feature: default to checking all commits

feature: limit the number of commits to be validated
Signed-off-by: Phil Davis <phil@jankaritech.com>
2025-05-29 09:55:57 +05:45 · 2025-05-28 10:56:06 +05:45 · 2025-03-19 03:55:52 +00:00 · 2025-03-18 13:47:27 +05:45 · 2025-02-17 03:37:10 +00:00 · 2025-02-13 12:09:32 +05:45
7 changed files with 2477 additions and 23 deletions
--- a/.gitea/workflows/validate.yaml
+++ b/.gitea/workflows/validate.yaml
@@ -0,0 +1,32 @@
+name: Validate Trusted Timestamps Actions Demo
+run-name: ${{ gitea.actor }} is validating the trusted timestamps of all commits 🚀
+on: [push]
+
+variables:
+  EXPECTED_TRUSTANCHORS_HASH: "70a1c7e2fc62a0b62e44063f0e730b20b0f209d15c84b310ad06ce616c352829"
+
+jobs:
+  Validate:
+    runs-on: ubuntu-latest
+    timeout-minutes: 2
+    steps:
+      - name: Install extra software
+        run: |
+          apt-get update
+          apt-get install -y xxd
+      - name: Check out repository code
+        uses: actions/checkout@v4
+        with:
+           fetch-depth: 0
+      - name: Setup timestamping authorities
+        run: |
+          git config --local timestamping.tsa0.url https://freetsa.org/tsr
+          bash -c 'yes | ./hooks/trust.sh https://freetsa.org/tsr'
+          git config --local timestamping.tsa1.url https://tsa.cesnet.cz:3162/tsa
+          bash -c 'yes | ./hooks/trust.sh https://tsa.cesnet.cz:3162/tsa'
+      - name: Check hashes of all trustanchors
+        run: |
+          ./hooks/validate_trustanchors_hash.sh .git/hoqoks/trustanchors ${{ EXPECTED_TRUSTANCHORS_HASH }}
+      - name: Validate timestamps of all commits
+        run: |
+          ./hooks/validate.sh --minversion 0
--- a/.timestampltv/certs/5024EC0B994B2230F00A0F90A60D1D281D1B3FBE.cer
+++ b/.timestampltv/certs/5024EC0B994B2230F00A0F90A60D1D281D1B3FBE.cer
@@ -0,0 +1,89 @@
+subject=DC = cz, DC = cesnet-ca, O = CESNET, CN = tsa.cesnet.cz
+
+issuer=DC = cz, DC = cesnet-ca, O = CESNET CA, CN = Personal Signing 2
+
+-----BEGIN CERTIFICATE-----
+MIIEDjCCAvagAwIBAgIIaveGaDrA13AwDQYJKoZIhvcNAQELBQAwYDESMBAGCgmS
+JomT8ixkARkWAmN6MRkwFwYKCZImiZPyLGQBGRYJY2VzbmV0LWNhMRIwEAYDVQQK
+DAlDRVNORVQgQ0ExGzAZBgNVBAMMElBlcnNvbmFsIFNpZ25pbmcgMjAeFw0yNDA4
+MDcwOTQ3MDRaFw0yNzA4MDcwOTQ3MDRaMFgxEjAQBgoJkiaJk/IsZAEZFgJjejEZ
+MBcGCgmSJomT8ixkARkWCWNlc25ldC1jYTEPMA0GA1UECgwGQ0VTTkVUMRYwFAYD
+VQQDDA10c2EuY2VzbmV0LmN6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAvWLHcBAB3TKzSyP/EpZucr0fet3wqwYYcH8XRCPZNh1+yj858l5UvSp7QHje
+LU8Twnx8/xrVZMteojL1RNaLUDm0TJD7tIkCkwILxY8qxQX8yYgFCQM9wgWzWiMN
+NR9/+W/3pr8HMPwjVlAXvHSi2QIZbIcrVudKqVpkl9hBKWyEU/661M+MjPLuU4BF
+ZCkU7nauf2B8QUSh8K0nKGkHPgZDeD8SNEVpvRcFow187AJz0BSvyOklX15Pr+rI
+7SXxUmVZ03yVBduorqCXwrhbQWxqdc2K1tQ06do8VTIjxUAwe3HyISl98ZFnrT1B
+/g4n+R8uV4QFxgNAPxjiD88BewIDAQABo4HTMIHQMAwGA1UdEwEB/wQCMAAwHwYD
+VR0jBBgwFoAUwR67pD8OE9+Bm75MYrLZur7VtrswKQYDVR0RBCIwIIIOdHNhMS5j
+ZXNuZXQuY3qCDnRzYTIuY2VzbmV0LmN6MBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMI
+MD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6Ly9jcmwuY2VzbmV0LWNhLmN6L1BlcnNv
+bmFsU2lnbmluZzIuY3JsMB0GA1UdDgQWBBRkK2hn4tgnpvS/JMiNhCqdneTm1zAN
+BgkqhkiG9w0BAQsFAAOCAQEAYnzrqDcaln6O6uALwwMlgUHIp3u6crLITzKFbPPi
+OKfzlmzsPNfU5kyi1vHS/ajReTNeJet02KGygIH4LB7pVwZKxx7xhQD6AK971Z6d
+rwDVoEYE2SB7PMcWgh+/mV90qJqgBUrVLFVExe91BkQONbNF81tzQXknovr2yWe5
+fYzYE6oJDGImoUmtN2lJRLZdS4TQbmfdSZDClwmraw2i4TAN6aCHrdST81GaIzwP
+bFAKMkgUOD8ynwJTbk8lk9hnO/uf3BFkmPClAmOlRHYRPmsWe2M2eQpBrYNoH0vw
+8SCFNE+MLMTzM1/dRjq9fnKb1pejxj3xqPF6WAojgAYnpw==
+-----END CERTIFICATE-----
+
+subject=DC = cz, DC = cesnet-ca, O = CESNET CA, CN = Personal Signing 2
+
+issuer=DC = cz, DC = cesnet-ca, O = CESNET CA, CN = CESNET CA Root
+
+-----BEGIN CERTIFICATE-----
+MIIETTCCAzWgAwIBAgIHAPTqVoKaNDANBgkqhkiG9w0BAQsFADBcMRIwEAYKCZIm
+iZPyLGQBGRYCY3oxGTAXBgoJkiaJk/IsZAEZFgljZXNuZXQtY2ExEjAQBgNVBAoT
+CUNFU05FVCBDQTEXMBUGA1UEAxMOQ0VTTkVUIENBIFJvb3QwHhcNMTgwNDE4MDky
+MDQ4WhcNMjgwNDIwMDkyMDQ4WjBgMRIwEAYKCZImiZPyLGQBGRYCY3oxGTAXBgoJ
+kiaJk/IsZAEZFgljZXNuZXQtY2ExEjAQBgNVBAoMCUNFU05FVCBDQTEbMBkGA1UE
+AwwSUGVyc29uYWwgU2lnbmluZyAyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEApKhbabfUBLMtC10PXFQe+hJI4wpJFNkYt3HRud0rZKmRqlcpPJvc4PLr
+9kEjXS+CP6Ut0UUkDvl686Mi7PsdxYFgDCfj0P694UA2SsGvBShL0vlZVkH19YFJ
+tyY1imP3B94r57+umqKEEr9qxu9nwToS8AB6Ead4zBPMSnHZvyFPuD9Lsc/WhcUb
+HnUvZN9jrrV4D6AjyvaBFPPcDVLjgiGoEE50PVMHPT5ZHpwTBTpBgL3zjE5fmxI4
+HU7aD0orO0pg0kmZrQa98bnnVb7Wp9HhYHc9tPhLMhi9UdTBb9zwQCaezJ0gnS5K
+iEAT5ZCYRUYlg82R07Z8k8UnHjczYQIDAQABo4IBDjCCAQowDwYDVR0TAQH/BAUw
+AwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFMEeu6Q/DhPfgZu+TGKy2bq+1ba7
+MB8GA1UdIwQYMBaAFJ5BMOPD1U6Mg46jPMl/o20TXYQlMG0GCCsGAQUFBwEBBGEw
+XzAlBggrBgEFBQcwAYYZaHR0cDovL29jc3AuY2VzbmV0LWNhLmN6LzA2BggrBgEF
+BQcwAoYqaHR0cDovL2NydC5jZXNuZXQtY2EuY3ovQ0VTTkVUX0NBX1Jvb3QuY3J0
+MDsGA1UdHwQ0MDIwMKAuoCyGKmh0dHA6Ly9jcmwuY2VzbmV0LWNhLmN6L0NFU05F
+VF9DQV9Sb290LmNybDANBgkqhkiG9w0BAQsFAAOCAQEApoIA2/rStoUKnWC+qz3P
+AZLtDiyuUqs4i4Lb18loxE67QdP9nDZEzwHrB9Cr4oxN9cTutdUiwDIBQKuLx3tH
+r7TyuwcIYhHlW0+Ih+yUeyXEJlvSfR29M7SXY2axw4TWv4qOT2LKlFGxFqZx4OwN
+aVMUDSFVr3E5J4doIB2u/pLd+LH1QdsUXF1VhIa+Is/HMhC2JvmdnFqOCypdQrSA
+Ski6L8GRONF4SwzXg/glOQaw0QR69CjrYcogne1d/3Mxwr45MVkPwMJXscPKiRam
+SSTj7AJpyic0xbFBwGu+T7BP0NujkY/CW96UoELgcPsKoTAg7j6BhrWsjrfEaqtu
+7Q==
+-----END CERTIFICATE-----
+
+subject=DC = cz, DC = cesnet-ca, O = CESNET CA, CN = CESNET CA Root
+
+issuer=DC = cz, DC = cesnet-ca, O = CESNET CA, CN = CESNET CA Root
+
+-----BEGIN CERTIFICATE-----
+MIIEDTCCAvWgAwIBAgIJAIf3+gBzaRRPMA0GCSqGSIb3DQEBBQUAMFwxEjAQBgoJ
+kiaJk/IsZAEZFgJjejEZMBcGCgmSJomT8ixkARkWCWNlc25ldC1jYTESMBAGA1UE
+ChMJQ0VTTkVUIENBMRcwFQYDVQQDEw5DRVNORVQgQ0EgUm9vdDAeFw0wOTAyMjQx
+MzE2MDJaFw0yOTAyMjQxMzE2MDJaMFwxEjAQBgoJkiaJk/IsZAEZFgJjejEZMBcG
+CgmSJomT8ixkARkWCWNlc25ldC1jYTESMBAGA1UEChMJQ0VTTkVUIENBMRcwFQYD
+VQQDEw5DRVNORVQgQ0EgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAPeL9R8QFCBHw/PlWt2wBnx0cCSiNAhlI7HInrzGmtHK/9MJQJpmcoToq91R
+Y+hdo7sVddNqbz3F+oeiKavz3wpdCZJtaPI8Sv44OlCtnxeuw0LkSAAfG3maue7X
+I4jFqCU7/NxcoursXHDMCRLqeKHkast0b4i7d1KOdoc6hMNVaVc1UY/wyimM+Pbh
+XRW4+iwnmJXlIqCumWaVKF0b1F0WK2LV5TRonsoFNPdVHBU795ObAXRsXWfiKwNK
+CX85l3AO37UN1wbQ7UvCzE88jYOanRxL1AKezCa1ca8AohqbqoVVtrRPUTMrlXG3
+JOBfRaG0+LPXxHwQ9zCjvV/9kFcCAwEAAaOB0TCBzjAdBgNVHQ4EFgQUnkEw48PV
+ToyDjqM8yX+jbRNdhCUwgY4GA1UdIwSBhjCBg4AUnkEw48PVToyDjqM8yX+jbRNd
+hCWhYKReMFwxEjAQBgoJkiaJk/IsZAEZFgJjejEZMBcGCgmSJomT8ixkARkWCWNl
+c25ldC1jYTESMBAGA1UEChMJQ0VTTkVUIENBMRcwFQYDVQQDEw5DRVNORVQgQ0Eg
+Um9vdIIJAIf3+gBzaRRPMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMA0G
+CSqGSIb3DQEBBQUAA4IBAQB+vy9hAwzjgjYTnTwfxK03Ze/07GnmulUxUIPOagHJ
+vGQojnjN3BGnMoXNhQrhhCy1BfKt88sweN/ELkeOsgthbQ24lX7YdgPEPSwY2iIB
+E0NWxG87+z5hmfo+M69Q9WS8b5aSd4v5pSzT4+s6UW2lsddbdpnI4OwEEVdmj4e1
+w0trIAfPsFSKx5jMvC0KzoO04fSAjxTj2bn4orRVWlVGUYmQm/Gq0w//f84zox/g
+/XjE+kQ+eFOpNeeJC2Tpl04BByskoOw4LybIZ6iSdrUjoLgrK3R1geXo86Sx8QWE
+VVWM2+1UCVV3AMhYwQUbgasrEPkZ79od6exSUb+ZTpWc
+-----END CERTIFICATE-----
+
--- a/.timestampltv/crls/5024EC0B994B2230F00A0F90A60D1D281D1B3FBE.crl
+++ b/.timestampltv/crls/5024EC0B994B2230F00A0F90A60D1D281D1B3FBE.crl
--- a/.timestampltv/crls/E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3.crl
+++ b/.timestampltv/crls/E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3.crl
@@ -2,17 +2,17 @@
 MIIC5jCCAc4CAQEwDQYJKoZIhvcNAQELBQAwcjELMAkGA1UEBhMCVVMxFTATBgNV
 BAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTExMC8G
 A1UEAxMoRGlnaUNlcnQgU0hBMiBBc3N1cmVkIElEIFRpbWVzdGFtcGluZyBDQRcN
-MjUwMTEwMDUwODUzWhcNMjUwMTE3MDUwODUzWjCB9TAhAhAL2v0LKRQzmpYSZqw1
+MjUwMjEyMDUyMjQ1WhcNMjUwMjE5MDUyMjQ1WjCB9TAhAhAL2v0LKRQzmpYSZqw1
 OkdEFw0xNjEwMjQxNzQyNDlaMCECEAH40oMtKRkZcbNQw9u8pQAXDTE2MTExMTE1
 MjEzNFowIQIQClKwbEb16yWgi9U/3Ht4hhcNMTgwOTAzMTIxMTQyWjAhAhAFlx7K
 SlmJinvPTLfjd5doFw0xOTA5MzAwODE2MjRaMCECEAxFkEkmQLBOlEh/jEwCeJAX
 DTIxMDIwOTIyMzk0MlowIQIQBMvnUVSd49EL7YN0yV7iRBcNMjEwMjA5MjMyMzM3
 WjAhAhALmUrhw5aLANVesgZ0jpseFw0yMTAyMDkyMzI0MjNaoDAwLjAfBgNVHSME
-GDAWgBT0tuEgHf4prtLkYaWyoiWyyBc1bjALBgNVHRQEBAICDM4wDQYJKoZIhvcN
-AQELBQADggEBAKSEzS/+5ujMUz0x2zpJuA3Z7zbV25fQsX1BVK3oSie2iyWF2FKv
-sw8meQ1WqyMsveAvocBy36eLdL7Pz1vEls7f4/CAXaAlxZHllsLQxvXwqoWhM7r9
-qZhpHRSD5XjKwjuKLElmnKLdLWSYUBMyIL+pOMb3ltnJDCLU2Ezb4ggPr8CiidSx
-UYOTk8zEg5TpkaloeUmoAUj3m/KxTgFJQ6Dv+ZY1V7eQKo8R4f1Z23rVdue+iPrp
-o02xDbLn57Unu67UKNjXYWTeg1kX+vGw/NRqRY1d1ojVGYj+6gddglyIiE+JiT+s
-ZgixUV5frahIU+okA22U8hccAkvaxsrl8fI=
+GDAWgBT0tuEgHf4prtLkYaWyoiWyyBc1bjALBgNVHRQEBAICDO8wDQYJKoZIhvcN
+AQELBQADggEBALr4VopJYkMfQ97HiyqytcWRY/vgyU/LxOwlH0/1DBSeeObQB0Nj
+uF7vcF2bhbpnxba7gvzOPryudwtbqquf2cl3CJG6MC2D8Nk1XzntDnpxCjVSfsAr
+158zAWPevyiuj3yzFz04mYALt/ZmOJMTF0vyKN8cg5bwfLu3itV6b6vhpuloIhRc
+Hmsbgr3BtCVHkf4vJWq/qKDEMcOhSrJ6wxGCzVyphenewSIbVcogj19cRZDFPWOC
+3sAy/GY3Rz0qK30tDvNbE1uum8gy5ijXFmepJ/lEetRCvrIsxTsXJOj0tqVZfIIQ
+E1YWUZ57TiBBrdS+dTgmRxkN/zaAfYVAIck=
 -----END X509 CRL-----
--- a/hooks/timestamping
+++ b/hooks/timestamping
@@ -553,7 +553,7 @@ download_crls_for_chain() {
      local URL=$(openssl x509 -inform PEM -in $EXTRACTED_CERT -text -noout \
                  | awk '/CRL Distribution Points:/{f=1} f && /URI:/ {print; exit}' \
                  | sed 's/^.*URI://1')
-      if curl "$URL" --output "$CRL_TMP" &> "$OUT_STREAM"; then
+      if curl -L "$URL" --output "$CRL_TMP" &> "$OUT_STREAM"; then
        if openssl crl -in "$CRL_TMP" -inform DER -noout &> "$OUT_STREAM"; then
          openssl crl -in "$CRL_TMP" -inform DER >> "$OUTPUT_FILE"
        elif openssl crl -in "$CRL_TMP" -inform PEM -noout &> "$OUT_STREAM"; then
--- a/hooks/validate.sh
+++ b/hooks/validate.sh
@@ -42,8 +42,10 @@ if [[ ! -d "$DIR" ]]; then DIR="$PWD"; fi
 . "$DIR/timestamping"

 declare -i MINVERSION=$TIMESTAMPING_VERSION
+declare -i MAX_COMMITS_TO_CHECK=0
+declare -A PROCESSED_COMMIT

-while [[ $# -gt 1 ]]; do
+while [[ $# -gt 0 ]]; do
  KEY="$1"

  case $KEY in
@@ -61,17 +63,27 @@ while [[ $# -gt 1 ]]; do
      shift # past argument
      shift # past value
      ;;
+    -max|--maxcommits)
+      INTEGER_REGEX='^[0-9]+$'
+      if ! [[ "$2" =~ $INTEGER_REGEX ]]; then
+        echo_error "$KEY: expected positive integer"
+        exit 1
+      fi
+      MAX_COMMITS_TO_CHECK="$2"
+      shift # past argument
+      shift # past value
+      ;;
    -v|--verbose)
      OUT_STREAM=/dev/stdout
      shift # past argument
      ;;
    *) # unknown option
-      echo_error "Unknown argument: $KEY"
-      exit 1
+      OBJECT=$KEY
+      shift # past argument
      ;;
  esac
 done
-OBJECT="$1"
+
 if [ -z "$OBJECT" ]; then
  OBJECT="HEAD"
 fi
@@ -89,6 +101,10 @@ fi
 # tokens, the function will return 0 but echo a warning about the invalid token.
 validate_commit() {
  local COMMIT_HASH="$1"
+  if [[ ${PROCESSED_COMMIT[$COMMIT_HASH]} ]]; then
+    log "validate_commit for $COMMIT_HASH has already been validated"
+    return 0
+  fi
  log "validate_commit for $COMMIT_HASH"

  local TIMESTAMP_COMMIT_VERSION
@@ -275,6 +291,8 @@ validate_commit() {
  #assert that all extracted timestamps have been processed
  assert "[ $NUM_PROCESSED -eq $NUM_EXTRACTED ]" "All extracted token must be processed."

+  PROCESSED_COMMIT[$COMMIT_HASH]=1
+
  if [ $NUM_VALID -gt 0 ]; then
    if [ $NUM_INVALID -gt 0 ]; then
      echo_warning "Warning: While commit $COMMIT_HASH contains $NUM_VALID valid timestamp tokens and thus is considered proppely timestamped, it also contains $NUM_INVALID invalid timestamp tokens."
@@ -300,16 +318,21 @@ validate_commit_and_parents() {
  if ! validate_commit "$COMMIT_HASH"; then
    ALL_PASSED=false
  fi
-  local PARENTS=$(git cat-file -p "$COMMIT_HASH" | awk '/^$/{exit} /parent/ {print}' | sed 's/parent //')
-  #iterate over all parents of commit
-  if [ ! -z "$PARENTS" ]; then
-    while read PARENT_HASH; do
-      if ! validate_commit_and_parents "$PARENT_HASH"; then
-        ALL_PASSED=false
-      fi
-    done <<< $(printf "%s" "$PARENTS")
+  # If MAX_COMMITS_TO_CHECK is zero (or a negative number) then that is understood as "infinity".
+  # So perform the next commit check if we have not reached the limit, or if the limit is "infinity".
+  NUM_COMMITS_CHECKED=${#PROCESSED_COMMIT[@]}
+  if [[ ${NUM_COMMITS_CHECKED} -lt ${MAX_COMMITS_TO_CHECK} ]] || [[ ${MAX_COMMITS_TO_CHECK} -lt 1 ]]; then
+    local PARENTS=$(git cat-file -p "$COMMIT_HASH" | awk '/^$/{exit} /parent/ {print}' | sed 's/parent //')
+    #iterate over all parents of commit
+    if [ ! -z "$PARENTS" ]; then
+      while read PARENT_HASH; do
+        if ! validate_commit_and_parents "$PARENT_HASH"; then
+          ALL_PASSED=false
+        fi
+      done <<< $(printf "%s" "$PARENTS")
+    fi
  fi
-  if [ "$ALL_PASSED"=true ]; then
+  if [ "$ALL_PASSED" = true ]; then
    return 0
  fi
  return 1
--- a/hooks/validate_trustanchors_hash.sh
+++ b/hooks/validate_trustanchors_hash.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+#    Copyright (c) 2024 JankariTech UG
+#    Authors: Artur Neumann
+#    Script to check if the trustanchors have been changed
+
+TRUSTANCHOR_DIR="$1"
+EXPECTED_COMMIT_HASH="$2"
+
+if [[ $# -ne 2 ]]; then
+    echo "Usage: $0 <trustanchor_dir> <expected_commit_hash>"
+    exit 1
+fi
+
+if [ -z "$EXPECTED_COMMIT_HASH" ]; then
+    echo "No expected hash provided"
+    exit 1
+fi
+
+# get the sha256 hash of all files in the trustanchor directory
+ACTUAL_COMMIT_HASH=$(find "$TRUSTANCHOR_DIR" -type f -exec sha256sum {} \; | sort | sha256sum | cut -d ' ' -f 1)
+
+if [ "$EXPECTED_COMMIT_HASH" != "$ACTUAL_COMMIT_HASH" ]; then
+    echo "The trustanchors have been changed, please review the provided hash"
+    exit 1
+fi