script bugfixes
Some checks failed
/ Verify SSH keys (pull_request) Failing after 28s

- author casing
- trailing newline to make git recognize keys correctly
kleines Filmröllchen 2025-02-05 00:10:36 +01:00
parent b3a5c69e04
commit 3b5981d9cd
Signed by: filmroellchen
SSH key fingerprint: SHA256:UMhcHaeI+VGsiUL2Drpw3aj1iRiQUlx8nxZqUPvoaVw


@ -33,9 +33,10 @@ def last_commit_for(dir: Path, ref: git.Reference):
def keylist_to_principals(keyfile_text: str, email: str) -> str: def keylist_to_principals(keyfile_text: str, email: str) -> str:
# trailing newline, otherwise git may get confused and reject the key
return "\n".join( return "\n".join(
f"{email} {public_key}" for public_key in keyfile_text.splitlines() f"{email} {public_key}" for public_key in keyfile_text.splitlines()
) ) + "\n"
def get_forgejo_keys(username: str) -> str: def get_forgejo_keys(username: str) -> str:
@ -53,7 +54,8 @@ def verify_dir(dir: Path, ref: git.Reference):
raise Exception("Missing keyfile") raise Exception("Missing keyfile")
commit = last_commit_for(dir, ref) commit = last_commit_for(dir, ref)
log.debug(f"Found last commit: {commit.name_rev}") log.debug(f"Found last commit: {commit.name_rev}")
if commit.author.name != username: # ignore author casing
if commit.author.name.lower() != username.lower():
raise Exception( raise Exception(
f"Commit author {commit.author.name} is not the owner of this directory." f"Commit author {commit.author.name} is not the owner of this directory."
) )
@ -80,9 +82,10 @@ def verify_dir(dir: Path, ref: git.Reference):
config.set_value("gpg.ssh", "allowedSignersFile", temp_keyfile.name) config.set_value("gpg.ssh", "allowedSignersFile", temp_keyfile.name)
temp_keyfile_contents = keylist_to_principals(remote_keys, email) temp_keyfile_contents = keylist_to_principals(remote_keys, email)
log.debug(f"temp keyfile:\n{temp_keyfile_contents}")
temp_keyfile.write(temp_keyfile_contents) temp_keyfile.write(temp_keyfile_contents)
temp_keyfile.flush() temp_keyfile.flush()
log.debug(f"temp keyfile:\n{Path(temp_keyfile.name).read_text()}")
# Check whether one of the user keys signed this commit. # Check whether one of the user keys signed this commit.
# throws an exception automatically if verification fails, nothing else to do # throws an exception automatically if verification fails, nothing else to do
ref.repo.git.verify_commit("--raw", commit.hexsha) ref.repo.git.verify_commit("--raw", commit.hexsha)
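Review bot: The relaxed author check in the second hunk (`commit.author.name.lower() != username.lower()`) compares a field the committer sets freely, so its comment should say why ignoring case is safe, e.g. `# author name is unauthenticated metadata; compared case-insensitively because forge usernames are (confirm) - the signature check below is what proves ownership`. If non-ASCII usernames are possible, `casefold()` is a more reliable comparison than `lower()`. In the first hunk, `keyfile_text.splitlines()` still turns a blank line in the key response into an `email ` entry with no key, and an empty response now yields a lone `"\n"`; filtering with `if public_key.strip()` would keep the allowed-signers file well-formed. verify_dir starts and ends outside these hunks, so where `username`, `email` and `remote_keys` come from is not visible here.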