Add basic verification between signatories' release tarballs

Add support for checking whether the release tarball checksums in the
different signed assertions match.
This is only meant for quick verification, not for actual validation of the
assertion contents.
TheCharlatan 2019-11-19 18:07:29 +01:00
parent 3f5f557f41
commit 3d5a5ab9bf
No known key found for this signature in database
GPG key ID: 9B79B45691DB4173


@ -36,6 +36,35 @@ def verify():
sys.stderr.write('ERROR: One or more signatures failed verification.\n')
exit(1)
print('All signatures verified correctly.\n')
print('Beginning checksum comparison...\n')
# Check that the contents between the assertion signers match. This is meant for quick verification, not for validation of their contents
# TODO: prevent false positives related to filenames / whitespace / formatting.
builds = glob.glob(ver_pattern + '*')
for build in builds:
first_file = glob.glob(build + '/*/*.assert', recursive=False)[0]
f = open(first_file, "r")
first_file_contents = f.readlines()
f.close()
for assert_file in glob.glob(build + '/*/*.assert', recursive=False):
f = open(assert_file, "r")
assert_file_contents = f.readlines()
f.close()
for i in range(len(assert_file_contents)):
# compare everything in the assertions until the base image manifests
if assert_file_contents[i] == "- base_manifests: !!omap\n":
break
# the OSX SDK may change from time to time
if "sdk" in assert_file_contents[i]:
continue
if assert_file_contents[i] != first_file_contents[i]:
print("ERROR: Found conflicting contents on line:", i)
print(assert_file, ":\n", assert_file_contents[i])
print(first_file, ":\n", first_file_contents[i])
exit(1)
print('No discrepancies found in assertion files.')
print('All checks passed.')
os.chdir(workdir)
def main():
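Review bot: The loop at `for i in range(len(assert_file_contents))` breaks as soon as the current file reaches `- base_manifests: !!omap` without checking that the reference file has the marker on the same line, so an assertion whose content before the marker is a strict prefix of the reference's is reported as matching; a file longer than the reference instead raises IndexError on `first_file_contents[i]`. Since the check exists to catch signers disagreeing on the release checksums, find the marker in both files, fail when it is missing or at a different index, and compare only up to that index. The `"sdk" in assert_file_contents[i]` skip matches any line containing that substring, presumably including output entries whose file name contains it, so it would be safer to anchor it to the SDK input entry. verify() begins before this hunk and the page has lost the original indentation, so the nesting below is inferred.

```python
marker = "- base_manifests: !!omap\n"
# … unchanged: glob for builds, selection of first_file …
with open(first_file, "r") as f:
    first_file_contents = f.readlines()
if marker not in first_file_contents:
    print("ERROR: No base manifests marker in:", first_file)
    exit(1)
first_end = first_file_contents.index(marker)
for assert_file in glob.glob(build + '/*/*.assert', recursive=False):
    with open(assert_file, "r") as f:
        assert_file_contents = f.readlines()
    # Refuse to compare when the compared regions differ in length,
    # instead of silently treating a shorter assertion as matching.
    if (marker not in assert_file_contents
            or assert_file_contents.index(marker) != first_end):
        print("ERROR: Assertion length before base manifests differs:")
        print(assert_file, "vs", first_file)
        exit(1)
    for i in range(first_end):
        # … unchanged: sdk skip and per-line comparison …
```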