-
Notifications
You must be signed in to change notification settings - Fork 2
/
verify.sh.clt
78 lines (64 loc) · 3.07 KB
/
verify.sh.clt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
#!/bin/sh
set -x
# Red Light Green Light validate.sh version <%= @ rlgl-version %>
# This validate feature is provided in source form for transparency
# and audit purposes.
# This script performs three important validations:
#
# - validate the server signature of the report using the server's
# public key
#
# - validate the client signature of the report using the client's
# public key
#
# - validate the transparency log entry for this report using
# rekor-cli
# ---- Identify the document for which we are performing validation -----------
DOC=<%= @ id %>
# ---- Error handling ---------------------------------------------------------
set -e
error_exit()
{
echo ERROR: ${1:-"Unknown Error"} 1>&2
exit 1
}
# ---- Verify that all required programs are installed ------------------------
awk --help > /dev/null 2>&1 || error_exit "Cannot run awk. Please install it."
for PROGRAM in "rekor-cli version" "openssl version" "curl --help" "grep --help" "base64 --help"; do
$PROGRAM > /dev/null 2>&1 || error_exit "Cannot run $(echo ${PROGRAM} | awk '{ printf $1 }'). Please install it."
done
# ---- Create names of temporary files and ensure deletion on exit ------------
TMPDIR="$(mktemp -d)"
trap 'rm -rf -- "$TMPDIR"' EXIT
DOCUMENT=${TMPDIR}/${DOC}
DIGEST=${TMPDIR}/${DOC}.digest
SERVER_PUBKEY=${TMPDIR}/rlgl.pem
SERVER_SIGNATURE=${TMPDIR}/${DOC}.digest.sig
CLIENT_SIGNATURE=${TMPDIR}/${DOC}.digest.csig
# ---- Download all artifacts -------------------------------------------------
curl -s <%= @ server-uri %>/pubkey > ${SERVER_PUBKEY}
curl -s <%= @ server-uri %>/doc?id=${DOC} > ${DOCUMENT}
cat ${DOCUMENT} | openssl dgst -sha3-256 - | awk '{ printf $2 }' > ${DIGEST}
curl -s <%= @ server-uri %>/doc?id=${DOC}.sig | base64 -d > ${SERVER_SIGNATURE}
curl -s <%= @ server-uri %>/doc?id=${DOC}.csig | base64 -d > ${CLIENT_SIGNATURE}
# ---- Validate the server signature of the document digest -------------------
echo Checking document server signature: $(openssl dgst -sha256 -verify ${SERVER_PUBKEY} -signature ${SERVER_SIGNATURE} ${DIGEST})
# ---- Checking client signature ----------------------------------------------
if [ -z "$RLGL_CLIENT_PUBKEY" ]; then
echo "Checking document client signature : Set the environment RLGL_CLIENT_PUBKEY to point at your public key"
else
echo "Checking document client signature :" $(cat ${DOCUMENT} | openssl dgst -sha3-256 -verify ${RLGL_CLIENT_PUBKEY} -signature ${CLIENT_SIGNATURE})
fi
# ---- Look up this document in rekor and print out the record ----------------
echo DEBUG
echo == DIGEST ====================================
cat ${DIGEST}
echo == SERVER_SIGNATURE ==========================
cat ${SERVER_SIGNATURE}
echo == SERVER_PUBKEY =============================
cat ${SERVER_PUBKEY}
echo ==============================================
# ---- Look up this document in rekor and print out the record ----------------
echo Searching for sigstore record:
HASH=$(rekor-cli verify --artifact ${DIGEST} --signature ${SERVER_SIGNATURE} --public-key ${SERVER_PUBKEY} --pki-format x509 | grep "Entry Hash:" | awk '{ printf $3 }')
rekor-cli get --uuid $HASH