scripts: release: add verification checks for signing keys

We need to make sure the release is being signed by a key that is
actually listed as a trusted signing key, and we also need to ask the
person cutting the release whether the list of trusted keys is
acceptable.

Also add some verification checks after a release is signed to make sure
everything was signed with the correct keys.

Signed-off-by: Aleksa Sarai <[email protected]>

script/release_sign.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright (C) 2017 SUSE LLC.
-# Copyright (C) 2017-2021 Open Containers Authors
+# Copyright (C) 2017-2023 SUSE LLC.
+# Copyright (C) 2017-2023 Open Containers Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-set -e
+set -Eeuo pipefail
 
 project="runc"
 root="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/..")"
@@ -28,15 +28,21 @@ function usage() {
 
 # Log something to stderr.
 function log() {
-	echo "[*] $*" >&2
+	echo "[*]" "$@" >&2
 }
 
 # Log something to stderr and then exit with 0.
-function bail() {
+function quit() {
 	log "$@"
 	exit 0
 }
 
+# Log something to stderr and then exit with 1.
+function bail() {
+	log "$@"
+	exit 1
+}
+
 # Conduct a sanity-check to make sure that GPG provided with the given
 # arguments can sign something. Inability to sign things is not a fatal error.
 function gpg_cansign() {
@@ -86,17 +92,47 @@ log "signing $project release in '$releasedir'"
 log "      key: ${keyid:-DEFAULT}"
 log "     hash: $hashcmd"
 
-# Make explicit what we're doing.
-set -x
-
 # Set up the gpgflags.
 gpgflags=()
 [[ "$keyid" ]] && gpgflags=(--default-key "$keyid")
-gpg_cansign "${gpgflags[@]}" || bail "Could not find suitable GPG key, skipping signing step."
+gpg_cansign "${gpgflags[@]}" || quit "Could not find suitable GPG key, skipping signing step."
+
+# Make explicit what we're doing.
+set -x
+
+# Check that the keyid is actually in the $project.keyring by signing a piece
+# of dummy text then verifying it against the list of keys in that keyring.
+tmp_gpgdir="$(mktemp -d --tmpdir "$project-sign-tmpkeyring.XXXXXX")"
+trap 'rm -r "$tmp_gpgdir"' EXIT
+
+tmp_runc_gpgflags=("--no-default-keyring" "--keyring=$tmp_gpgdir/$project.keyring")
+gpg "${tmp_runc_gpgflags[@]}" --import <"$root/$project.keyring"
+
+tmp_seccomp_gpgflags=("--no-default-keyring" "--keyring=$tmp_gpgdir/seccomp.keyring")
+gpg "${tmp_seccomp_gpgflags[@]}" --recv-keys 0x47A68FCE37C7D7024FD65E11356CE62C2B524099
+gpg "${tmp_seccomp_gpgflags[@]}" --recv-keys 0x7100AADFAE6E6E940D2E0AD655E45A5AE8CA7C8A
+
+gpg "${gpgflags[@]}" --clear-sign <<<"[This is test text used for $project release scripts. $(date --rfc-email)]" |
+	gpg "${tmp_runc_gpgflags[@]}" --verify || bail "Signing key ${keyid:-DEFAULT} is not in trusted $project.keyring list!"
+
+# Make sure the signer is okay with the list of keys in the keyring (once this
+# release is signed, distributions will trust this keyring).
+cat >&2 <<EOF
+== PLEASE VERIFY THE FOLLOWING KEYS ==
+
+The sources for this release will contain the following signing keys as
+"trusted", meaning that distributions may trust the keys to sign future
+releases. Please make sure that only authorised users' keys are listed.
+
+$(gpg "${tmp_runc_gpgflags[@]}" --list-keys)
+
+[ Press ENTER to continue. ]
+EOF
+read -r
 
 # Only needed for local signing -- change the owner since by default it's built
 # inside a container which means it'll have the wrong owner and permissions.
-[ -w "$releasedir" ] || sudo chown -R "$USER:$GROUP" "$releasedir"
+[ -w "$releasedir" ] || sudo chown -R "$(id -u):$(id -g)" "$releasedir"
 
 # Sign everything.
 for bin in "$releasedir/$project".*; do
@@ -106,3 +142,18 @@ done
 gpg "${gpgflags[@]}" --clear-sign --armor \
 	--output "$releasedir/$project.$hashcmd"{.tmp,} &&
 	mv "$releasedir/$project.$hashcmd"{.tmp,}
+
+# Verify that all the signatures and shasum are correct.
+pushd "$releasedir"
+
+# Verify project-signed detached signatures.
+find . -name "$project.*.asc" -print0 | xargs -0 -L1 gpg "${tmp_runc_gpgflags[@]}" --verify --
+
+# Verify shasum.
+"$hashcmd" -c "$project.$hashcmd"
+gpg "${tmp_runc_gpgflags[@]}" --verify "$project.$hashcmd"
+
+# Verify seccomp tarball.
+gpg "${tmp_seccomp_gpgflags[@]}" --verify libseccomp*.asc
+
+popd