Linux maintainer tooling and workflows
* [sig-prover] random tarball signature verification script
From: Konstantin Ryabitsev @ 2021-04-01 19:27 UTC (permalink / raw)
  To: tools, users

Hi, all:

I resurrected one of my previously unreleased helper scripts that I used to
run to randomly check signatures on various kernel tarballs. It will do the
following:

- download a random tarball from one of the frontend servers
- download its corresponding signature
- check the signature against a pre-defined local keyring
- complain to an email address if verification fails

I rewrote it in Python-3 and I'm making it public just in case others feel an
inkling to run it on their own.

Here it is in action, with the default config:

	[latest]
	  retrieving https://www.kernel.org/releases.json
	  retrieving https://sjc.edge.kernel.org/pub/linux/kernel/v5.x/linux-5.11.11.tar.sign
	  retrieving https://sjc.edge.kernel.org/pub/linux/kernel/v5.x/linux-5.11.11.tar.xz
		uncompressing xz
		verifying with ./sig-prover-keyrings/kernel.gpg
	  signature is good and valid (created: 2021-03-30)
	--- sleeping 60 seconds ---
	[git]
	  retrieving https://ewr.edge.kernel.org/pub/software/scm/git/sha256sums.asc
		verifying with ./sig-prover-keyrings/dirsigner.gpg
		checksums signature is good and valid (created: 2021-03-30)
	  retrieving https://ewr.edge.kernel.org/pub/software/scm/git/git-2.14.5.tar.sign
	  retrieving https://ewr.edge.kernel.org/pub/software/scm/git/git-2.14.5.tar.xz
		uncompressing xz
		verifying with ./sig-prover-keyrings/git.gpg
	  signature is good and valid (created: 2018-10-05)
	--- sleeping 60 seconds ---

The config is also easy to modify to monitor any other subdir, not just kernel
and git -- so if you want to keep an eye on other tools you release on
kernel.org, you can run your own checker with your own keyring.

You can find the tool here:
https://git.kernel.org/pub/scm/linux/kernel/git/mricon/korg-helpers.git/tree/sig-prover.py

(If you decide to run it, it's best to clone the entire repo so you get the
.conf and the default keyrings dir.)

Please report any problems to tools@linux.kernel.org.
As it's a pretty major rewrite, I expect it has bugs.

Regards,
-K


* Re: [sig-prover] random tarball signature verification script
From: Miguel Ojeda @ 2021-04-01 22:16 UTC (permalink / raw)
  To: tools, users

On Thu, Apr 1, 2021 at 9:27 PM Konstantin Ryabitsev
<konstantin@linuxfoundation.org> wrote:
>
> I resurrected one of my previously unreleased helper scripts that I used to
> run to randomly check signatures on various kernel tarballs. It will do the
> following:

Thanks for this! Curious: is it random because it helps avoid others
predicting when the checks would be done if run at a fixed
frequency & pattern?

Cheers,
Miguel


* Re: [sig-prover] random tarball signature verification script
From: Konstantin Ryabitsev @ 2021-04-02  0:38 UTC (permalink / raw)
  To: Miguel Ojeda; +Cc: tools, users

On Fri, Apr 02, 2021 at 12:16:05AM +0200, Miguel Ojeda wrote:
> > I resurrected one of my previously unreleased helper scripts that I used to
> > run to randomly check signatures on various kernel tarballs. It will do the
> > following:
> 
> Thanks for this! Curious: is it random because it helps avoid others
> predicting when the checks would be done if run at a fixed
> frequency & pattern?

Mostly, I didn't want it always starting from the top of the dir
listing, as that would likely result in some files being checked less
frequently than others. 

It does remember the files that have already been checked within the
same running session, so it should eventually check all of them before
it loops around -- but I think there may be a couple of logic bugs there
that need ironing out for that statement to be 100% accurate.

-K

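As an added illustration of the two mechanisms discussed in this thread (this is not the sig-prover.py code from the korg-helpers repo): streaming an xz-compressed tarball into gpg so the detached .tar.sign is checked against a pinned keyring, reducing gpg's status output to a verdict rather than trusting the exit code alone, and a random picker that remembers what it has checked in the session so every file is covered before it loops around. The keyring and file paths, the sample status lines and the fingerprint in them are constructed placeholders.

```python
import lzma
import random
import subprocess

# Status tokens gpg emits on --status-fd (documented in GnuPG's doc/DETAILS).
REQUIRED = ("GOODSIG", "VALIDSIG")
FAILURES = ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG")

# Constructed sample of a successful run; key id and fingerprint are placeholders.
SAMPLE_GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2021-03-30 "
    "1617120000 0 4 0 1 10 01 0123456789ABCDEF0123456789ABCDEF01234567\n"
)

def parse_gpg_status(status: str) -> dict:
    """Good only when GOODSIG and VALIDSIG both appear and no failure token does;
    also returns the signing fingerprint and signature creation date from VALIDSIG."""
    seen, fingerprint, created = set(), None, None
    for line in status.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        seen.add(fields[1])
        if fields[1] == "VALIDSIG" and len(fields) >= 4:
            fingerprint, created = fields[2], fields[3]
    good = all(t in seen for t in REQUIRED) and not any(t in seen for t in FAILURES)
    return {"good": good, "fingerprint": fingerprint, "created": created}

def verify_tar_xz(tarball: str, signature: str, keyring: str) -> dict:
    """The .tar.sign covers the uncompressed .tar, so feed xz-decoded bytes to gpg's
    stdin. keyring must be an absolute path; --no-default-keyring pins trust to it."""
    cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
           "--status-fd", "1", "--verify", signature, "-"]
    with lzma.open(tarball, "rb") as tar, subprocess.Popen(
            cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
            stderr=subprocess.DEVNULL) as proc:
        for chunk in iter(lambda: tar.read(1 << 20), b""):  # stream, don't buffer
            proc.stdin.write(chunk)
        proc.stdin.close()
        return parse_gpg_status(proc.stdout.read().decode())

def pick_unchecked(files, checked: set, rng=random):
    """Random pick among files not yet checked this session; once every file has
    been covered, forget the history so the next round starts fresh."""
    remaining = [f for f in files if f not in checked]
    if not remaining:
        checked.clear()
        remaining = list(files)
    choice = rng.choice(remaining)
    checked.add(choice)
    return choice
```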