Remove DCTLENV_PGP env var
parent
650e4cf331
commit
de5cd511d6
17
README.md
17
README.md
|
@ -73,9 +73,9 @@ No SHA256 hashes file available. Skipping SHA256 hash validation
|
|||
Installation of driftctl v0.2.3 successful. To make this your default version, run 'dctlenv use 0.2.3'
|
||||
```
|
||||
|
||||
For signed version of driftctl (starting v0.4.0) you can now install and verify digital signature with dctlenv.
|
||||
For signed version of driftctl (starting v0.10.0) you can now install and verify digital signature with dctlenv.
|
||||
|
||||
You will need first to import the public key of CloudSkiff and then use the environment variable `DCTLENV_PGP`.
|
||||
You just need to import the public key of CloudSkiff and have the gpg binary already installed.
|
||||
|
||||
```console
|
||||
# Import key
|
||||
|
@ -85,15 +85,15 @@ gpg: Total number processed: 1
|
|||
gpg: imported: 1
|
||||
|
||||
# Install and verify signature
|
||||
$ DCTLENV_PGP=1 dctlenv install 0.4.0
|
||||
Installing driftctl v0.4.0
|
||||
Downloading release tarball from https://github.com/snyk/driftctl/releases/download/v0.4.0/driftctl_darwin_amd64
|
||||
$ dctlenv install 0.10.0
|
||||
Installing driftctl v0.10.0
|
||||
Downloading release tarball from https://github.com/snyk/driftctl/releases/download/v0.10.0/driftctl_darwin_amd64
|
||||
######################################################################################################################## 100.0%
|
||||
Downloading SHA256 hashes file from https://github.com/snyk/driftctl/releases/download/v0.4.0/driftctl_SHA256SUMS
|
||||
Downloading SHA256 hashes file from https://github.com/snyk/driftctl/releases/download/v0.10.0/driftctl_SHA256SUMS
|
||||
SHA256 hash matched!
|
||||
Downloading SHA256 hashes signature file from https://github.com/snyk/driftctl/releases/download/v0.4.0/driftctl_SHA256SUMS.gpg
|
||||
Downloading SHA256 hashes signature file from https://github.com/snyk/driftctl/releases/download/v0.10.0/driftctl_SHA256SUMS.gpg
|
||||
PGP signature matched!
|
||||
Installation of driftctl v0.4.0 successful. To make this your default version, run 'dctlenv use 0.4.0'
|
||||
Installation of driftctl v0.10.0 successful. To make this your default version, run 'dctlenv use 0.10.0'
|
||||
```
|
||||
|
||||
### `dctlenv use [<version>]`
|
||||
|
@ -267,7 +267,6 @@ You can configure how `dctlenv` operates with the following settings:
|
|||
| `DCTLENV_ROOT` | | Defines the directory under which dctlenv resides<br> Current value shown by `dctlenv root` |
|
||||
| `DCTLENV_ARCH` | `amd64` | Architecture other than the default amd64 can be specified |
|
||||
| `DCTLENV_DEBUG` | `0` | Outputs debug information |
|
||||
| `DCTLENV_PGP` | `0` | Verify digital signatures |
|
||||
| `DCTLENV_CURL` | `0` | Curl download progress bar, 0 will run a -# curl and 1 will run a -s curl |
|
||||
|
||||
## Contributors ✨
|
||||
|
|
|
@ -15,3 +15,9 @@ curlw() {
|
|||
curl $TLS_OPT "$@"
|
||||
}
|
||||
export -f curlw
|
||||
|
||||
# Check if one version is lower or equal to another version
|
||||
version_le() {
|
||||
[ "$1" = "`echo -e "$1\n$2" | sort -V | head -n 1`" ]
|
||||
}
|
||||
export -f version_le
|
||||
|
|
|
@ -53,6 +53,14 @@ case "${DCTLENV_CURL:-0}" in
|
|||
;;
|
||||
esac
|
||||
|
||||
# By default we enable the PGP verification unless the
|
||||
# version is below or equal to 0.9.1
|
||||
pgp=1
|
||||
if version_le $version "0.9.1"; then
|
||||
pgp=0
|
||||
fi
|
||||
|
||||
driftctl_key="0xACC776A79C824EBD"
|
||||
driftctl_url="https://github.com/snyk/driftctl/releases/download"
|
||||
|
||||
echo "Installing driftctl v$version"
|
||||
|
@ -72,33 +80,42 @@ if [[ -f "$dst_path/driftctl_SHA256SUMS" ]]; then
|
|||
else
|
||||
echo 'No sha256sum tool available. Skipping SHA256 hash validation'
|
||||
fi
|
||||
if [ "${DCTLENV_PGP:-0}" -eq 0 ]; then
|
||||
if [ $pgp -eq 0 ]; then
|
||||
$(rm "$dst_path/driftctl_SHA256SUMS")
|
||||
fi
|
||||
else
|
||||
echo 'No SHA256 hashes file available. Skipping SHA256 hash validation'
|
||||
fi
|
||||
|
||||
if [ "${DCTLENV_PGP:-0}" -gt 0 ]; then
|
||||
bin_is_verified=0
|
||||
if [ $pgp -eq 1 ]; then
|
||||
gpg_bin="$(command -v gpg 2>/dev/null)"
|
||||
if [[ -n "$gpg_bin" ]]; then
|
||||
# Check if we have the key to verify the signature
|
||||
("$gpg_bin" --list-keys $driftctl_key) &>/dev/null \
|
||||
&& has_key=1 \
|
||||
|| has_key=0
|
||||
if [ $has_key -eq 1 ]; then
|
||||
echo "Downloading SHA256 hashes signature file from $driftctl_url/v$version/driftctl_SHA256SUMS.gpg"
|
||||
$(curlw -s -f -L -o "$dst_path/driftctl_SHA256SUMS.gpg" "$driftctl_url/v$version/driftctl_SHA256SUMS.gpg") || log_debug 'SHA256 hashes signature download failed'
|
||||
|
||||
if [[ -f "$dst_path/driftctl_SHA256SUMS.gpg" ]]; then
|
||||
gpg_bin="$(command -v gpg 2>/dev/null)"
|
||||
if [[ -n "$gpg_bin" ]]; then
|
||||
("$gpg_bin" --verify "$dst_path/driftctl_SHA256SUMS.gpg" "$dst_path/driftctl_SHA256SUMS") &>/dev/null \
|
||||
&& echo "PGP signature matched!" \
|
||||
&& echo "PGP signature matched!" && bin_is_verified=1 \
|
||||
|| log_error 'PGP signature rejected!'
|
||||
else
|
||||
echo 'No gpg tool available. Skipping signature validation'
|
||||
fi
|
||||
$(rm "$dst_path/driftctl_SHA256SUMS.gpg")
|
||||
else
|
||||
echo 'No SHA256 hashes signature file available. Skipping signature validation'
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
$(rm "$dst_path/driftctl_SHA256SUMS")
|
||||
fi
|
||||
|
||||
if [ $bin_is_verified -eq 0 ]; then
|
||||
echo 'Unable to verify the authenticity of the binary'
|
||||
fi
|
||||
|
||||
$(mv "$dst_path/driftctl_$os" "$dst_path/driftctl")
|
||||
$(chmod +x "$dst_path/driftctl") || log_error "Fail to make the binary executable"
|
||||
|
||||
|
|
|
@ -6,7 +6,6 @@ setup() {
|
|||
export DCTLENV_TMPDIR="$BATS_TMPDIR/dctlenv"
|
||||
export DCTLENV_TMPDIR="$(mktemp -d "$DCTLENV_TMPDIR.XXX" 2>/dev/null || echo "$DCTLENV_TMPDIR")"
|
||||
export DCTLENV_ROOT="$DCTLENV_TMPDIR"
|
||||
export DCTLENV_PGP=0
|
||||
|
||||
dctlenv-list-remote() {
|
||||
echo "0.1.0
|
||||
|
@ -16,9 +15,15 @@ setup() {
|
|||
0.2.2
|
||||
0.2.3
|
||||
0.3.0
|
||||
0.3.1"
|
||||
0.3.1
|
||||
0.10.0"
|
||||
}
|
||||
export -f dctlenv-list-remote;
|
||||
|
||||
version_le() {
|
||||
[ "$1" = "`echo -e "$1\n$2" | sort -V | head -n 1`" ]
|
||||
}
|
||||
export -f version_le
|
||||
}
|
||||
|
||||
@test "dctlenv install [<version>]: prints an error message if we try to install more than one version" {
|
||||
|
@ -83,6 +88,7 @@ Installing driftctl v0.3.1
|
|||
Downloading release tarball from https://github.com/snyk/driftctl/releases/download/v0.3.1/driftctl_linux_amd64
|
||||
Downloading SHA256 hashes file from https://github.com/snyk/driftctl/releases/download/v0.3.1/driftctl_SHA256SUMS
|
||||
No SHA256 hashes file available. Skipping SHA256 hash validation
|
||||
Unable to verify the authenticity of the binary
|
||||
Fail to make the binary executable
|
||||
OUT
|
||||
refute [ -e "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS" ]
|
||||
|
@ -105,6 +111,7 @@ Installing driftctl v0.3.1
|
|||
Downloading release tarball from https://github.com/snyk/driftctl/releases/download/v0.3.1/driftctl_linux_amd64
|
||||
Downloading SHA256 hashes file from https://github.com/snyk/driftctl/releases/download/v0.3.1/driftctl_SHA256SUMS
|
||||
No SHA256 hashes file available. Skipping SHA256 hash validation
|
||||
Unable to verify the authenticity of the binary
|
||||
Installation of driftctl v0.3.1 successful. To make this your default version, run 'dctlenv use 0.3.1'
|
||||
OUT
|
||||
refute [ -e "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS" ]
|
||||
|
@ -148,6 +155,7 @@ Installing driftctl v0.3.1
|
|||
Downloading release tarball from https://github.com/snyk/driftctl/releases/download/v0.3.1/driftctl_linux_amd64
|
||||
Downloading SHA256 hashes file from https://github.com/snyk/driftctl/releases/download/v0.3.1/driftctl_SHA256SUMS
|
||||
SHA256 hash matched!
|
||||
Unable to verify the authenticity of the binary
|
||||
Installation of driftctl v0.3.1 successful. To make this your default version, run 'dctlenv use 0.3.1'
|
||||
OUT
|
||||
refute [ -e "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS" ]
|
||||
|
@ -170,6 +178,7 @@ Installing driftctl v0.3.1
|
|||
Downloading release tarball from https://github.com/snyk/driftctl/releases/download/v0.3.1/driftctl_linux_amd64
|
||||
Downloading SHA256 hashes file from https://github.com/snyk/driftctl/releases/download/v0.3.1/driftctl_SHA256SUMS
|
||||
SHA256 hash matched!
|
||||
Unable to verify the authenticity of the binary
|
||||
Installation of driftctl v0.3.1 successful. To make this your default version, run 'dctlenv use 0.3.1'
|
||||
OUT
|
||||
refute [ -e "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS" ]
|
||||
|
@ -178,101 +187,112 @@ OUT
|
|||
@test "dctlenv install [<version>]: prints a success message if it can install the latest version" {
|
||||
uname() { echo "Linux"; }; export -f uname;
|
||||
curlw() {
|
||||
mkdir -p "$DCTLENV_TMPDIR/versions/0.3.1"
|
||||
touch "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_linux_amd64"
|
||||
(cd "$DCTLENV_TMPDIR/versions/0.3.1"; sha256sum * > "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS")
|
||||
mkdir -p "$DCTLENV_TMPDIR/versions/0.10.0"
|
||||
touch "$DCTLENV_TMPDIR/versions/0.10.0/driftctl_linux_amd64"
|
||||
(cd "$DCTLENV_TMPDIR/versions/0.10.0"; sha256sum * > "$DCTLENV_TMPDIR/versions/0.10.0/driftctl_SHA256SUMS")
|
||||
exit 0
|
||||
}; export -f curlw;
|
||||
gpg() { exit 0; }; export -f gpg;
|
||||
|
||||
run dctlenv install latest
|
||||
|
||||
assert_success
|
||||
assert_output <<OUT
|
||||
Installing driftctl v0.3.1
|
||||
Downloading release tarball from https://github.com/snyk/driftctl/releases/download/v0.3.1/driftctl_linux_amd64
|
||||
Downloading SHA256 hashes file from https://github.com/snyk/driftctl/releases/download/v0.3.1/driftctl_SHA256SUMS
|
||||
Installing driftctl v0.10.0
|
||||
Downloading release tarball from https://github.com/snyk/driftctl/releases/download/v0.10.0/driftctl_linux_amd64
|
||||
Downloading SHA256 hashes file from https://github.com/snyk/driftctl/releases/download/v0.10.0/driftctl_SHA256SUMS
|
||||
SHA256 hash matched!
|
||||
Installation of driftctl v0.3.1 successful. To make this your default version, run 'dctlenv use 0.3.1'
|
||||
Downloading SHA256 hashes signature file from https://github.com/snyk/driftctl/releases/download/v0.10.0/driftctl_SHA256SUMS.gpg
|
||||
No SHA256 hashes signature file available. Skipping signature validation
|
||||
Unable to verify the authenticity of the binary
|
||||
Installation of driftctl v0.10.0 successful. To make this your default version, run 'dctlenv use 0.10.0'
|
||||
OUT
|
||||
refute [ -e "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS" ]
|
||||
refute [ -e "$DCTLENV_TMPDIR/versions/0.10.0/driftctl_SHA256SUMS" ]
|
||||
}
|
||||
|
||||
@test "dctlenv install [<version>]: prints a missing hashes signature file" {
|
||||
uname() { echo "Linux"; }; export -f uname;
|
||||
curlw() {
|
||||
mkdir -p "$DCTLENV_TMPDIR/versions/0.3.1"
|
||||
touch "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_linux_amd64"
|
||||
(cd "$DCTLENV_TMPDIR/versions/0.3.1"; sha256sum * > "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS")
|
||||
mkdir -p "$DCTLENV_TMPDIR/versions/0.10.0"
|
||||
touch "$DCTLENV_TMPDIR/versions/0.10.0/driftctl_linux_amd64"
|
||||
(cd "$DCTLENV_TMPDIR/versions/0.10.0"; sha256sum * > "$DCTLENV_TMPDIR/versions/0.10.0/driftctl_SHA256SUMS")
|
||||
exit 0
|
||||
}; export -f curlw;
|
||||
gpg() { exit 0; }; export -f gpg;
|
||||
|
||||
DCTLENV_PGP=1 run dctlenv install 0.3.1
|
||||
run dctlenv install 0.10.0
|
||||
|
||||
assert_success
|
||||
assert_output <<OUT
|
||||
Installing driftctl v0.3.1
|
||||
Downloading release tarball from https://github.com/snyk/driftctl/releases/download/v0.3.1/driftctl_linux_amd64
|
||||
Downloading SHA256 hashes file from https://github.com/snyk/driftctl/releases/download/v0.3.1/driftctl_SHA256SUMS
|
||||
Installing driftctl v0.10.0
|
||||
Downloading release tarball from https://github.com/snyk/driftctl/releases/download/v0.10.0/driftctl_linux_amd64
|
||||
Downloading SHA256 hashes file from https://github.com/snyk/driftctl/releases/download/v0.10.0/driftctl_SHA256SUMS
|
||||
SHA256 hash matched!
|
||||
Downloading SHA256 hashes signature file from https://github.com/snyk/driftctl/releases/download/v0.3.1/driftctl_SHA256SUMS.gpg
|
||||
Downloading SHA256 hashes signature file from https://github.com/snyk/driftctl/releases/download/v0.10.0/driftctl_SHA256SUMS.gpg
|
||||
No SHA256 hashes signature file available. Skipping signature validation
|
||||
Installation of driftctl v0.3.1 successful. To make this your default version, run 'dctlenv use 0.3.1'
|
||||
Unable to verify the authenticity of the binary
|
||||
Installation of driftctl v0.10.0 successful. To make this your default version, run 'dctlenv use 0.10.0'
|
||||
OUT
|
||||
refute [ -e "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS" ]
|
||||
refute [ -e "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS.gpg" ]
|
||||
refute [ -e "$DCTLENV_TMPDIR/versions/0.10.0/driftctl_SHA256SUMS" ]
|
||||
refute [ -e "$DCTLENV_TMPDIR/versions/0.10.0/driftctl_SHA256SUMS.gpg" ]
|
||||
}
|
||||
|
||||
@test "dctlenv install [<version>]: prints an error message if the PGP signature check fails" {
|
||||
uname() { echo "Linux"; }; export -f uname;
|
||||
curlw() {
|
||||
mkdir -p "$DCTLENV_TMPDIR/versions/0.3.1"
|
||||
touch "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_linux_amd64"
|
||||
(cd "$DCTLENV_TMPDIR/versions/0.3.1"; sha256sum * > "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS")
|
||||
touch "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS.gpg"
|
||||
mkdir -p "$DCTLENV_TMPDIR/versions/0.10.0"
|
||||
touch "$DCTLENV_TMPDIR/versions/0.10.0/driftctl_linux_amd64"
|
||||
(cd "$DCTLENV_TMPDIR/versions/0.10.0"; sha256sum * > "$DCTLENV_TMPDIR/versions/0.10.0/driftctl_SHA256SUMS")
|
||||
touch "$DCTLENV_TMPDIR/versions/0.10.0/driftctl_SHA256SUMS.gpg"
|
||||
exit 0
|
||||
}; export -f curlw;
|
||||
gpg() { exit 1; }; export -f gpg;
|
||||
gpg() {
|
||||
if [ $1 == "--verify" ]; then
|
||||
exit 1
|
||||
fi
|
||||
exit 0
|
||||
}; export -f gpg;
|
||||
|
||||
DCTLENV_PGP=1 run dctlenv install 0.3.1
|
||||
run dctlenv install 0.10.0
|
||||
|
||||
assert_failure
|
||||
assert_output <<OUT
|
||||
Installing driftctl v0.3.1
|
||||
Downloading release tarball from https://github.com/snyk/driftctl/releases/download/v0.3.1/driftctl_linux_amd64
|
||||
Downloading SHA256 hashes file from https://github.com/snyk/driftctl/releases/download/v0.3.1/driftctl_SHA256SUMS
|
||||
Installing driftctl v0.10.0
|
||||
Downloading release tarball from https://github.com/snyk/driftctl/releases/download/v0.10.0/driftctl_linux_amd64
|
||||
Downloading SHA256 hashes file from https://github.com/snyk/driftctl/releases/download/v0.10.0/driftctl_SHA256SUMS
|
||||
SHA256 hash matched!
|
||||
Downloading SHA256 hashes signature file from https://github.com/snyk/driftctl/releases/download/v0.3.1/driftctl_SHA256SUMS.gpg
|
||||
Downloading SHA256 hashes signature file from https://github.com/snyk/driftctl/releases/download/v0.10.0/driftctl_SHA256SUMS.gpg
|
||||
PGP signature rejected!
|
||||
OUT
|
||||
assert [ -e "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS" ]
|
||||
assert [ -e "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS.gpg" ]
|
||||
assert [ -e "$DCTLENV_TMPDIR/versions/0.10.0/driftctl_SHA256SUMS" ]
|
||||
assert [ -e "$DCTLENV_TMPDIR/versions/0.10.0/driftctl_SHA256SUMS.gpg" ]
|
||||
}
|
||||
|
||||
@test "dctlenv install [<version>]: prints a success message if the PGP signature check matches" {
|
||||
uname() { echo "Linux"; }; export -f uname;
|
||||
curlw() {
|
||||
mkdir -p "$DCTLENV_TMPDIR/versions/0.3.1"
|
||||
touch "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_linux_amd64"
|
||||
(cd "$DCTLENV_TMPDIR/versions/0.3.1"; sha256sum * > "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS")
|
||||
touch "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS.gpg"
|
||||
mkdir -p "$DCTLENV_TMPDIR/versions/0.10.0"
|
||||
touch "$DCTLENV_TMPDIR/versions/0.10.0/driftctl_linux_amd64"
|
||||
(cd "$DCTLENV_TMPDIR/versions/0.10.0"; sha256sum * > "$DCTLENV_TMPDIR/versions/0.10.0/driftctl_SHA256SUMS")
|
||||
touch "$DCTLENV_TMPDIR/versions/0.10.0/driftctl_SHA256SUMS.gpg"
|
||||
exit 0
|
||||
}; export -f curlw;
|
||||
gpg() { exit 0; }; export -f gpg;
|
||||
|
||||
DCTLENV_PGP=1 run dctlenv install 0.3.1
|
||||
run dctlenv install 0.10.0
|
||||
|
||||
assert_success
|
||||
assert_output <<OUT
|
||||
Installing driftctl v0.3.1
|
||||
Downloading release tarball from https://github.com/snyk/driftctl/releases/download/v0.3.1/driftctl_linux_amd64
|
||||
Downloading SHA256 hashes file from https://github.com/snyk/driftctl/releases/download/v0.3.1/driftctl_SHA256SUMS
|
||||
Installing driftctl v0.10.0
|
||||
Downloading release tarball from https://github.com/snyk/driftctl/releases/download/v0.10.0/driftctl_linux_amd64
|
||||
Downloading SHA256 hashes file from https://github.com/snyk/driftctl/releases/download/v0.10.0/driftctl_SHA256SUMS
|
||||
SHA256 hash matched!
|
||||
Downloading SHA256 hashes signature file from https://github.com/snyk/driftctl/releases/download/v0.3.1/driftctl_SHA256SUMS.gpg
|
||||
Downloading SHA256 hashes signature file from https://github.com/snyk/driftctl/releases/download/v0.10.0/driftctl_SHA256SUMS.gpg
|
||||
PGP signature matched!
|
||||
Installation of driftctl v0.3.1 successful. To make this your default version, run 'dctlenv use 0.3.1'
|
||||
Installation of driftctl v0.10.0 successful. To make this your default version, run 'dctlenv use 0.10.0'
|
||||
OUT
|
||||
refute [ -e "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS" ]
|
||||
refute [ -e "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS.gpg" ]
|
||||
refute [ -e "$DCTLENV_TMPDIR/versions/0.10.0/driftctl_SHA256SUMS" ]
|
||||
refute [ -e "$DCTLENV_TMPDIR/versions/0.10.0/driftctl_SHA256SUMS.gpg" ]
|
||||
}
|
||||
|
||||
teardown() {
|
||||
|
|
Loading…
Reference in New Issue