Merge pull request #28 from blocktrron/ci-sign-all

ci contrib: allow validation of all branches against CI key
freifunk-darmstadt · Jan 12, 2024 · 0b9a51b · 0b9a51b
2 parents f7d89e2 + a0008a8
commit 0b9a51b
Show file tree

Hide file tree

Showing 3 changed files with 113 additions and 34 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -325,6 +325,32 @@ jobs:
           priority: 1
           broken: ${{ needs.build-meta.outputs.broken }}
 
+      - name: Sign manifest (Stable)
+        uses: freifunk-gluon/action-sign@v1
+        if: >
+          needs.build-meta.outputs.manifest-stable != '0' &&
+          needs.build-meta.outputs.sign-manifest != '0'
+        with:
+          container-version: ${{ needs.build-meta.outputs.container-version }}
+          gluon-path: "gluon-gha-data/gluon"
+          manifest: >-
+            gluon-gha-data/gluon/output/images/sysupgrade/stable.manifest
+          signing-key: ${{ secrets.GHA_FFDA_BUILD_ECDSA_KEY_STABLE }}
+          write-signature: "true"
+
+      - name: Sign manifest (Beta)
+        uses: freifunk-gluon/action-sign@v1
+        if: >
+          needs.build-meta.outputs.manifest-beta != '0' &&
+          needs.build-meta.outputs.sign-manifest != '0'
+        with:
+          container-version: ${{ needs.build-meta.outputs.container-version }}
+          gluon-path: "gluon-gha-data/gluon"
+          manifest: >-
+            gluon-gha-data/gluon/output/images/sysupgrade/beta.manifest
+          signing-key: ${{ secrets.GHA_FFDA_BUILD_ECDSA_KEY_BETA }}
+          write-signature: "true"
+
       - name: Sign manifest (Testing)
         uses: freifunk-gluon/action-sign@v1
         if: >

diff --git a/contrib/sign-release.sh b/contrib/sign-release.sh
@@ -8,12 +8,84 @@ function usage() {
     exit 1
 }
 
-SCRIPT_DIR="$(dirname "$0")"
+function split_manifest() {
+    local manifest upper lower
+
+    manifest="$1"
+    upper="$2"
+    lower="$3"
+
+    awk 'BEGIN    {
+        sep = 0
+    }
+
+    /^---$/ {
+        sep = 1;
+        next
+    }
+
+    {
+        if(sep == 0) {
+            print > "'"$upper"'"
+        } else {
+            print > "'"$lower"'"
+        }
+    }' "$manifest"
+}
+
+function create_signature() {
+    local secret manifest upper lower
+
+    manifest="$1"
+    secret="$2"
+
+    upper="$(mktemp)"
+    lower="$(mktemp)"
+
+    # Split manifest into upper and lower part
+    split_manifest "$manifest" "$upper" "$lower"
+
+    # Sign upper part of manifest
+    ecdsasign "$upper" < "$secret"
+
+    # Remove temporary files
+    rm -f "$upper" "$lower"
+}
+
+function get_valid_signature() {
+    local public_key manifest upper lower
+
+    manifest="$1"
+    public_key="$2"
+
+    upper="$(mktemp)"
+    lower="$(mktemp)"
+
+    # Split manifest into upper and lower part
+    split_manifest "$manifest" "$upper" "$lower"
+
+    # Validate upper part of manifest
+    while read -r line
+    do
+        if ecdsaverify -s "$line" -p "$public_key" "$upper"; then
+            echo "$line"
+            break
+        fi
+    done < "$lower"
+
+    # Remove temporary files
+    rm -f "$upper" "$lower"
+}
+
+function cleanup() {
+    rm -rf "$TEMP_DIR"
+}
 
 # This Script is used to sign a Firmware Release using
 # a private ECDSA key.
 
 DEFAULT_GITHUB_REPOSITORY_URL="freifunk-darmstadt/site-ffda"
+CI_PUBLIC_KEY="cea1e84bf157d7362287fcd21d13de14634341e3d1ea7038000062743554dc88"
 
 GITHUB_REPOSITORY_URL="${GITHUB_REPOSITORY_URL:-$DEFAULT_GITHUB_REPOSITORY_URL}"
 
@@ -37,17 +109,25 @@ tar xf "${TEMP_DIR}/manifest.tar.xz" -C "${TEMP_DIR}"
 
 # Sign manifest
 for manifest_path in "${TEMP_DIR}/"*.manifest; do
-    echo ""
+    valid_ci_signature="$(get_valid_signature "$manifest_path" "$CI_PUBLIC_KEY")"
+
+    # Check if manifest is signed with CI key first
+    if [ -n "$valid_ci_signature" ]; then
+        echo "Manifest $manifest_path is signed with CI key"
+        echo "Signature: $valid_ci_signature"
+    else
+        echo "Manifest $manifest_path is not signed with CI key"
+        cleanup
+        exit 1
+    fi
 
     # Get filename without extension
     manifest_branch_name="$(basename "$manifest_path" .manifest)"
 
     # Get Signature
-    signature="$("$SCRIPT_DIR/sign.sh" "$PRIVATE_KEY_PATH" "$manifest_path")"
-
-    echo "Signature for $manifest_branch_name"
-    echo "$signature"
+    echo "-- Signature for $manifest_branch_name --"
+    create_signature "$manifest_path" "$PRIVATE_KEY_PATH"
 done
 
 # Remove Temporary working directory
-rm -rf "$TEMP_DIR"
+cleanup
diff --git a/contrib/sign.sh b/contrib/sign.sh