmFsU2lnbmluZzIuY3JsMB0GA1UdDgQWBBRkK2hn4tgnpvS/JMiNhCqdneTm1zAN
+BgkqhkiG9w0BAQsFAAOCAQEAYnzrqDcaln6O6uALwwMlgUHIp3u6crLITzKFbPPi
+OKfzlmzsPNfU5kyi1vHS/ajReTNeJet02KGygIH4LB7pVwZKxx7xhQD6AK971Z6d
+rwDVoEYE2SB7PMcWgh+/mV90qJqgBUrVLFVExe91BkQONbNF81tzQXknovr2yWe5
+fYzYE6oJDGImoUmtN2lJRLZdS4TQbmfdSZDClwmraw2i4TAN6aCHrdST81GaIzwP
+bFAKMkgUOD8ynwJTbk8lk9hnO/uf3BFkmPClAmOlRHYRPmsWe2M2eQpBrYNoH0vw
+8SCFNE+MLMTzM1/dRjq9fnKb1pejxj3xqPF6WAojgAYnpw==
+-----END CERTIFICATE-----
+
+subject=DC = cz, DC = cesnet-ca, O = CESNET CA, CN = Personal Signing 2
+
+issuer=DC = cz, DC = cesnet-ca, O = CESNET CA, CN = CESNET CA Root
+
+-----BEGIN CERTIFICATE-----
+MIIETTCCAzWgAwIBAgIHAPTqVoKaNDANBgkqhkiG9w0BAQsFADBcMRIwEAYKCZIm
+iZPyLGQBGRYCY3oxGTAXBgoJkiaJk/IsZAEZFgljZXNuZXQtY2ExEjAQBgNVBAoT
+CUNFU05FVCBDQTEXMBUGA1UEAxMOQ0VTTkVUIENBIFJvb3QwHhcNMTgwNDE4MDky
+MDQ4WhcNMjgwNDIwMDkyMDQ4WjBgMRIwEAYKCZImiZPyLGQBGRYCY3oxGTAXBgoJ
+kiaJk/IsZAEZFgljZXNuZXQtY2ExEjAQBgNVBAoMCUNFU05FVCBDQTEbMBkGA1UE
+AwwSUGVyc29uYWwgU2lnbmluZyAyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEApKhbabfUBLMtC10PXFQe+hJI4wpJFNkYt3HRud0rZKmRqlcpPJvc4PLr
+9kEjXS+CP6Ut0UUkDvl686Mi7PsdxYFgDCfj0P694UA2SsGvBShL0vlZVkH19YFJ
+tyY1imP3B94r57+umqKEEr9qxu9nwToS8AB6Ead4zBPMSnHZvyFPuD9Lsc/WhcUb
+HnUvZN9jrrV4D6AjyvaBFPPcDVLjgiGoEE50PVMHPT5ZHpwTBTpBgL3zjE5fmxI4
+HU7aD0orO0pg0kmZrQa98bnnVb7Wp9HhYHc9tPhLMhi9UdTBb9zwQCaezJ0gnS5K
+iEAT5ZCYRUYlg82R07Z8k8UnHjczYQIDAQABo4IBDjCCAQowDwYDVR0TAQH/BAUw
+AwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFMEeu6Q/DhPfgZu+TGKy2bq+1ba7
+MB8GA1UdIwQYMBaAFJ5BMOPD1U6Mg46jPMl/o20TXYQlMG0GCCsGAQUFBwEBBGEw
+XzAlBggrBgEFBQcwAYYZaHR0cDovL29jc3AuY2VzbmV0LWNhLmN6LzA2BggrBgEF
+BQcwAoYqaHR0cDovL2NydC5jZXNuZXQtY2EuY3ovQ0VTTkVUX0NBX1Jvb3QuY3J0
+MDsGA1UdHwQ0MDIwMKAuoCyGKmh0dHA6Ly9jcmwuY2VzbmV0LWNhLmN6L0NFU05F
+VF9DQV9Sb290LmNybDANBgkqhkiG9w0BAQsFAAOCAQEApoIA2/rStoUKnWC+qz3P
+AZLtDiyuUqs4i4Lb18loxE67QdP9nDZEzwHrB9Cr4oxN9cTutdUiwDIBQKuLx3tH
+r7TyuwcIYhHlW0+Ih+yUeyXEJlvSfR29M7SXY2axw4TWv4qOT2LKlFGxFqZx4OwN
+aVMUDSFVr3E5J4doIB2u/pLd+LH1QdsUXF1VhIa+Is/HMhC2JvmdnFqOCypdQrSA
+Ski6L8GRONF4SwzXg/glOQaw0QR69CjrYcogne1d/3Mxwr45MVkPwMJXscPKiRam
+SSTj7AJpyic0xbFBwGu+T7BP0NujkY/CW96UoELgcPsKoTAg7j6BhrWsjrfEaqtu
+7Q==
+-----END CERTIFICATE-----
+
+subject=DC = cz, DC = cesnet-ca, O = CESNET CA, CN = CESNET CA Root
+
+issuer=DC = cz, DC = cesnet-ca, O = CESNET CA, CN = CESNET CA Root
+
+-----BEGIN CERTIFICATE-----
+MIIEDTCCAvWgAwIBAgIJAIf3+gBzaRRPMA0GCSqGSIb3DQEBBQUAMFwxEjAQBgoJ
+kiaJk/IsZAEZFgJjejEZMBcGCgmSJomT8ixkARkWCWNlc25ldC1jYTESMBAGA1UE
+ChMJQ0VTTkVUIENBMRcwFQYDVQQDEw5DRVNORVQgQ0EgUm9vdDAeFw0wOTAyMjQx
+MzE2MDJaFw0yOTAyMjQxMzE2MDJaMFwxEjAQBgoJkiaJk/IsZAEZFgJjejEZMBcG
+CgmSJomT8ixkARkWCWNlc25ldC1jYTESMBAGA1UEChMJQ0VTTkVUIENBMRcwFQYD
+VQQDEw5DRVNORVQgQ0EgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAPeL9R8QFCBHw/PlWt2wBnx0cCSiNAhlI7HInrzGmtHK/9MJQJpmcoToq91R
+Y+hdo7sVddNqbz3F+oeiKavz3wpdCZJtaPI8Sv44OlCtnxeuw0LkSAAfG3maue7X
+I4jFqCU7/NxcoursXHDMCRLqeKHkast0b4i7d1KOdoc6hMNVaVc1UY/wyimM+Pbh
+XRW4+iwnmJXlIqCumWaVKF0b1F0WK2LV5TRonsoFNPdVHBU795ObAXRsXWfiKwNK
+CX85l3AO37UN1wbQ7UvCzE88jYOanRxL1AKezCa1ca8AohqbqoVVtrRPUTMrlXG3
+JOBfRaG0+LPXxHwQ9zCjvV/9kFcCAwEAAaOB0TCBzjAdBgNVHQ4EFgQUnkEw48PV
+ToyDjqM8yX+jbRNdhCUwgY4GA1UdIwSBhjCBg4AUnkEw48PVToyDjqM8yX+jbRNd
+hCWhYKReMFwxEjAQBgoJkiaJk/IsZAEZFgJjejEZMBcGCgmSJomT8ixkARkWCWNl
+c25ldC1jYTESMBAGA1UEChMJQ0VTTkVUIENBMRcwFQYDVQQDEw5DRVNORVQgQ0Eg
+Um9vdIIJAIf3+gBzaRRPMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMA0G
+CSqGSIb3DQEBBQUAA4IBAQB+vy9hAwzjgjYTnTwfxK03Ze/07GnmulUxUIPOagHJ
+vGQojnjN3BGnMoXNhQrhhCy1BfKt88sweN/ELkeOsgthbQ24lX7YdgPEPSwY2iIB
+E0NWxG87+z5hmfo+M69Q9WS8b5aSd4v5pSzT4+s6UW2lsddbdpnI4OwEEVdmj4e1
+w0trIAfPsFSKx5jMvC0KzoO04fSAjxTj2bn4orRVWlVGUYmQm/Gq0w//f84zox/g
+/XjE+kQ+eFOpNeeJC2Tpl04BByskoOw4LybIZ6iSdrUjoLgrK3R1geXo86Sx8QWE
+VVWM2+1UCVV3AMhYwQUbgasrEPkZ79od6exSUb+ZTpWc
+-----END CERTIFICATE-----
+

.timestampltv/crls/916DA3D860ECCA82E34BC59D1793E7E968875F14.crl

@@ -2,17 +2,17 @@
 MIIC8DCB2QIBATANBgkqhkiG9w0BAQ0FADCBlTERMA8GA1UEChMIRnJlZSBUU0Ex
 EDAOBgNVBAsTB1Jvb3QgQ0ExGDAWBgNVBAMTD3d3dy5mcmVldHNhLm9yZzEiMCAG
 CSqGSIb3DQEJARYTYnVzaWxlemFzQGdtYWlsLmNvbTESMBAGA1UEBxMJV3Vlcnpi
-dXJnMQ8wDQYDVQQIEwZCYXllcm4xCzAJBgNVBAYTAkRFFw0yMDAzMjIyMDE4NDVa
-Fw0yMTAzMjIyMDE4NDVaoA8wDTALBgNVHRQEBAICEAAwDQYJKoZIhvcNAQENBQAD
-ggIBAHeOBgUbAkWJHJttPeW3ldH+im6LtMjCl+UnV55q9PbiWmAljmAWKP4KVy0p
-SFULBybfUCZG+5yfyfst2zr9nrw45NSGR/BhMHsS/DrLl5BRcnPy6BpNy+1oQdUN
-H+fPDeHt61wWb27wdbDbpVh7BkxijCLwIlRlbg6Lhom5wVXyGUucWEcppJVaNcic
-lAJ+GgugQuCb1MWIlnMTGz9paOmcQ/cr/s3EqgqIaynaF1jgUpBDVX0NCOcYRuxk
-T+kcyUzuE8i3dPzBNDxyBbCBRVdn5HZ0HJO9rH2MzMkRAwSuXK0A0VShPV4x1+Lg
-74Feov5kMmSxnFMoOGxMOw/QibANSot92snqO27C3xdO/GUV3kVXe4lHo1boCViA
-mTHz50li7oVbSEVnWn7THMWJ3KeYH28fQlvx48G8QPtnG0YHF6oIo/D+aCBKoFDB
-FQegEwlVYvQHQTlbsX2uCwb5+zo8qLOtaoxBmPMKAXGr26Y81qg1O3ucMERKN4Ai
-9ULWQZWF2k+Lfmct+E0EoffAaZYgipxGiUWhSeuOeOdhx31qRNOQ+s8QsTfUxWJs
-XXhSKDqCMbqudPFOX2uezWOM5HiG5MQhib9K8pmPPdQ28/P4KizI2ChgF27XpQOJ
-PUlemsxYjgXWhja5IU4VOGHljMFX1sHIAb6+XAlE3qwTEWcw
+dXJnMQ8wDQYDVQQIEwZCYXllcm4xCzAJBgNVBAYTAkRFFw0yNDA5MTUxMjAwMzJa
+Fw0yNTA5MTUxMjAwMzJaoA8wDTALBgNVHRQEBAICEAAwDQYJKoZIhvcNAQENBQAD
+ggIBABv+d9oHtExwVq7wmfp6tKABBBvvIm1OHMpQM3Qv3rmv4GOSpeeHAiTC4JL5
+M7c4qbq50Au3DteW/NimzK9yZ0xqpW7V3ivQbfRnt4zRk8md0r2aBDDQTd6ECRK/
+wWkzu9je8snbO2ULC+T5tGto/E+bj2LJJ394+4tNCPlrAjFoYshfKXTv6smTVlrH
+YQ2iCDfxwiEant0wEETAndia1gaTIYl8LJv2caO9kRrc+xiw965JoDvKmPhn9LaH
+04IQrtpe7Wjd1RkAm2M3FTJpuvTEN1F7WwHora6xFkmbGQRfU5LsKAvT0IIw7B3j
+ljA/cj16usIpf3rRPiw/IWFam3PDU8PgFS+XUCTqjYqHrkReDNfFJ+LhFNBTtF+t
+B3eoU+s+3+DRjNcH9rMC1KcgUr6XeCK3vjFIRQl2aIkjcTgXe07gRJZcf9WNfsCq
+R5+fjeIrSyMQpoXaowytFP8yEBDQZENG1hU6qERAp3wHRTOYtrQTYAyxdDS5iq8z
+ZexnQW4+OcvwdWbYUAcWs3EUQCVVvWnnlRfg2yKmUO55+ctTmpAHRVrVLNUYWKA3
+Oboa+rttZwHGq/tJoBhzSWLiJFsXyX0PAhKFWSCj4xQpl32PnCvHXfGTc9z5huki
+jJpsDAOse7NS2B9x2ZGbBrla3Y8TjjcQ59l2mioo3suMJveZ
 -----END X509 CRL-----

.timestampltv/crls/E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3.crl

@@ -1,41 +1,18 @@
 -----BEGIN X509 CRL-----
-MIIDuTCCAqECAQEwDQYJKoZIhvcNAQELBQAwcjELMAkGA1UEBhMCVVMxFTATBgNV
+MIIC5jCCAc4CAQEwDQYJKoZIhvcNAQELBQAwcjELMAkGA1UEBhMCVVMxFTATBgNV
 BAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTExMC8G
 A1UEAxMoRGlnaUNlcnQgU0hBMiBBc3N1cmVkIElEIFRpbWVzdGFtcGluZyBDQRcN
-MjEwMzE3MjAzMzIxWhcNMjEwMzI0MjAzMzIxWjCCAccwIQIQC9r9CykUM5qWEmas
-NTpHRBcNMTYxMDI0MTc0MjQ5WjAhAhAB+NKDLSkZGXGzUMPbvKUAFw0xNjExMTEx
-NTIxMzRaMCECEApSsGxG9esloIvVP9x7eIYXDTE4MDkwMzEyMTE0MlowIQIQDXcX
-eXMvGcnSq56UflPayRcNMTkwNTEyMTAzMTMzWjAhAhAMxgIr56pDbDTITESzk3/L
-Fw0xOTA5MjgxODAzNTJaMCECEArvSHyTAbnRz50UjFffg7AXDTE5MDkyODE4MTE1
-NlowIQIQB+Vhknlt9fe4f+PFrqat9RcNMTkwOTI5MDcxNTEwWjAhAhAFlx7KSlmJ
-invPTLfjd5doFw0xOTA5MzAwODE2MjRaMCECEAsbx6LoTjfZ86od8xhAl40XDTE5
-MTAwNDA5MDMxM1owIQIQCkJscPi965iIOgI2+1ocBBcNMjAwMjIxMDMxMDE4WjAh
-AhAMRZBJJkCwTpRIf4xMAniQFw0yMTAyMDkyMjM5NDJaMCECEATL51FUnePRC+2D
-dMle4kQXDTIxMDIwOTIzMjMzN1owIQIQC5lK4cOWiwDVXrIGdI6bHhcNMjEwMjA5
-MjMyNDIzWqAwMC4wHwYDVR0jBBgwFoAU9LbhIB3+Ka7S5GGlsqIlssgXNW4wCwYD
-VR0UBAQCAgdjMA0GCSqGSIb3DQEBCwUAA4IBAQAP6Xpm/8VXcbmveUvvIGcTRDIH
-cr+GO94ZLbcfLAWqD2T6b6Jr8uvPzo59+zGhjhhLETscrA/EEyZANSdxv9LxjYg1
-DKBj4urWLjkesHuXCm8a4OP0nhW2xULFDnSExhAr1t62lX+ycuV7fi+oY8U4hYdG
-MMO/+cYHs8hrchYzRcvn2jBewcnehhCX/GJ5OC2JXu9z1Om0efSfXb9oWlBkD1eh
-hodUk96PgpkesATc7uoPC+XsyNrdz+wat+A97Y9aVs6WTTcONCPDlu7PP0or6sAw
-Iuu3ziSzpeuS73bayTIMRSduvuhN4IRI86bXH/WJ13Dn+kKWoJEv96DEe3iY
------END X509 CRL-----
------BEGIN X509 CRL-----
-MIIDCzCCAfMCAQEwDQYJKoZIhvcNAQELBQAwZTELMAkGA1UEBhMCVVMxFTATBgNV
-BAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEkMCIG
-A1UEAxMbRGlnaUNlcnQgQXNzdXJlZCBJRCBSb290IENBFw0yMTAzMTIwMTI5NDZa
-Fw0yMTA0MDIwMTI5NDZaMIIBJjAvAhAMNtfIbq1n4/f4HXVg8i1TFw0xODEwMDkx
-NTAwMTdaMAwwCgYDVR0VBAMKAQUwLwIQBoL7H4F3dqV5kSw+2RDv8RcNMjAwODEy
-MTIzMzA5WjAMMAoGA1UdFQQDCgEFMC8CEApBOhYATfpyJADTJoDkJIkXDTE4MTAy
-NTE2MTAzMlowDDAKBgNVHRUEAwoBBTAvAhACPHv+1hmOkW3l0EHImj0lFw0xODEw
-MjUxNjA5MzNaMAwwCgYDVR0VBAMKAQUwLwIQBkoduoMprQURTuDY6pi+fBcNMjAw
-NzIxMjAwMDAwWjAMMAoGA1UdFQQDCgEFMC8CEAER6Rdjkvpnl9JRx+xhVCoXDTIw
-MTIyODE1MzY0MlowDDAKBgNVHRUEAwoBBaAwMC4wHwYDVR0jBBgwFoAUReuir/SS
-y4IxLVGLp6chnfNtyA8wCwYDVR0UBAQCAgI1MA0GCSqGSIb3DQEBCwUAA4IBAQAN
-yaEdhOnCRSHwu/3HZcM0wB1VfOI4sv6vPS0KQ3AJYn3sO08c+l1qwK5aH2eV65aH
-U6bHGTthnbF/tTtMbi291vK98QdPgh+WFEKTo/HBGlrhxnE1Noh8flLoimx1K6Io
-CuxayaUh7LC0RcgYwmVi7MnKQKpE2SHYqPTDkMokz+nQh1sibtTBHrS6fduKCItH
-FZ8MbiabMuBH+vLNt76SDoRvxfKgawSKeYBEf+oYQrK/d3bI7njYfda/cKjHYJez
-yXDurvnFOBBKrmpxUaf9LcbGKCjTCg5Fn9Bk02+mdJ4pOH8D1PNqaTmO5/B3AsuI
-dw+Syb5bUgz8QGTqL+7W
+MjUwMjEyMDUyMjQ1WhcNMjUwMjE5MDUyMjQ1WjCB9TAhAhAL2v0LKRQzmpYSZqw1
+OkdEFw0xNjEwMjQxNzQyNDlaMCECEAH40oMtKRkZcbNQw9u8pQAXDTE2MTExMTE1
+MjEzNFowIQIQClKwbEb16yWgi9U/3Ht4hhcNMTgwOTAzMTIxMTQyWjAhAhAFlx7K
+SlmJinvPTLfjd5doFw0xOTA5MzAwODE2MjRaMCECEAxFkEkmQLBOlEh/jEwCeJAX
+DTIxMDIwOTIyMzk0MlowIQIQBMvnUVSd49EL7YN0yV7iRBcNMjEwMjA5MjMyMzM3
+WjAhAhALmUrhw5aLANVesgZ0jpseFw0yMTAyMDkyMzI0MjNaoDAwLjAfBgNVHSME
+GDAWgBT0tuEgHf4prtLkYaWyoiWyyBc1bjALBgNVHRQEBAICDO8wDQYJKoZIhvcN
+AQELBQADggEBALr4VopJYkMfQ97HiyqytcWRY/vgyU/LxOwlH0/1DBSeeObQB0Nj
+uF7vcF2bhbpnxba7gvzOPryudwtbqquf2cl3CJG6MC2D8Nk1XzntDnpxCjVSfsAr
+158zAWPevyiuj3yzFz04mYALt/ZmOJMTF0vyKN8cg5bwfLu3itV6b6vhpuloIhRc
+Hmsbgr3BtCVHkf4vJWq/qKDEMcOhSrJ6wxGCzVyphenewSIbVcogj19cRZDFPWOC
+3sAy/GY3Rz0qK30tDvNbE1uum8gy5ijXFmepJ/lEetRCvrIsxTsXJOj0tqVZfIIQ
+E1YWUZ57TiBBrdS+dTgmRxkN/zaAfYVAIck=
 -----END X509 CRL-----

hooks/timestamping

@@ -553,7 +553,7 @@ download_crls_for_chain() {
       local URL=$(openssl x509 -inform PEM -in $EXTRACTED_CERT -text -noout \
                   | awk '/CRL Distribution Points:/{f=1} f && /URI:/ {print; exit}' \
                   | sed 's/^.*URI://1')
-      if curl "$URL" --output "$CRL_TMP" &> "$OUT_STREAM"; then
+      if curl -L "$URL" --output "$CRL_TMP" &> "$OUT_STREAM"; then
         if openssl crl -in "$CRL_TMP" -inform DER -noout &> "$OUT_STREAM"; then
           openssl crl -in "$CRL_TMP" -inform DER >> "$OUTPUT_FILE"
         elif openssl crl -in "$CRL_TMP" -inform PEM -noout &> "$OUT_STREAM"; then

hooks/validate.sh

@@ -42,8 +42,10 @@ if [[ ! -d "$DIR" ]]; then DIR="$PWD"; fi
 . "$DIR/timestamping"
 
 declare -i MINVERSION=$TIMESTAMPING_VERSION
+declare -i MAX_COMMITS_TO_CHECK=0
+declare -A PROCESSED_COMMIT
 
-while [[ $# -gt 1 ]]; do
+while [[ $# -gt 0 ]]; do
   KEY="$1"
 
   case $KEY in
@@ -61,17 +63,27 @@ while [[ $# -gt 1 ]]; do
       shift # past argument
       shift # past value
       ;;
+    -max|--maxcommits)
+      INTEGER_REGEX='^[0-9]+$'
+      if ! [[ "$2" =~ $INTEGER_REGEX ]]; then
+        echo_error "$KEY: expected positive integer"
+        exit 1
+      fi
+      MAX_COMMITS_TO_CHECK="$2"
+      shift # past argument
+      shift # past value
+      ;;
     -v|--verbose)
       OUT_STREAM=/dev/stdout
       shift # past argument
       ;;
     *) # unknown option
-      echo_error "Unknown argument: $KEY"
-      exit 1
+      OBJECT=$KEY
+      shift # past argument
       ;;
   esac
 done
-OBJECT="$1"
+
 if [ -z "$OBJECT" ]; then
   OBJECT="HEAD"
 fi
@@ -89,6 +101,10 @@ fi
 # tokens, the function will return 0 but echo a warning about the invalid token.
 validate_commit() {
   local COMMIT_HASH="$1"
+  if [[ ${PROCESSED_COMMIT[$COMMIT_HASH]} ]]; then
+    log "validate_commit for $COMMIT_HASH has already been validated"
+    return 0
+  fi
   log "validate_commit for $COMMIT_HASH"
 
   local TIMESTAMP_COMMIT_VERSION
@@ -275,6 +291,8 @@ validate_commit() {
   #assert that all extracted timestamps have been processed
   assert "[ $NUM_PROCESSED -eq $NUM_EXTRACTED ]" "All extracted token must be processed."
 
+  PROCESSED_COMMIT[$COMMIT_HASH]=1
+
   if [ $NUM_VALID -gt 0 ]; then
     if [ $NUM_INVALID -gt 0 ]; then
       echo_warning "Warning: While commit $COMMIT_HASH contains $NUM_VALID valid timestamp tokens and thus is considered proppely timestamped, it also contains $NUM_INVALID invalid timestamp tokens."
@@ -300,16 +318,21 @@ validate_commit_and_parents() {
   if ! validate_commit "$COMMIT_HASH"; then
     ALL_PASSED=false
   fi
-  local PARENTS=$(git cat-file -p "$COMMIT_HASH" | awk '/^$/{exit} /parent/ {print}' | sed 's/parent //')
-  #iterate over all parents of commit
-  if [ ! -z "$PARENTS" ]; then
-    while read PARENT_HASH; do
-      if ! validate_commit_and_parents "$PARENT_HASH"; then
-        ALL_PASSED=false
-      fi
-    done <<< $(printf "%s" "$PARENTS")
+  # If MAX_COMMITS_TO_CHECK is zero (or a negative number) then that is understood as "infinity".
+  # So perform the next commit check if we have not reached the limit, or if the limit is "infinity".
+  NUM_COMMITS_CHECKED=${#PROCESSED_COMMIT[@]}
+  if [[ ${NUM_COMMITS_CHECKED} -lt ${MAX_COMMITS_TO_CHECK} ]] || [[ ${MAX_COMMITS_TO_CHECK} -lt 1 ]]; then
+    local PARENTS=$(git cat-file -p "$COMMIT_HASH" | awk '/^$/{exit} /parent/ {print}' | sed 's/parent //')
+    #iterate over all parents of commit
+    if [ ! -z "$PARENTS" ]; then
+      while read PARENT_HASH; do
+        if ! validate_commit_and_parents "$PARENT_HASH"; then
+          ALL_PASSED=false
+        fi
+      done <<< $(printf "%s" "$PARENTS")
+    fi
   fi
-  if [ "$ALL_PASSED"=true ]; then
+  if [ "$ALL_PASSED" = true ]; then
     return 0
   fi
   return 1
@@ -332,4 +355,4 @@ if validate_commit_and_parents "$COMMIT_HASH"; then
 else
   echo_error "Validation Failed: There are timestamped commits in the commit history of $COMMIT_HASH which do not contain any valid timestamps."
   exit 1
-fi
+fi

hooks/validate_trustanchors_hash.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+#    Copyright (c) 2024 JankariTech UG
+#    Authors: Artur Neumann
+#    Script to check if the trustanchors have been changed
+
+TRUSTANCHOR_DIR="$1"
+EXPECTED_COMMIT_HASH="$2"
+
+if [[ $# -ne 2 ]]; then
+    echo "Usage: $0 <trustanchor_dir> <expected_commit_hash>"
+    exit 1
+fi
+
+if [ -z "$EXPECTED_COMMIT_HASH" ]; then
+    echo "No expected hash provided"
+    exit 1
+fi
+
+# get the sha256 hash of all files in the trustanchor directory
+ACTUAL_COMMIT_HASH=$(find "$TRUSTANCHOR_DIR" -type f -exec sha256sum {} \; | sort | sha256sum | cut -d ' ' -f 1)
+
+if [ "$EXPECTED_COMMIT_HASH" != "$ACTUAL_COMMIT_HASH" ]; then
+    echo "The trustanchors have been changed, please review the provided hash"
+    exit 1
+fi