Merge pull request #5023 from cfromknecht/min-required-sigs-five

scripts/verify-install: require 5 of 7 signatures before accepting
Conner Fromknecht 2021-02-15 12:17:36 -08:00 committed by GitHub
commit fd3dd2cfff
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -172,6 +172,22 @@ for signature in $SIGNATURES; do
((NUM_CHECKS=NUM_CHECKS+1))
done
# We want at least five signatures (out of seven public keys) that sign the
# hashes of the binaries we have installed. If we arrive here without exiting,
# it means no signature manifests were uploaded (yet) with the correct naming
# pattern.
MIN_REQUIRED_SIGNATURES=5
if [[ $NUM_CHECKS -lt $MIN_REQUIRED_SIGNATURES ]]; then
echo "ERROR: Not enough valid signatures found!"
echo " Valid signatures found: $NUM_CHECKS"
echo " Valid signatures required: $MIN_REQUIRED_SIGNATURES"
echo
echo " Make sure the release $LND_VERSION contains the required "
echo " number of signatures on the manifest, or wait until more "
echo " signatures have been added to the release."
exit 1
fi
# Then make sure that the hash of the installed binaries can be found in the
# manifest that we now have verified the signatures for.
if ! grep -q "^$LND_SUM" "$MANIFEST"; then
@ -193,16 +209,4 @@ if ! grep -q "^$LNCLI_SUM" "$MANIFEST"; then
fi
echo ""
echo "Verified lnd and lncli hashes against $MANIFEST"
# We want at least one signature that signs the hashes of the binaries we have
# installed. If we arrive here without exiting, it means no signature manifests
# were uploaded (yet) with the correct naming pattern.
if [[ $NUM_CHECKS -lt 1 ]]; then
echo "ERROR: No valid signatures found!"
echo "Make sure the release $LND_VERSION contains any signatures for the manifest."
exit 1
fi
echo ""
echo "SUCCESS! Verified lnd and lncli against $NUM_CHECKS developer signature(s)."
echo "SUCCESS! Verified lnd and lncli against $MANIFEST signed by $NUM_CHECKS developers."
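Review bot: The new threshold check `if [[ $NUM_CHECKS -lt $MIN_REQUIRED_SIGNATURES ]]` in the first hunk compares a counter that is incremented once per entry in `$SIGNATURES`, so it appears to count signature files rather than distinct signers. The loop body that performs the verification starts outside the hunk, so it is not visible here whether two signature files made with the same key would count twice. For a 5-of-7 policy the count should be tied to unique key fingerprints; if the loop does not already guarantee that, record each verified fingerprint and compare the number of unique ones against `MIN_REQUIRED_SIGNATURES`. The comment above the check is also carried over from the one-signature version: reaching this point no longer means that no signature manifests were uploaded, so I would reword its second sentence to `# If fewer signatures than that verified, more may not have been uploaded yet.`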