#!/bin/bash echo "Fetching updates from $(git remote get-url origin) ..." echo "" if ! git pull --verify-signatures; then echo "WARNING: git pull did not exit successfully." echo "" echo "EXITING the script. In order to tag your changes," echo "investigate and then run bump-tag again." exit 1 fi if [[ -f ./cosmos.conf ]]; then # shellcheck disable=SC1091 source ./cosmos.conf fi # A tab will be used in multiple commands for git t=$'\t' # Set the default tag according to the repo # or by entering a name as the first argument. if [[ -z "${1}" ]]; then deftag="$(basename "${PWD}")" else deftag="${1}" fi # Set the tag prefix according to: # 1. $tag, if specified in cosmos.conf, # 2. or $deftag, as specified above. # shellcheck disable=SC2154 if [[ -n "${tag}" ]]; then tagpfx="${tag}" else tagpfx="${deftag}" fi # This is the current branch that Git will diff against. this_branch=$(git rev-parse --abbrev-ref HEAD) # Check why the tag couldn't be verified # First argument: the tag to investigate check_tag_sig_failure() { local __tag_to_check="${1}" # shellcheck disable=SC2155 local __verify_tag_output="$(git verify-tag --raw "${__tag_to_check}" 2>&1)" if echo "${__verify_tag_output}" | grep -q "VALIDSIG"; then if echo "${__verify_tag_output}" | grep -q "EXPKEYSIG"; then echo "" echo "WARNING: The tag was correctly signed, but the copy of" echo "the key that you have stored on your computer has expired." echo "Check for an updated key in:" echo "global/overlay/etc/cosmos/keys/" echo "" echo "EXITING the script. In order to tag your changes," echo "investigate and then run bump-tag again." exit 1 else echo "" echo "WARNING: The tag was probably correctly signed," echo "but it still didn't pass the verification check." echo "" echo "EXITING the script. In order to tag your changes," echo "investigate and then run bump-tag again." exit 1 fi else echo "" echo "WARNING: The signature of the tag could not be verified." echo "Please make sure that you have imported the key and that" echo "the key is signed by a trusted party." echo "Keys used for signing in a Cosmos repo can be found at:" echo "global/overlay/etc/cosmos/keys/" echo "" echo "EXITING the script. In order to tag your changes," echo "investigate and then run bump-tag again." exit 1 fi } check_commit_sig_failure() { local __commit_to_check="${1}" local __file_related_to_commit="${2}" # shellcheck disable=SC2155 local __verify_commit_output="$(git verify-commit --raw "${__commit_to_check}" 2>&1)" if echo "${__verify_commit_output}" | grep -q "VALIDSIG"; then if echo "${__verify_commit_output}" | grep -q "EXPKEYSIG"; then echo "WARNING: The commit to ${__file_related_to_commit}" echo "was correctly signed, but the copy of the key that" echo "you have stored on your computer has expired." echo "Check for an updated key in:" echo "global/overlay/etc/cosmos/keys/" echo "" echo "EXITING the script. In order to tag your changes," echo "investigate and then run bump-tag again." exit 1 else echo "WARNING: The commit to ${__file_related_to_commit}" echo "was probably correctly signed, but it still didn't" echo "pass the verification check." echo "" echo "EXITING the script. In order to tag your changes," echo "investigate and then run bump-tag again." exit 1 fi else echo "WARNING: The commit to ${__file_related_to_commit}" echo "could not be verified. Please make sure that you have" echo "imported the key and that the key is signed by a trusted party." echo "" echo "EXITING the script. In order to tag your changes," echo "investigate and then run bump-tag again." exit 1 fi } # Verify the last commit of a file # First argument: the file to verify verify_last_commit() { local __file_to_verify="${1}" if [[ ! -f "${__file_to_verify}" ]]; then return 1 fi if [[ -n "$(git status --porcelain "${__file_to_verify}")" ]]; then echo "" echo "INFO: local changes detected in ${__file_to_verify}," echo "Not checking the signature of the last commit to ${__file_to_verify}." echo "" return 1 fi # shellcheck disable=SC2155 local __last_commit="$(git log -n 1 --pretty=format:%H -- "${__file_to_verify}")" if ! git verify-commit "${__last_commit}" 2> /dev/null; then echo "" echo "WARNING: Untrusted modification to ${__file_to_verify}:" echo "----------------------------" git verify-commit "$(git log -n 1 --pretty=format:%H -- "${__file_to_verify}")" echo "----------------------------" check_commit_sig_failure "${__last_commit}" "${__file_to_verify}" fi } tag_list="$(git tag -l "${tagpfx}-*")" # shellcheck disable=SC2181 if [[ ${?} -ne 0 ]] || [[ -z "${tag_list}" ]]; then if [[ -z ${ALLOW_UNSIGNED_COMMITS_WITHOUT_TAGS} ]]; then echo "No tags found, verifying all commits instead." echo "Please set environment variable ALLOW_UNSIGNED_COMMITS_WITHOUT_TAGS if you want to disable this check." # %H = commit hash # %G? = show "G" for a good (valid) signature git_log="$(git log --pretty="format:%H${t}%G?" \ --first-parent \ | grep -v "${t}G$")" fi else last_tag="$(echo "${tag_list}" | sort | tail -1)" echo "Verifying last tag: ${last_tag} and the commits after that" if ! git verify-tag "${last_tag}"; then check_tag_sig_failure "${last_tag}" fi tag_object="$(git verify-tag -v "${last_tag}" 2>&1 | grep ^object | cut -d' ' -f2)" # The commits after the last valid signed git tag that we need to check revision_range="${tag_object}..HEAD" # Filter out the commits that are unsigned or untrusted # %H = commit hash # %G? = show "G" for a good (valid) signature git_log="$(git log --pretty="format:%H${t}%G?" "${revision_range}" \ --first-parent \ | grep -v "${t}G$")" fi if [[ -n "${git_log}" ]]; then echo "" echo -e "------WARNING: unsigned or untrusted commits after the last tag------" echo "${git_log}" echo -e "---------------------------------------------------------------------" echo "Quick referens on how to configure signing of commits in ~/.gitconfig:" echo "[user]" echo " signingkey = your-prefered-key-id" echo "[commit]" echo " gpgsign = true" echo "" echo "EXITING the script. In order to tag your changes," echo "please make sure that you have configured signing of" echo "your own commits and that the listed unsigned commits" echo "have been made by a trusted party and are not malicous." exit 1 fi # Always check that the last commit of certain # sensitive files is trusted, without taking into # account whether the last tag was trusted or not. verify_last_commit "./scripts/jsonyaml-no-output.py" verify_last_commit "./bump-tag" # Test the syntax of each YAML-file to be tagged. for file in $(git diff --name-only "${last_tag}..${this_branch}" | grep -E "^.*\.(yaml|yml)$"); do if [[ -f "${file}" ]]; then ./scripts/jsonyaml-no-output.py yaml "${file}" fi done echo "Differences between tag ${last_tag} and what you are about to sign:" # With PAGER=cat, git diff will simply dump the output to the screen. # shellcheck disable=SC2037 PAGER="cat" git diff --color "${last_tag}..${this_branch}" # Iterate over the $last_tag until $this_tag is set to a later version iter=1 ok= while [[ -z "${ok}" ]]; do this_tag="$(date +"${tagpfx}-%Y-%m-%d-v$(printf "%02d" "${iter}")")" iter="$(( iter + 1))" case "$( (echo "${this_tag}"; echo "${last_tag}") | sort | tail -1 )" in "${last_tag}") ;; "${this_tag}") ok=yes ;; esac done if [[ "${deftag}" != "${tagpfx}" ]]; then echo -e "Using new tag \e[94m${this_tag}\e[0m according to pattern in cosmos.conf" else echo -e "Using new tag \e[94m${this_tag}\e[0m" fi echo -e "\e[1mONLY SIGN IF YOU APPROVE OF VERIFICATION AND DIFF ABOVE\e[0m" # GITTAGEXTRA is for putting things like "-u 2117364A" # Note that this variable cannot be quoted if left empty. # shellcheck disable=SC2086 git tag ${GITTAGEXTRA} -m bump. -s "${this_tag}" git push git push --tags