Compare commits
2 Commits
date-order
...
5d8dfac4cf
| Author | SHA1 | Date | |
|---|---|---|---|
|
5d8dfac4cf
|
||
|
|
f9c87523b9
|
@@ -1,32 +0,0 @@
|
||||
name: Validate Trusted Timestamps Actions Demo
|
||||
run-name: ${{ gitea.actor }} is validating the trusted timestamps of all commits 🚀
|
||||
on: [push]
|
||||
|
||||
variables:
|
||||
EXPECTED_TRUSTANCHORS_HASH: "70a1c7e2fc62a0b62e44063f0e730b20b0f209d15c84b310ad06ce616c352829"
|
||||
|
||||
jobs:
|
||||
Validate:
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 2
|
||||
steps:
|
||||
- name: Install extra software
|
||||
run: |
|
||||
apt-get update
|
||||
apt-get install -y xxd
|
||||
- name: Check out repository code
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- name: Setup timestamping authorities
|
||||
run: |
|
||||
git config --local timestamping.tsa0.url https://freetsa.org/tsr
|
||||
bash -c 'yes | ./hooks/trust.sh https://freetsa.org/tsr'
|
||||
git config --local timestamping.tsa1.url https://tsa.cesnet.cz:3162/tsa
|
||||
bash -c 'yes | ./hooks/trust.sh https://tsa.cesnet.cz:3162/tsa'
|
||||
- name: Check hashes of all trustanchors
|
||||
run: |
|
||||
./hooks/validate_trustanchors_hash.sh .git/hoqoks/trustanchors ${{ EXPECTED_TRUSTANCHORS_HASH }}
|
||||
- name: Validate timestamps of all commits
|
||||
run: |
|
||||
./hooks/validate.sh --minversion 0
|
||||
@@ -1,89 +0,0 @@
|
||||
subject=DC = cz, DC = cesnet-ca, O = CESNET, CN = tsa.cesnet.cz
|
||||
|
||||
issuer=DC = cz, DC = cesnet-ca, O = CESNET CA, CN = Personal Signing 2
|
||||
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIEDjCCAvagAwIBAgIIaveGaDrA13AwDQYJKoZIhvcNAQELBQAwYDESMBAGCgmS
|
||||
JomT8ixkARkWAmN6MRkwFwYKCZImiZPyLGQBGRYJY2VzbmV0LWNhMRIwEAYDVQQK
|
||||
DAlDRVNORVQgQ0ExGzAZBgNVBAMMElBlcnNvbmFsIFNpZ25pbmcgMjAeFw0yNDA4
|
||||
MDcwOTQ3MDRaFw0yNzA4MDcwOTQ3MDRaMFgxEjAQBgoJkiaJk/IsZAEZFgJjejEZ
|
||||
MBcGCgmSJomT8ixkARkWCWNlc25ldC1jYTEPMA0GA1UECgwGQ0VTTkVUMRYwFAYD
|
||||
VQQDDA10c2EuY2VzbmV0LmN6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
|
||||
AQEAvWLHcBAB3TKzSyP/EpZucr0fet3wqwYYcH8XRCPZNh1+yj858l5UvSp7QHje
|
||||
LU8Twnx8/xrVZMteojL1RNaLUDm0TJD7tIkCkwILxY8qxQX8yYgFCQM9wgWzWiMN
|
||||
NR9/+W/3pr8HMPwjVlAXvHSi2QIZbIcrVudKqVpkl9hBKWyEU/661M+MjPLuU4BF
|
||||
ZCkU7nauf2B8QUSh8K0nKGkHPgZDeD8SNEVpvRcFow187AJz0BSvyOklX15Pr+rI
|
||||
7SXxUmVZ03yVBduorqCXwrhbQWxqdc2K1tQ06do8VTIjxUAwe3HyISl98ZFnrT1B
|
||||
/g4n+R8uV4QFxgNAPxjiD88BewIDAQABo4HTMIHQMAwGA1UdEwEB/wQCMAAwHwYD
|
||||
VR0jBBgwFoAUwR67pD8OE9+Bm75MYrLZur7VtrswKQYDVR0RBCIwIIIOdHNhMS5j
|
||||
ZXNuZXQuY3qCDnRzYTIuY2VzbmV0LmN6MBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMI
|
||||
MD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6Ly9jcmwuY2VzbmV0LWNhLmN6L1BlcnNv
|
||||
bmFsU2lnbmluZzIuY3JsMB0GA1UdDgQWBBRkK2hn4tgnpvS/JMiNhCqdneTm1zAN
|
||||
BgkqhkiG9w0BAQsFAAOCAQEAYnzrqDcaln6O6uALwwMlgUHIp3u6crLITzKFbPPi
|
||||
OKfzlmzsPNfU5kyi1vHS/ajReTNeJet02KGygIH4LB7pVwZKxx7xhQD6AK971Z6d
|
||||
rwDVoEYE2SB7PMcWgh+/mV90qJqgBUrVLFVExe91BkQONbNF81tzQXknovr2yWe5
|
||||
fYzYE6oJDGImoUmtN2lJRLZdS4TQbmfdSZDClwmraw2i4TAN6aCHrdST81GaIzwP
|
||||
bFAKMkgUOD8ynwJTbk8lk9hnO/uf3BFkmPClAmOlRHYRPmsWe2M2eQpBrYNoH0vw
|
||||
8SCFNE+MLMTzM1/dRjq9fnKb1pejxj3xqPF6WAojgAYnpw==
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
subject=DC = cz, DC = cesnet-ca, O = CESNET CA, CN = Personal Signing 2
|
||||
|
||||
issuer=DC = cz, DC = cesnet-ca, O = CESNET CA, CN = CESNET CA Root
|
||||
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIETTCCAzWgAwIBAgIHAPTqVoKaNDANBgkqhkiG9w0BAQsFADBcMRIwEAYKCZIm
|
||||
iZPyLGQBGRYCY3oxGTAXBgoJkiaJk/IsZAEZFgljZXNuZXQtY2ExEjAQBgNVBAoT
|
||||
CUNFU05FVCBDQTEXMBUGA1UEAxMOQ0VTTkVUIENBIFJvb3QwHhcNMTgwNDE4MDky
|
||||
MDQ4WhcNMjgwNDIwMDkyMDQ4WjBgMRIwEAYKCZImiZPyLGQBGRYCY3oxGTAXBgoJ
|
||||
kiaJk/IsZAEZFgljZXNuZXQtY2ExEjAQBgNVBAoMCUNFU05FVCBDQTEbMBkGA1UE
|
||||
AwwSUGVyc29uYWwgU2lnbmluZyAyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
|
||||
CgKCAQEApKhbabfUBLMtC10PXFQe+hJI4wpJFNkYt3HRud0rZKmRqlcpPJvc4PLr
|
||||
9kEjXS+CP6Ut0UUkDvl686Mi7PsdxYFgDCfj0P694UA2SsGvBShL0vlZVkH19YFJ
|
||||
tyY1imP3B94r57+umqKEEr9qxu9nwToS8AB6Ead4zBPMSnHZvyFPuD9Lsc/WhcUb
|
||||
HnUvZN9jrrV4D6AjyvaBFPPcDVLjgiGoEE50PVMHPT5ZHpwTBTpBgL3zjE5fmxI4
|
||||
HU7aD0orO0pg0kmZrQa98bnnVb7Wp9HhYHc9tPhLMhi9UdTBb9zwQCaezJ0gnS5K
|
||||
iEAT5ZCYRUYlg82R07Z8k8UnHjczYQIDAQABo4IBDjCCAQowDwYDVR0TAQH/BAUw
|
||||
AwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFMEeu6Q/DhPfgZu+TGKy2bq+1ba7
|
||||
MB8GA1UdIwQYMBaAFJ5BMOPD1U6Mg46jPMl/o20TXYQlMG0GCCsGAQUFBwEBBGEw
|
||||
XzAlBggrBgEFBQcwAYYZaHR0cDovL29jc3AuY2VzbmV0LWNhLmN6LzA2BggrBgEF
|
||||
BQcwAoYqaHR0cDovL2NydC5jZXNuZXQtY2EuY3ovQ0VTTkVUX0NBX1Jvb3QuY3J0
|
||||
MDsGA1UdHwQ0MDIwMKAuoCyGKmh0dHA6Ly9jcmwuY2VzbmV0LWNhLmN6L0NFU05F
|
||||
VF9DQV9Sb290LmNybDANBgkqhkiG9w0BAQsFAAOCAQEApoIA2/rStoUKnWC+qz3P
|
||||
AZLtDiyuUqs4i4Lb18loxE67QdP9nDZEzwHrB9Cr4oxN9cTutdUiwDIBQKuLx3tH
|
||||
r7TyuwcIYhHlW0+Ih+yUeyXEJlvSfR29M7SXY2axw4TWv4qOT2LKlFGxFqZx4OwN
|
||||
aVMUDSFVr3E5J4doIB2u/pLd+LH1QdsUXF1VhIa+Is/HMhC2JvmdnFqOCypdQrSA
|
||||
Ski6L8GRONF4SwzXg/glOQaw0QR69CjrYcogne1d/3Mxwr45MVkPwMJXscPKiRam
|
||||
SSTj7AJpyic0xbFBwGu+T7BP0NujkY/CW96UoELgcPsKoTAg7j6BhrWsjrfEaqtu
|
||||
7Q==
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
subject=DC = cz, DC = cesnet-ca, O = CESNET CA, CN = CESNET CA Root
|
||||
|
||||
issuer=DC = cz, DC = cesnet-ca, O = CESNET CA, CN = CESNET CA Root
|
||||
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIEDTCCAvWgAwIBAgIJAIf3+gBzaRRPMA0GCSqGSIb3DQEBBQUAMFwxEjAQBgoJ
|
||||
kiaJk/IsZAEZFgJjejEZMBcGCgmSJomT8ixkARkWCWNlc25ldC1jYTESMBAGA1UE
|
||||
ChMJQ0VTTkVUIENBMRcwFQYDVQQDEw5DRVNORVQgQ0EgUm9vdDAeFw0wOTAyMjQx
|
||||
MzE2MDJaFw0yOTAyMjQxMzE2MDJaMFwxEjAQBgoJkiaJk/IsZAEZFgJjejEZMBcG
|
||||
CgmSJomT8ixkARkWCWNlc25ldC1jYTESMBAGA1UEChMJQ0VTTkVUIENBMRcwFQYD
|
||||
VQQDEw5DRVNORVQgQ0EgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
|
||||
ggEBAPeL9R8QFCBHw/PlWt2wBnx0cCSiNAhlI7HInrzGmtHK/9MJQJpmcoToq91R
|
||||
Y+hdo7sVddNqbz3F+oeiKavz3wpdCZJtaPI8Sv44OlCtnxeuw0LkSAAfG3maue7X
|
||||
I4jFqCU7/NxcoursXHDMCRLqeKHkast0b4i7d1KOdoc6hMNVaVc1UY/wyimM+Pbh
|
||||
XRW4+iwnmJXlIqCumWaVKF0b1F0WK2LV5TRonsoFNPdVHBU795ObAXRsXWfiKwNK
|
||||
CX85l3AO37UN1wbQ7UvCzE88jYOanRxL1AKezCa1ca8AohqbqoVVtrRPUTMrlXG3
|
||||
JOBfRaG0+LPXxHwQ9zCjvV/9kFcCAwEAAaOB0TCBzjAdBgNVHQ4EFgQUnkEw48PV
|
||||
ToyDjqM8yX+jbRNdhCUwgY4GA1UdIwSBhjCBg4AUnkEw48PVToyDjqM8yX+jbRNd
|
||||
hCWhYKReMFwxEjAQBgoJkiaJk/IsZAEZFgJjejEZMBcGCgmSJomT8ixkARkWCWNl
|
||||
c25ldC1jYTESMBAGA1UEChMJQ0VTTkVUIENBMRcwFQYDVQQDEw5DRVNORVQgQ0Eg
|
||||
Um9vdIIJAIf3+gBzaRRPMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMA0G
|
||||
CSqGSIb3DQEBBQUAA4IBAQB+vy9hAwzjgjYTnTwfxK03Ze/07GnmulUxUIPOagHJ
|
||||
vGQojnjN3BGnMoXNhQrhhCy1BfKt88sweN/ELkeOsgthbQ24lX7YdgPEPSwY2iIB
|
||||
E0NWxG87+z5hmfo+M69Q9WS8b5aSd4v5pSzT4+s6UW2lsddbdpnI4OwEEVdmj4e1
|
||||
w0trIAfPsFSKx5jMvC0KzoO04fSAjxTj2bn4orRVWlVGUYmQm/Gq0w//f84zox/g
|
||||
/XjE+kQ+eFOpNeeJC2Tpl04BByskoOw4LybIZ6iSdrUjoLgrK3R1geXo86Sx8QWE
|
||||
VVWM2+1UCVV3AMhYwQUbgasrEPkZ79od6exSUb+ZTpWc
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
@@ -2,17 +2,17 @@
|
||||
MIIC5jCCAc4CAQEwDQYJKoZIhvcNAQELBQAwcjELMAkGA1UEBhMCVVMxFTATBgNV
|
||||
BAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTExMC8G
|
||||
A1UEAxMoRGlnaUNlcnQgU0hBMiBBc3N1cmVkIElEIFRpbWVzdGFtcGluZyBDQRcN
|
||||
MjUwMjEyMDUyMjQ1WhcNMjUwMjE5MDUyMjQ1WjCB9TAhAhAL2v0LKRQzmpYSZqw1
|
||||
MjUwMTEwMDUwODUzWhcNMjUwMTE3MDUwODUzWjCB9TAhAhAL2v0LKRQzmpYSZqw1
|
||||
OkdEFw0xNjEwMjQxNzQyNDlaMCECEAH40oMtKRkZcbNQw9u8pQAXDTE2MTExMTE1
|
||||
MjEzNFowIQIQClKwbEb16yWgi9U/3Ht4hhcNMTgwOTAzMTIxMTQyWjAhAhAFlx7K
|
||||
SlmJinvPTLfjd5doFw0xOTA5MzAwODE2MjRaMCECEAxFkEkmQLBOlEh/jEwCeJAX
|
||||
DTIxMDIwOTIyMzk0MlowIQIQBMvnUVSd49EL7YN0yV7iRBcNMjEwMjA5MjMyMzM3
|
||||
WjAhAhALmUrhw5aLANVesgZ0jpseFw0yMTAyMDkyMzI0MjNaoDAwLjAfBgNVHSME
|
||||
GDAWgBT0tuEgHf4prtLkYaWyoiWyyBc1bjALBgNVHRQEBAICDO8wDQYJKoZIhvcN
|
||||
AQELBQADggEBALr4VopJYkMfQ97HiyqytcWRY/vgyU/LxOwlH0/1DBSeeObQB0Nj
|
||||
uF7vcF2bhbpnxba7gvzOPryudwtbqquf2cl3CJG6MC2D8Nk1XzntDnpxCjVSfsAr
|
||||
158zAWPevyiuj3yzFz04mYALt/ZmOJMTF0vyKN8cg5bwfLu3itV6b6vhpuloIhRc
|
||||
Hmsbgr3BtCVHkf4vJWq/qKDEMcOhSrJ6wxGCzVyphenewSIbVcogj19cRZDFPWOC
|
||||
3sAy/GY3Rz0qK30tDvNbE1uum8gy5ijXFmepJ/lEetRCvrIsxTsXJOj0tqVZfIIQ
|
||||
E1YWUZ57TiBBrdS+dTgmRxkN/zaAfYVAIck=
|
||||
GDAWgBT0tuEgHf4prtLkYaWyoiWyyBc1bjALBgNVHRQEBAICDM4wDQYJKoZIhvcN
|
||||
AQELBQADggEBAKSEzS/+5ujMUz0x2zpJuA3Z7zbV25fQsX1BVK3oSie2iyWF2FKv
|
||||
sw8meQ1WqyMsveAvocBy36eLdL7Pz1vEls7f4/CAXaAlxZHllsLQxvXwqoWhM7r9
|
||||
qZhpHRSD5XjKwjuKLElmnKLdLWSYUBMyIL+pOMb3ltnJDCLU2Ezb4ggPr8CiidSx
|
||||
UYOTk8zEg5TpkaloeUmoAUj3m/KxTgFJQ6Dv+ZY1V7eQKo8R4f1Z23rVdue+iPrp
|
||||
o02xDbLn57Unu67UKNjXYWTeg1kX+vGw/NRqRY1d1ojVGYj+6gddglyIiE+JiT+s
|
||||
ZgixUV5frahIU+okA22U8hccAkvaxsrl8fI=
|
||||
-----END X509 CRL-----
|
||||
|
||||
@@ -553,7 +553,7 @@ download_crls_for_chain() {
|
||||
local URL=$(openssl x509 -inform PEM -in $EXTRACTED_CERT -text -noout \
|
||||
| awk '/CRL Distribution Points:/{f=1} f && /URI:/ {print; exit}' \
|
||||
| sed 's/^.*URI://1')
|
||||
if curl -L "$URL" --output "$CRL_TMP" &> "$OUT_STREAM"; then
|
||||
if curl "$URL" --output "$CRL_TMP" &> "$OUT_STREAM"; then
|
||||
if openssl crl -in "$CRL_TMP" -inform DER -noout &> "$OUT_STREAM"; then
|
||||
openssl crl -in "$CRL_TMP" -inform DER >> "$OUTPUT_FILE"
|
||||
elif openssl crl -in "$CRL_TMP" -inform PEM -noout &> "$OUT_STREAM"; then
|
||||
|
||||
@@ -42,12 +42,8 @@ if [[ ! -d "$DIR" ]]; then DIR="$PWD"; fi
|
||||
. "$DIR/timestamping"
|
||||
|
||||
declare -i MINVERSION=$TIMESTAMPING_VERSION
|
||||
declare -i MAX_COMMITS_TO_CHECK=0
|
||||
declare -A PROCESSED_COMMIT
|
||||
declare -A COMMITS
|
||||
declare -A COMMIT_TIMES
|
||||
|
||||
while [[ $# -gt 0 ]]; do
|
||||
while [[ $# -gt 1 ]]; do
|
||||
KEY="$1"
|
||||
|
||||
case $KEY in
|
||||
@@ -65,27 +61,17 @@ while [[ $# -gt 0 ]]; do
|
||||
shift # past argument
|
||||
shift # past value
|
||||
;;
|
||||
-max|--maxcommits)
|
||||
INTEGER_REGEX='^[0-9]+$'
|
||||
if ! [[ "$2" =~ $INTEGER_REGEX ]]; then
|
||||
echo_error "$KEY: expected positive integer"
|
||||
exit 1
|
||||
fi
|
||||
MAX_COMMITS_TO_CHECK="$2"
|
||||
shift # past argument
|
||||
shift # past value
|
||||
;;
|
||||
-v|--verbose)
|
||||
OUT_STREAM=/dev/stdout
|
||||
shift # past argument
|
||||
;;
|
||||
*) # unknown option
|
||||
OBJECT=$KEY
|
||||
shift # past argument
|
||||
echo_error "Unknown argument: $KEY"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
OBJECT="$1"
|
||||
if [ -z "$OBJECT" ]; then
|
||||
OBJECT="HEAD"
|
||||
fi
|
||||
@@ -103,10 +89,6 @@ fi
|
||||
# tokens, the function will return 0 but echo a warning about the invalid token.
|
||||
validate_commit() {
|
||||
local COMMIT_HASH="$1"
|
||||
if [[ ${PROCESSED_COMMIT[$COMMIT_HASH]} ]]; then
|
||||
log "validate_commit for $COMMIT_HASH has already been validated"
|
||||
return 0
|
||||
fi
|
||||
log "validate_commit for $COMMIT_HASH"
|
||||
|
||||
local TIMESTAMP_COMMIT_VERSION
|
||||
@@ -293,11 +275,9 @@ validate_commit() {
|
||||
#assert that all extracted timestamps have been processed
|
||||
assert "[ $NUM_PROCESSED -eq $NUM_EXTRACTED ]" "All extracted token must be processed."
|
||||
|
||||
PROCESSED_COMMIT[$COMMIT_HASH]=1
|
||||
|
||||
if [ $NUM_VALID -gt 0 ]; then
|
||||
if [ $NUM_INVALID -gt 0 ]; then
|
||||
echo_warning "Warning: While commit $COMMIT_HASH contains $NUM_VALID valid timestamp tokens and thus is considered properly timestamped, it also contains $NUM_INVALID invalid timestamp tokens."
|
||||
echo_warning "Warning: While commit $COMMIT_HASH contains $NUM_VALID valid timestamp tokens and thus is considered proppely timestamped, it also contains $NUM_INVALID invalid timestamp tokens."
|
||||
fi
|
||||
DATE_STRING=$(date -d @"$EARLIEST_VALID_UNIX_TIME")
|
||||
echo_info "Commit $COMMIT_HASH, which timestamps commit $PARENT_HASH at $DATE_STRING, contains $NUM_VALID valid timestamp tokens."
|
||||
@@ -313,13 +293,6 @@ validate_commit() {
|
||||
# param1: commit hash
|
||||
# returns: 0 if the validation of the commit and all its ancestors succeeded
|
||||
validate_commit_and_parents() {
|
||||
# If MAX_COMMITS_TO_CHECK is zero (or a negative number) then that is understood as "infinity".
|
||||
# So finish if we have reached the limit, and if the limit is not "infinity".
|
||||
NUM_COMMITS_CHECKED=${#PROCESSED_COMMIT[@]}
|
||||
if [[ ${NUM_COMMITS_CHECKED} -ge ${MAX_COMMITS_TO_CHECK} ]] && [[ ${MAX_COMMITS_TO_CHECK} -ge 1 ]]; then
|
||||
# enough commits have already been checked, so return early
|
||||
return 0;
|
||||
fi
|
||||
local COMMIT_HASH="$1"
|
||||
log "validate_commit_and_parents for $COMMIT_HASH"
|
||||
|
||||
@@ -327,7 +300,6 @@ validate_commit_and_parents() {
|
||||
if ! validate_commit "$COMMIT_HASH"; then
|
||||
ALL_PASSED=false
|
||||
fi
|
||||
NUM_COMMITS_CHECKED=${#PROCESSED_COMMIT[@]}
|
||||
local PARENTS=$(git cat-file -p "$COMMIT_HASH" | awk '/^$/{exit} /parent/ {print}' | sed 's/parent //')
|
||||
#iterate over all parents of commit
|
||||
if [ ! -z "$PARENTS" ]; then
|
||||
@@ -337,65 +309,7 @@ validate_commit_and_parents() {
|
||||
fi
|
||||
done <<< $(printf "%s" "$PARENTS")
|
||||
fi
|
||||
if [ "$ALL_PASSED" = true ]; then
|
||||
return 0
|
||||
fi
|
||||
return 1
|
||||
}
|
||||
|
||||
# Recursive function to find all ancestors of commit
|
||||
# param1: commit hash
|
||||
# creates an array COMMITS, key is the commit hash, value is the commit time (Unix epoch seconds)
|
||||
# the array contains all commits found in all paths from the passed-in commit hash back to the root commit of the repo
|
||||
# the array is global so it can be accessed after the function returns
|
||||
find_all_commits() {
|
||||
local COMMIT_HASH="$1"
|
||||
log "find_all_commits for $COMMIT_HASH"
|
||||
# git show "ct" format returns the commit time as Unix epoch seconds
|
||||
COMMIT_TIME=$(git show --no-patch --format=%ct "$COMMIT_HASH")
|
||||
COMMITS[$COMMIT_HASH]="${COMMIT_TIME}"
|
||||
|
||||
local PARENTS=$(git cat-file -p "$COMMIT_HASH" | awk '/^$/{exit} /parent/ {print}' | sed 's/parent //')
|
||||
# iterate over all parents of commit
|
||||
if [ ! -z "$PARENTS" ]; then
|
||||
while read PARENT_HASH; do
|
||||
if [[ ${COMMITS[$PARENT_HASH]} ]]; then
|
||||
log "commit $PARENT_HASH has already been processed"
|
||||
else
|
||||
find_all_commits "$PARENT_HASH"
|
||||
fi
|
||||
done <<< $(printf "%s" "$PARENTS")
|
||||
fi
|
||||
}
|
||||
|
||||
# Validate the commits in the COMMITS array, up to MAX_COMMITS_TO_CHECK
|
||||
# returns: 0 if the validation of the commits succeeded
|
||||
validate_commits() {
|
||||
ALL_PASSED=true
|
||||
# create an associative array with keys using the Unix epoch commit time and value the commit hash
|
||||
# this array can be easily used to sort in (forward or reverse) order of time
|
||||
for HASH in "${!COMMITS[@]}"; do
|
||||
UNIX_EPOCH_TIME="${COMMITS[$HASH]}"
|
||||
# two commits could have the exact same Unix epoch in seconds
|
||||
# so make that unique by appending an "x" and the hash
|
||||
UNIQUE_KEY="${UNIX_EPOCH_TIME}x${HASH}"
|
||||
COMMIT_TIMES[$UNIQUE_KEY]="${HASH}"
|
||||
done
|
||||
# sort into reverse order
|
||||
SORTED_KEYS=($(printf "%s\n" "${!COMMIT_TIMES[@]}" | sort -r))
|
||||
# process the commits from latest time to oldest time
|
||||
ALL_PASSED=true
|
||||
for ENTRY in "${SORTED_KEYS[@]}"; do
|
||||
COMMIT_HASH=${COMMIT_TIMES[${ENTRY}]}
|
||||
log "${ENTRY} has value ${COMMIT_HASH}"
|
||||
NUM_COMMITS_CHECKED=${#PROCESSED_COMMIT[@]}
|
||||
if [[ ${NUM_COMMITS_CHECKED} -lt ${MAX_COMMITS_TO_CHECK} ]]; then
|
||||
if ! validate_commit "$COMMIT_HASH"; then
|
||||
ALL_PASSED=false
|
||||
fi
|
||||
fi
|
||||
done
|
||||
if [ "$ALL_PASSED" = true ]; then
|
||||
if [ "$ALL_PASSED"=true ]; then
|
||||
return 0
|
||||
fi
|
||||
return 1
|
||||
@@ -412,21 +326,10 @@ echo ""
|
||||
|
||||
echo_info "Validating timestamps. This may take a while..."
|
||||
echo ""
|
||||
if [[ ${MAX_COMMITS_TO_CHECK} -ge 1 ]]; then
|
||||
find_all_commits "$COMMIT_HASH"
|
||||
if validate_commits; then
|
||||
echo_success "Validation OK: ${NUM_COMMITS_CHECKED} timestamped commits in the commit history of $COMMIT_HASH contain at least one valid timestamp."
|
||||
exit 0
|
||||
else
|
||||
echo_error "Validation Failed: There are timestamped commits in the commit history of $COMMIT_HASH which do not contain any valid timestamps."
|
||||
exit 1
|
||||
fi
|
||||
if validate_commit_and_parents "$COMMIT_HASH"; then
|
||||
echo_success "Validation OK: All timestamped commits in the commit history of $COMMIT_HASH contain at least one valid timestamp."
|
||||
exit 0
|
||||
else
|
||||
if validate_commit_and_parents "$COMMIT_HASH"; then
|
||||
echo_success "Validation OK: All timestamped commits in the commit history of $COMMIT_HASH contain at least one valid timestamp."
|
||||
exit 0
|
||||
else
|
||||
echo_error "Validation Failed: There are timestamped commits in the commit history of $COMMIT_HASH which do not contain any valid timestamps."
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
echo_error "Validation Failed: There are timestamped commits in the commit history of $COMMIT_HASH which do not contain any valid timestamps."
|
||||
exit 1
|
||||
fi
|
||||
@@ -1,26 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Copyright (c) 2024 JankariTech UG
|
||||
# Authors: Artur Neumann
|
||||
# Script to check if the trustanchors have been changed
|
||||
|
||||
TRUSTANCHOR_DIR="$1"
|
||||
EXPECTED_COMMIT_HASH="$2"
|
||||
|
||||
if [[ $# -ne 2 ]]; then
|
||||
echo "Usage: $0 <trustanchor_dir> <expected_commit_hash>"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -z "$EXPECTED_COMMIT_HASH" ]; then
|
||||
echo "No expected hash provided"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# get the sha256 hash of all files in the trustanchor directory
|
||||
ACTUAL_COMMIT_HASH=$(find "$TRUSTANCHOR_DIR" -type f -exec sha256sum {} \; | sort | sha256sum | cut -d ' ' -f 1)
|
||||
|
||||
if [ "$EXPECTED_COMMIT_HASH" != "$ACTUAL_COMMIT_HASH" ]; then
|
||||
echo "The trustanchors have been changed, please review the provided hash"
|
||||
exit 1
|
||||
fi
|
||||
Reference in New Issue
Block a user