2018-05-10 16:22:58 +00:00
#!/usr/bin/env python3
2022-12-24 23:49:50 +00:00
# Copyright (c) 2018-2022 The Bitcoin Core developers
2018-05-10 16:22:58 +00:00
# Distributed under the MIT software license, see the accompanying
# file COPYING or http://www.opensource.org/licenses/mit-license.php.
""" Verify commits against a trusted keys list. """
import argparse
import hashlib
2019-01-24 21:28:27 -06:00
import logging
2018-05-10 16:22:58 +00:00
import os
import subprocess
import sys
import time
GIT = os . getenv ( ' GIT ' , ' git ' )
def tree_sha512sum ( commit = ' HEAD ' ) :
""" Calculate the Tree-sha512 for the commit.
2019-08-16 08:20:39 +08:00
This is copied from github - merge . py . See https : / / github . com / bitcoin - core / bitcoin - maintainer - tools . """
2018-05-10 16:22:58 +00:00
# request metadata for entire tree, recursively
files = [ ]
blob_by_name = { }
for line in subprocess . check_output ( [ GIT , ' ls-tree ' , ' --full-tree ' , ' -r ' , commit ] ) . splitlines ( ) :
name_sep = line . index ( b ' \t ' )
metadata = line [ : name_sep ] . split ( ) # perms, 'blob', blobid
assert metadata [ 1 ] == b ' blob '
name = line [ name_sep + 1 : ]
files . append ( name )
blob_by_name [ name ] = metadata [ 2 ]
files . sort ( )
# open connection to git-cat-file in batch mode to request data for all blobs
# this is much faster than launching it per file
p = subprocess . Popen ( [ GIT , ' cat-file ' , ' --batch ' ] , stdout = subprocess . PIPE , stdin = subprocess . PIPE )
overall = hashlib . sha512 ( )
for f in files :
blob = blob_by_name [ f ]
# request blob
p . stdin . write ( blob + b ' \n ' )
p . stdin . flush ( )
# read header: blob, "blob", size
reply = p . stdout . readline ( ) . split ( )
assert reply [ 0 ] == blob and reply [ 1 ] == b ' blob '
size = int ( reply [ 2 ] )
# hash the blob data
intern = hashlib . sha512 ( )
ptr = 0
while ptr < size :
bs = min ( 65536 , size - ptr )
piece = p . stdout . read ( bs )
if len ( piece ) == bs :
intern . update ( piece )
else :
raise IOError ( ' Premature EOF reading git cat-file output ' )
ptr + = bs
dig = intern . hexdigest ( )
assert p . stdout . read ( 1 ) == b ' \n ' # ignore LF that follows blob data
# update overall hash with file hash
overall . update ( dig . encode ( " utf-8 " ) )
overall . update ( " " . encode ( " utf-8 " ) )
overall . update ( f )
overall . update ( " \n " . encode ( " utf-8 " ) )
p . stdin . close ( )
if p . wait ( ) :
raise IOError ( ' Non-zero return value executing git cat-file ' )
return overall . hexdigest ( )
def main ( ) :
2019-01-24 21:28:27 -06:00
# Enable debug logging if running in CI
if ' CI ' in os . environ and os . environ [ ' CI ' ] . lower ( ) == " true " :
logging . getLogger ( ) . setLevel ( logging . DEBUG )
2018-05-10 16:22:58 +00:00
# Parse arguments
parser = argparse . ArgumentParser ( usage = ' %(prog)s [options] [commit id] ' )
parser . add_argument ( ' --disable-tree-check ' , action = ' store_false ' , dest = ' verify_tree ' , help = ' disable SHA-512 tree check ' )
parser . add_argument ( ' --clean-merge ' , type = float , dest = ' clean_merge ' , default = float ( ' inf ' ) , help = ' Only check clean merge after <NUMBER> days ago (default: %(default)s ) ' , metavar = ' NUMBER ' )
parser . add_argument ( ' commit ' , nargs = ' ? ' , default = ' HEAD ' , help = ' Check clean merge up to commit <commit> ' )
args = parser . parse_args ( )
# get directory of this program and read data files
dirname = os . path . dirname ( os . path . abspath ( __file__ ) )
print ( " Using verify-commits data from " + dirname )
2022-04-26 14:39:07 -03:00
with open ( dirname + " /trusted-git-root " , " r " , encoding = " utf8 " ) as f :
verified_root = f . read ( ) . splitlines ( ) [ 0 ]
with open ( dirname + " /trusted-sha512-root-commit " , " r " , encoding = " utf8 " ) as f :
verified_sha512_root = f . read ( ) . splitlines ( ) [ 0 ]
with open ( dirname + " /allow-revsig-commits " , " r " , encoding = " utf8 " ) as f :
revsig_allowed = f . read ( ) . splitlines ( )
2022-05-05 13:27:11 -03:00
with open ( dirname + " /allow-unclean-merge-commits " , " r " , encoding = " utf8 " ) as f :
2022-04-26 14:39:07 -03:00
unclean_merge_allowed = f . read ( ) . splitlines ( )
with open ( dirname + " /allow-incorrect-sha512-commits " , " r " , encoding = " utf8 " ) as f :
incorrect_sha512_allowed = f . read ( ) . splitlines ( )
2023-02-07 12:27:32 -05:00
with open ( dirname + " /trusted-keys " , " r " , encoding = " utf8 " ) as f :
trusted_keys = f . read ( ) . splitlines ( )
2018-05-10 16:22:58 +00:00
# Set commit and branch and set variables
current_commit = args . commit
if ' ' in current_commit :
print ( " Commit must not contain spaces " , file = sys . stderr )
sys . exit ( 1 )
verify_tree = args . verify_tree
no_sha1 = True
prev_commit = " "
initial_commit = current_commit
2019-01-18 09:36:39 -06:00
branch = subprocess . check_output ( [ GIT , ' show ' , ' -s ' , ' --format= % H ' , initial_commit ] ) . decode ( ' utf8 ' ) . splitlines ( ) [ 0 ]
2018-05-10 16:22:58 +00:00
# Iterate through commits
while True :
2019-01-24 21:28:27 -06:00
# Log a message to prevent Travis from timing out
logging . debug ( " verify-commits: [in-progress] processing commit {} " . format ( current_commit [ : 8 ] ) )
2018-05-10 16:22:58 +00:00
if current_commit == verified_root :
print ( ' There is a valid path from " {} " to {} where all commits are signed! ' . format ( initial_commit , verified_root ) )
sys . exit ( 0 )
if current_commit == verified_sha512_root :
if verify_tree :
print ( " All Tree-SHA512s matched up to {} " . format ( verified_sha512_root ) , file = sys . stderr )
verify_tree = False
no_sha1 = False
os . environ [ ' BITCOIN_VERIFY_COMMITS_ALLOW_SHA1 ' ] = " 0 " if no_sha1 else " 1 "
2023-02-07 12:27:32 -05:00
allow_revsig = current_commit in revsig_allowed
2018-05-10 16:22:58 +00:00
# Check that the commit (and parents) was signed with a trusted key
2023-02-07 12:27:32 -05:00
valid_sig = False
verify_res = subprocess . run ( [ GIT , ' -c ' , ' gpg.program= {} /gpg.sh ' . format ( dirname ) , ' verify-commit ' , " --raw " , current_commit ] , capture_output = True )
for line in verify_res . stderr . decode ( ) . splitlines ( ) :
if line . startswith ( " [GNUPG:] VALIDSIG " ) :
key = line . split ( " " ) [ - 1 ]
valid_sig = key in trusted_keys
elif ( line . startswith ( " [GNUPG:] REVKEYSIG " ) or line . startswith ( " [GNUPG:] EXPKEYSIG " ) ) and not allow_revsig :
valid_sig = False
break
if not valid_sig :
2018-05-10 16:22:58 +00:00
if prev_commit != " " :
print ( " No parent of {} was signed with a trusted key! " . format ( prev_commit ) , file = sys . stderr )
print ( " Parents are: " , file = sys . stderr )
2019-01-18 09:36:39 -06:00
parents = subprocess . check_output ( [ GIT , ' show ' , ' -s ' , ' --format=format: % P ' , prev_commit ] ) . decode ( ' utf8 ' ) . splitlines ( ) [ 0 ] . split ( ' ' )
2018-05-10 16:22:58 +00:00
for parent in parents :
subprocess . call ( [ GIT , ' show ' , ' -s ' , parent ] , stdout = sys . stderr )
else :
print ( " {} was not signed with a trusted key! " . format ( current_commit ) , file = sys . stderr )
sys . exit ( 1 )
# Check the Tree-SHA512
if ( verify_tree or prev_commit == " " ) and current_commit not in incorrect_sha512_allowed :
tree_hash = tree_sha512sum ( current_commit )
2019-01-18 09:36:39 -06:00
if ( " Tree-SHA512: {} " . format ( tree_hash ) ) not in subprocess . check_output ( [ GIT , ' show ' , ' -s ' , ' --format=format: % B ' , current_commit ] ) . decode ( ' utf8 ' ) . splitlines ( ) :
2018-05-10 16:22:58 +00:00
print ( " Tree-SHA512 did not match for commit " + current_commit , file = sys . stderr )
sys . exit ( 1 )
# Merge commits should only have two parents
2019-01-18 09:36:39 -06:00
parents = subprocess . check_output ( [ GIT , ' show ' , ' -s ' , ' --format=format: % P ' , current_commit ] ) . decode ( ' utf8 ' ) . splitlines ( ) [ 0 ] . split ( ' ' )
2018-05-10 16:22:58 +00:00
if len ( parents ) > 2 :
print ( " Commit {} is an octopus merge " . format ( current_commit ) , file = sys . stderr )
sys . exit ( 1 )
# Check that the merge commit is clean
2019-01-18 09:36:39 -06:00
commit_time = int ( subprocess . check_output ( [ GIT , ' show ' , ' -s ' , ' --format=format: %c t ' , current_commit ] ) . decode ( ' utf8 ' ) . splitlines ( ) [ 0 ] )
2018-05-10 16:22:58 +00:00
check_merge = commit_time > time . time ( ) - args . clean_merge * 24 * 60 * 60 # Only check commits in clean_merge days
allow_unclean = current_commit in unclean_merge_allowed
if len ( parents ) == 2 and check_merge and not allow_unclean :
2019-01-18 09:36:39 -06:00
current_tree = subprocess . check_output ( [ GIT , ' show ' , ' --format= % T ' , current_commit ] ) . decode ( ' utf8 ' ) . splitlines ( ) [ 0 ]
2018-05-10 16:22:58 +00:00
subprocess . call ( [ GIT , ' checkout ' , ' --force ' , ' --quiet ' , parents [ 0 ] ] )
2018-11-26 10:22:36 -05:00
subprocess . call ( [ GIT , ' merge ' , ' --no-ff ' , ' --quiet ' , ' --no-gpg-sign ' , parents [ 1 ] ] , stdout = subprocess . DEVNULL )
2019-01-18 09:36:39 -06:00
recreated_tree = subprocess . check_output ( [ GIT , ' show ' , ' --format=format: % T ' , ' HEAD ' ] ) . decode ( ' utf8 ' ) . splitlines ( ) [ 0 ]
2018-05-10 16:22:58 +00:00
if current_tree != recreated_tree :
print ( " Merge commit {} is not clean " . format ( current_commit ) , file = sys . stderr )
subprocess . call ( [ GIT , ' diff ' , current_commit ] )
subprocess . call ( [ GIT , ' checkout ' , ' --force ' , ' --quiet ' , branch ] )
sys . exit ( 1 )
subprocess . call ( [ GIT , ' checkout ' , ' --force ' , ' --quiet ' , branch ] )
prev_commit = current_commit
current_commit = parents [ 0 ]
if __name__ == ' __main__ ' :
main ( )