From 3d5a5ab9bf2acfcecbd6fbf29073c310570b73e0 Mon Sep 17 00:00:00 2001
From: TheCharlatan
Date: Tue, 19 Nov 2019 18:07:29 +0100
Subject: [PATCH] Add basic verification between signatories' release tarballs
Add support to check if the release tarball checksum between different signed assertions match. This is only meant for quick verification, not for actual validation of the assertion contents.
---
 verify-merge.py | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/verify-merge.py b/verify-merge.py
index 788d8b0..7566cd1 100755
--- a/verify-merge.py
+++ b/verify-merge.py
@@ -36,6 +36,35 @@ def verify():
 sys.stderr.write('ERROR: One or more signatures failed verification.\n')
 exit(1)
+ print('All signatures verified correctly.\n')
+ print('Beginning checksum comparison...\n')
+ # Check that the contents between the assertion signers match. This is meant for quick verification, not for validation of their contents
+ # TODO: prevent false positives related to filenames / whitespace / formatting.
+ builds = glob.glob(ver_pattern + '*')
+ for build in builds:
+ first_file = glob.glob(build + '/*/*.assert', recursive=False)[0]
+ f = open(first_file, "r")
+ first_file_contents = f.readlines()
+ f.close()
+ for assert_file in glob.glob(build + '/*/*.assert', recursive=False):
+ f = open(assert_file, "r")
+ assert_file_contents = f.readlines()
+ f.close()
+ for i in range(len(assert_file_contents)):
+ # compare everything in the assertions until the base image manifests
+ if assert_file_contents[i] == "- base_manifests: !!omap\n":
+ break
+ # the OSX SDK may change from time to time
+ if "sdk" in assert_file_contents[i]:
+ continue
+ if assert_file_contents[i] != first_file_contents[i]:
+ print("ERROR: Found conflicting contents on line:", i)
+ print(assert_file, ":\n", assert_file_contents[i])
+ print(first_file, ":\n", first_file_contents[i])
+ exit(1)
+
+ print('No discrepancies found in assertion files.')
+ print('All checks passed.')
 os.chdir(workdir)
 def main():
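Review bot: The inner comparison loop can crash instead of reporting a mismatch: it iterates over `range(len(assert_file_contents))` but indexes `first_file_contents[i]`, so a signer's `.assert` file that is longer than the reference file (or that lacks the `- base_manifests: !!omap` marker line) raises IndexError, while a file that is shorter than the reference passes silently because its missing lines are never compared. The `[0]` on the first `glob.glob(build + '/*/*.assert', recursive=False)` call likewise raises IndexError for a build directory with no assertion files rather than printing an error and exiting via the existing `exit(1)` path. A guard such as `if i >= len(first_file_contents) or assert_file_contents[i] != first_file_contents[i]:` covers the longer-file case, and comparing the line counts of the two files up to the marker after the loop covers the shorter one. The `"sdk" in assert_file_contents[i]` substring skip is broad: it silences any line containing that string, which presumably could include an out_manifest entry before the marker if an output filename happens to contain "sdk" — anchoring the skip to the specific SDK input line would be safer. The body of verify() begins outside this hunk.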