From 617f52db3e65d7c1760e4882521ec67f8ff7cfd2 Mon Sep 17 00:00:00 2001
From: TheCharlatan
Date: Mon, 22 Jul 2019 00:41:20 +0200
Subject: [PATCH] Add script to make verifying the gitian signatures easy
---
 README.md | 9 +++++++
 verify-merge.py | 65 +++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 74 insertions(+)
 create mode 100755 verify-merge.py
diff --git a/README.md b/README.md
index f95dfaf..991921a 100644
--- a/README.md
+++ b/README.md
@@ -22,3 +22,12 @@ Example for release `v0.14.1.0`:
 v0.14.1.0-linux/${GH_USERNAME}/monero-linux-v0.14.1.0-build.assert
 v0.14.1.0-linux/${GH_USERNAME}/monero-linux-v0.14.1.0-build.assert.sig
 ```
+
+If you are committing for the first time, add your pgp public key to the gitian-pubkeys directory in armored ASCII format and a filename of `username.asc`.
+
+## Verifying Gitian Signatures
+
+The `verify-merge.py` script can be used to verify existing gitian sigs. For example to verify all the signatures on the v0.14.1.0 assert files, run `./verify-merge.py v0.14.1.0`. More information on how to use the script can be found by running `./verify-merge.py --help`.
+
+It is also possible to use the script to check the signatures of open pull requests. For example for pull request id 12 on github: `./verify-merge.py --pull_id 12 v0.14.1.0`. Be aware that running this will change the content of your git tree by creating a new `$pull_id_head` and `$pull_id_base` branch. The script deletes these branches again on exit.
+
diff --git a/verify-merge.py b/verify-merge.py
new file mode 100755
index 0000000..ecf634d
--- /dev/null
+++ b/verify-merge.py
@@ -0,0 +1,65 @@
+#!/usr/bin/env python3
+import argparse
+import os
+import subprocess
+import glob
+
+GIT = os.getenv('GIT','git')
+GPG = os.getenv('GPG','gpg')
+
+def verify():
+ global args, workdir
+ os.chdir('gitian-pubkeys')
+ print('Importing pubkeys...')
+ keys = [f for f in glob.glob("*.asc", recursive=True)]
+ for key in keys:
+ subprocess.check_call([GPG, '--import', key])
+ print('Refreshing pubkeys...')
+ subprocess.check_call([GPG, '--refresh'])
+ os.chdir('../../gitian-builder')
+ print('\nVerifying '+args.version+' Linux\n')
+ subprocess.check_call(['bin/gverify', '-v', '-d', '../gitian.sigs/', '-r', args.version+'-linux', '../monero/contrib/gitian/gitian-linux.yml'])
+ print('\nVerifying '+args.version+' Windows\n')
+ subprocess.check_call(['bin/gverify', '-v', '-d', '../gitian.sigs/', '-r', args.version+'-win', '../monero/contrib/gitian/gitian-win.yml'])
+ print('\nVerifying '+args.version+' MacOS\n')
+ subprocess.check_call(['bin/gverify', '-v', '-d', '../gitian.sigs/', '-r', args.version+'-osx', '../monero/contrib/gitian/gitian-osx.yml'])
+ os.chdir(workdir)
+
+def main():
+ host_repo = "git@github.com/monero-project/gitian.sigs"
+ global args, workdir
+ parser = argparse.ArgumentParser(usage='%(prog)s [options] version', description='Use this script before merging a pull request to the gitian.sigs repository and to verify the signature of existing gitian assert files and gitian assert files in specific pull requests')
+ parser.add_argument('-p', '--pull_id', dest='pull_id', help='Github Pull request id to check')
+ parser.add_argument('-r', '--remote', dest='remote', default='upstream', help='git remote repository')
+ parser.add_argument('-t', '--target_branch', dest='target_branch', default='master', help='Remote repository merge into branch')
+ parser.add_argument('-m', '--merge', action='store_true', dest='merge', help='Merge the given pull request id')
+ parser.add_argument('-o', '--no-verify', action='store_true', dest='no_verify', help='Do not run any signature verification')
+ parser.add_argument('-n', '--name', dest='name', help='username for pgp key verification')
+ parser.add_argument('version', help='Version number, commit, or branch to build.')
+
+ args = parser.parse_args()
+ workdir = os.getcwd()
+ if args.pull_id != None:
+ # Get branch from remote pull request and compare
+ head_branch = args.pull_id+'_head'
+
+ subprocess.check_call([GIT, 'fetch', args.remote])
+ subprocess.check_call([GIT, 'checkout', args.remote+'/'+args.target_branch])
+ subprocess.check_call([GIT, 'fetch','-q', args.remote, 'pull/'+args.pull_id+'/head:'+head_branch])
+ subprocess.check_call([GIT, 'checkout', '-f', head_branch])
+ if args.merge:
+ # Hard reset the target branch to the remote's state and merge the pull request's head branch into it
+ subprocess.check_call([GIT, 'checkout', args.target_branch])
+ subprocess.check_call([GIT, 'reset', '--hard', args.remote + '/' + args.target_branch])
+ print('Merging and signing pull request #' + args.pull_id + ' , if you are using a smartcard, confirm the signature now.')
+ subprocess.check_call([GIT, 'merge','-q', '--commit', '--no-edit', '-m', 'Merge pull request #'+args.pull_id+' into '+args.target_branch, '--no-ff', '--gpg-sign', head_branch])
+ if not args.no_verify:
+ verify()
+ subprocess.check_call([GIT, 'checkout', 'master'])
+ subprocess.check_call([GIT, 'branch', '-D', head_branch])
+ else:
+ verify()
+
+
+if __name__ == '__main__':
+ main()
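Review bot: The branch cleanup at the end of the `--pull_id` path in main (`git checkout master` followed by `git branch -D head_branch`) only runs when every preceding call succeeds; if gverify rejects a signature, check_call raises CalledProcessError and the script exits with the tree still on the pull request's head branch, the temporary branch left behind and the cwd still inside gitian-builder (verify() only restores workdir on success), which contradicts the README's "deletes these branches again on exit". Wrapping the checkout/merge/verify steps in try/finally and restoring workdir there fixes this, and the finally block can use `args.target_branch` instead of the hardcoded `'master'`; the fence below shows the shape. Separately, verify() imports every `*.asc` under gitian-pubkeys of whatever tree is currently checked out, so when a pull request is being checked the keys that pull request adds are trusted for its own signatures — worth a comment such as `# NOTE: keys are imported from the checked-out tree, so a PR can ship the key its signatures are checked against; review any new .asc file by hand` or importing the keys from the target branch before checking out the head branch. Also `-n/--name` and `host_repo` are defined but never read, and the README mentions a `$pull_id_base` branch that the script never creates.
```python
    if args.pull_id is not None:
        # Get branch from remote pull request and compare
        head_branch = args.pull_id + '_head'
        subprocess.check_call([GIT, 'fetch', args.remote])
        subprocess.check_call([GIT, 'checkout', args.remote + '/' + args.target_branch])
        subprocess.check_call([GIT, 'fetch', '-q', args.remote, 'pull/' + args.pull_id + '/head:' + head_branch])
        try:
            subprocess.check_call([GIT, 'checkout', '-f', head_branch])
            # … unchanged: optional --merge reset/merge/sign steps …
            if not args.no_verify:
                verify()
        finally:
            # Always leave the tree on the target branch and drop the temporary
            # head branch, even when gverify or a git step fails.
            os.chdir(workdir)
            subprocess.check_call([GIT, 'checkout', args.target_branch])
            subprocess.check_call([GIT, 'branch', '-D', head_branch])
    else:
        verify()
```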