[sig-prover] random tarball signature verification script

[sig-prover] random tarball signature verification script

[Konstantin Ryabitsev]

[-- Attachment #1: Type: text/plain, Size: 2012 bytes --]

Hi, all:

I resurrected one of my previously unreleased helper scripts that I used to
run to randomly check signatures on various kernel tarballs. It will do the
following:

- download a random tarball from one of the frontend servers
- download its corresponding signature
- check the signature against a pre-defined local keyring
- complain to an email address if verification fails

I rewrote it in Python-3 and I'm making it public just in case others feel an
inkling to run it on their own.

Here it is in action, with the default config:

	[latest]
	  retrieving https://www.kernel.org/releases.json
	  retrieving https://sjc.edge.kernel.org/pub/linux/kernel/v5.x/linux-5.11.11.tar.sign
	  retrieving https://sjc.edge.kernel.org/pub/linux/kernel/v5.x/linux-5.11.11.tar.xz
		uncompressing xz
		verifying with ./sig-prover-keyrings/kernel.gpg
	  signature is good and valid (created: 2021-03-30)
	--- sleeping 60 seconds ---
	[git]
	  retrieving https://ewr.edge.kernel.org/pub/software/scm/git/sha256sums.asc
		verifying with ./sig-prover-keyrings/dirsigner.gpg
		checksums signature is good and valid (created: 2021-03-30)
	  retrieving https://ewr.edge.kernel.org/pub/software/scm/git/git-2.14.5.tar.sign
	  retrieving https://ewr.edge.kernel.org/pub/software/scm/git/git-2.14.5.tar.xz
		uncompressing xz
		verifying with ./sig-prover-keyrings/git.gpg
	  signature is good and valid (created: 2018-10-05)
	--- sleeping 60 seconds ---

The config is also easy to modify to monitor any other subdir, not just kernel
and git -- so if you want to keep an eye on other tools you release on
kernel.org, you can run your own checker with your own keyring.

You can find the tool here:
https://git.kernel.org/pub/scm/linux/kernel/git/mricon/korg-helpers.git/tree/sig-prover.py

(If you decide to run it, it's best to clone the entire repo so you get the
.conf and the default keyrings dir.)

Please report any problems to tools@linux.kernel.org.
As it's a pretty major rewrite, I expect it has bugs.

Regards,
-K

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

Re: [sig-prover] random tarball signature verification script

[Miguel Ojeda]

On Thu, Apr 1, 2021 at 9:27 PM Konstantin Ryabitsev
<konstantin@linuxfoundation.org> wrote:
>
> I resurrected one of my previously unreleased helper scripts that I used to
> run to randomly check signatures on various kernel tarballs. It will do the
> following:

Thanks for this! Curious: is it random because it helps avoiding
others to predict when the checks would be done if run at fixed
frequency & pattern?

Cheers,
Miguel

Re: [sig-prover] random tarball signature verification script

[Konstantin Ryabitsev]

On Fri, Apr 02, 2021 at 12:16:05AM +0200, Miguel Ojeda wrote:
> > I resurrected one of my previously unreleased helper scripts that I used to
> > run to randomly check signatures on various kernel tarballs. It will do the
> > following:
> 
> Thanks for this! Curious: is it random because it helps avoiding
> others to predict when the checks would be done if run at fixed
> frequency & pattern?

Mostly, I didn't want it always starting from the top of the dir
listing, as that would likely result in some files being checked less
frequently than others. 

It does remember the files that have already been checked within the
same running session, so it should eventually check all of them before
it loops around -- but I think there may be a couple of logic bugs there
that need ironing out for that statement to be 100% accurate.

-K