Verify signed git tags/commits when cloning Zcash repository
parent
76eb7a3272
commit
a2c4dda3b3
|
@ -42,6 +42,9 @@ gpg_key_id: ''
|
||||||
|
|
||||||
# OPTIONAL set to import your SSH key into the VM. Example: id_rsa, id_ed25519. Assumed to reside in ~/.ssh
|
# OPTIONAL set to import your SSH key into the VM. Example: id_rsa, id_ed25519. Assumed to reside in ~/.ssh
|
||||||
ssh_key_name: ''
|
ssh_key_name: ''
|
||||||
|
|
||||||
|
# Set to true in order to verify signed git tags while cloning Zcash. Developer public keys will be imported to the Vagrant user's GPG keyring.
|
||||||
|
git_verify_sigs: false
|
||||||
```
|
```
|
||||||
|
|
||||||
Make sure VirtualBox, Vagrant and Ansible are installed, and then run:
|
Make sure VirtualBox, Vagrant and Ansible are installed, and then run:
|
||||||
|
|
|
@ -9,3 +9,16 @@ zcash_gitian_sigs_repo: https://github.com/zcash/gitian.sigs
|
||||||
zcash_version: master
|
zcash_version: master
|
||||||
gitian_host_ip: 10.0.2.15
|
gitian_host_ip: 10.0.2.15
|
||||||
lxc_guest_ip: 10.0.3.5
|
lxc_guest_ip: 10.0.3.5
|
||||||
|
zcash_developer_pubkeys:
|
||||||
|
- name: nathan
|
||||||
|
id: ED417FBE79C99E8C
|
||||||
|
- name: daira
|
||||||
|
id: 067F492098CF2762
|
||||||
|
- name: sean
|
||||||
|
id: 95684257D8F8B031
|
||||||
|
- name: jack
|
||||||
|
id: 0EC51FCDA94FB53E
|
||||||
|
- name: simon
|
||||||
|
id: C8F49C081F3AC6C4
|
||||||
|
- name: kevin
|
||||||
|
id: B604C32AD5D7C6D8
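Review bot: The `id` values added under `zcash_developer_pubkeys` are 16-hex-digit long key IDs, and nothing visible in this commit compares the downloaded key material against them, so the pin is weaker than it looks. In verify.yml the ID only names the staged file and is passed to set-trust.exp, while `gpg --import` takes in whatever keys the `.asc` file fetched by `name` contains. I would store the full fingerprint per developer, e.g. `fingerprint: '<FULL_40_HEX_FINGERPRINT>'` (placeholder), and have verify.yml fail when the imported key's fingerprint differs. Quoting the values (`id: 'ED417FBE79C99E8C'`) also keeps an all-digit or exponent-looking ID from being retyped by the YAML parser.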
|
||||||
|
|
|
@ -0,0 +1,7 @@
|
||||||
|
#!/usr/bin/expect
|
||||||
|
|
||||||
|
set timeout 5
|
||||||
|
spawn /usr/bin/gpg2 --edit-key $argv 0 --yes trust quit
|
||||||
|
expect "Your decision? " { send "5\n" }
|
||||||
|
expect "Do you really want to set this key to ultimate trust? (y/N) " { send "y\n" }
|
||||||
|
interact
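Review bot: Neither `expect` in this script has a `timeout` or `eof` branch, so if gpg2 prints a different prompt or cannot find the key, each one falls through after `set timeout 5` and the script can still exit 0, which the calling Ansible task would presumably report as success. Adding `timeout { exit 1 }` and `eof { exit 1 }` to both patterns and ending with `expect eof` instead of `interact` (which wants a terminal the Ansible run likely does not provide) makes a failed trust change visible. `$argv 0` looks like a leftover from `[lindex $argv 0]`; as written the literal `0` is passed to gpg2 as an extra argument. It is also worth confirming that ultimate trust (answer `5`) is needed at all, since it marks each developer key as if it were the user's own; `gpg --import-ownertrust` with one `<FULL_FINGERPRINT>:6:` line per key would set the same level without the expect dependency.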
|
|
@ -128,12 +128,17 @@
|
||||||
force: yes
|
force: yes
|
||||||
become_user: "{{ gitian_user }}"
|
become_user: "{{ gitian_user }}"
|
||||||
|
|
||||||
|
- include: verify.yml
|
||||||
|
tags: verify
|
||||||
|
when: git_verify_sigs == true
|
||||||
|
|
||||||
- name: Clone git repository for Zcash.
|
- name: Clone git repository for Zcash.
|
||||||
git:
|
git:
|
||||||
repo: "{{ zcash_git_repo_url }}"
|
repo: "{{ zcash_git_repo_url }}"
|
||||||
dest: "/home/{{ gitian_user }}/zcash"
|
dest: "/home/{{ gitian_user }}/zcash"
|
||||||
version: "{{ zcash_version }}"
|
version: "{{ zcash_version }}"
|
||||||
force: yes
|
force: yes
|
||||||
|
verify_commit: "{% if git_verify_sigs == true %}yes{% else %}no{% endif %}"
|
||||||
become_user: "{{ gitian_user }}"
|
become_user: "{{ gitian_user }}"
|
||||||
|
|
||||||
- name: Clone git repository for Gitian signatures.
|
- name: Clone git repository for Gitian signatures.
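Review bot: Both new conditions compare with `== true`, so a value that arrives as a string (for instance from `-e git_verify_sigs=true`) does not match; the include is then skipped and `verify_commit` renders `no` without any error. That is a fail-open for a security switch; `when: git_verify_sigs | bool` and `verify_commit: "{{ git_verify_sigs | bool }}"` treat the usual truthy spellings alike. The Gitian signatures clone that starts on the last line of the hunk continues outside it, so whether it also gets `verify_commit` cannot be seen here. A comment above the include such as `# Imports and trusts developer keys; must run before the verified clone below.` would document the ordering dependency.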
|
||||||
|
|
|
@ -0,0 +1,35 @@
|
||||||
|
---
|
||||||
|
- name: Install expect and GnuPG v2.
|
||||||
|
apt:
|
||||||
|
name: "{{ item }}"
|
||||||
|
state: present
|
||||||
|
with_items:
|
||||||
|
- expect
|
||||||
|
- gnupg2
|
||||||
|
|
||||||
|
- name: Copy trust-setting script.
|
||||||
|
copy:
|
||||||
|
src: set-trust.exp
|
||||||
|
dest: /usr/local/bin/set-trust.exp
|
||||||
|
mode: "0755"
|
||||||
|
|
||||||
|
- name: Download Zcash developer public keys from website.
|
||||||
|
become: yes
|
||||||
|
get_url:
|
||||||
|
url: "https://z.cash/gpg-pubkeys/{{ item.name }}.asc"
|
||||||
|
dest: "/tmp/{{ item.id }}.asc"
|
||||||
|
owner: "{{ gitian_user }}"
|
||||||
|
group: "{{ gitian_user }}"
|
||||||
|
mode: "0644"
|
||||||
|
with_items: "{{ zcash_developer_pubkeys }}"
|
||||||
|
|
||||||
|
- name: Import Zcash developer public keys.
|
||||||
|
command: "gpg --import /tmp/{{ item.id }}.asc"
|
||||||
|
become_user: "{{ gitian_user }}"
|
||||||
|
with_items: "{{ zcash_developer_pubkeys }}"
|
||||||
|
|
||||||
|
- name: Set Zcash developer public keys to ultimately trusted.
|
||||||
|
command: "set-trust.exp {{ item.id }}"
|
||||||
|
with_items: "{{ zcash_developer_pubkeys }}"
|
||||||
|
become_user: "{{ gitian_user }}"
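Review bot: The download task stages each key at `/tmp/{{ item.id }}.asc`, a predictable name in a world-writable directory, and `get_url` without `force: yes` keeps an existing file at `dest` instead of fetching it. A stale or pre-placed file there would be imported and then set to ultimate trust by the next two tasks. Staging the keys in a directory only `{{ gitian_user }}` can write and setting `force: yes` on the download closes that gap. The import task calls `gpg` while set-trust.exp spawns `/usr/bin/gpg2`; using one binary for both, and the one git invokes for verification, avoids the steps disagreeing about the keyring, which is worth confirming on the target image.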
|
||||||
|
|