+119

appview/commitverify/verify.go

reviewed

··· 1 1 + package commitverify 2 2 + 3 3 + import ( 4 4 + "fmt" 5 5 + "log" 6 6 + 7 7 + "github.com/go-git/go-git/v5/plumbing/object" 8 8 + "tangled.sh/tangled.sh/core/appview/db" 9 9 + "tangled.sh/tangled.sh/core/crypto" 10 10 + "tangled.sh/tangled.sh/core/types" 11 11 + ) 12 12 + 13 13 + type verifiedCommit struct { 14 14 + fingerprint string 15 15 + hash string 16 16 + } 17 17 + 18 18 + type VerifiedCommits map[verifiedCommit]struct{} 19 19 + 20 20 + func (vcs VerifiedCommits) IsVerified(hash string) bool { 21 21 + for vc := range vcs { 22 22 + if vc.hash == hash { 23 23 + return true 24 24 + } 25 25 + } 26 26 + return false 27 27 + } 28 28 + 29 29 + func (vcs VerifiedCommits) Fingerprint(hash string) string { 30 30 + for vc := range vcs { 31 31 + if vc.hash == hash { 32 32 + return vc.fingerprint 33 33 + } 34 34 + } 35 35 + return "" 36 36 + } 37 37 + 38 38 + func GetVerifiedObjectCommits(e db.Execer, emailToDid map[string]string, commits []*object.Commit) (VerifiedCommits, error) { 39 39 + ndCommits := []types.NiceDiff{} 40 40 + for _, commit := range commits { 41 41 + ndCommits = append(ndCommits, ObjectCommitToNiceDiff(commit)) 42 42 + } 43 43 + return GetVerifiedCommits(e, emailToDid, ndCommits) 44 44 + } 45 45 + 46 46 + func GetVerifiedCommits(e db.Execer, emailToDid map[string]string, ndCommits []types.NiceDiff) (VerifiedCommits, error) { 47 47 + vcs := VerifiedCommits{} 48 48 + 49 49 + didPubkeyCache := make(map[string][]db.PublicKey) 50 50 + 51 51 + for _, commit := range ndCommits { 52 52 + c := commit.Commit 53 53 + 54 54 + committerEmail := c.Committer.Email 55 55 + if did, exists := emailToDid[committerEmail]; exists { 56 56 + // check if we've already fetched public keys for this did 57 57 + pubKeys, ok := didPubkeyCache[did] 58 58 + if !ok { 59 59 + // fetch and cache public keys 60 60 + keys, err := db.GetPublicKeysForDid(e, did) 61 61 + if err != nil { 62 62 + log.Printf("failed to fetch pubkey for %s: %v", committerEmail, err) 63 63 + continue 64 64 + } 65 65 + pubKeys = keys 66 66 + didPubkeyCache[did] = pubKeys 67 67 + } 68 68 + 69 69 + // try to verify with any associated pubkeys 70 70 + for _, pk := range pubKeys { 71 71 + if _, ok := crypto.VerifyCommitSignature(pk.Key, commit); ok { 72 72 + 73 73 + fp, err := crypto.SSHFingerprint(pk.Key) 74 74 + if err != nil { 75 75 + log.Println("error computing ssh fingerprint:", err) 76 76 + } 77 77 + fmt.Println(fp) 78 78 + 79 79 + vc := verifiedCommit{fingerprint: fp, hash: c.This} 80 80 + vcs[vc] = struct{}{} 81 81 + break 82 82 + } 83 83 + } 84 84 + 85 85 + } 86 86 + } 87 87 + 88 88 + return vcs, nil 89 89 + } 90 90 + 91 91 + // ObjectCommitToNiceDiff is a compatibility function to convert a 92 92 + // commit object into a NiceDiff structure. 93 93 + func ObjectCommitToNiceDiff(c *object.Commit) types.NiceDiff { 94 94 + var niceDiff types.NiceDiff 95 95 + 96 96 + // set commit information 97 97 + niceDiff.Commit.Message = c.Message 98 98 + niceDiff.Commit.Author = c.Author 99 99 + niceDiff.Commit.This = c.Hash.String() 100 100 + niceDiff.Commit.Committer = c.Committer 101 101 + niceDiff.Commit.Tree = c.TreeHash.String() 102 102 + niceDiff.Commit.PGPSignature = c.PGPSignature 103 103 + 104 104 + changeId, ok := c.ExtraHeaders["change-id"] 105 105 + if ok { 106 106 + niceDiff.Commit.ChangedId = string(changeId) 107 107 + } 108 108 + 109 109 + // set parent hash if available 110 110 + if len(c.ParentHashes) > 0 { 111 111 + niceDiff.Commit.Parent = c.ParentHashes[0].String() 112 112 + } 113 113 + 114 114 + // XXX: Stats and Diff fields are typically populated 115 115 + // after fetching the actual diff information, which isn't 116 116 + // directly available in the commit object itself. 117 117 + 118 118 + return niceDiff 119 119 + }

-52

appview/repo/repo_util.go

reviewed

··· 4 4 "context" 5 5 "crypto/rand" 6 6 "fmt" 7 7 - "log" 8 7 "math/big" 9 8 10 9 "github.com/go-git/go-git/v5/plumbing/object" 11 11 - "tangled.sh/tangled.sh/core/appview/db" 12 12 - "tangled.sh/tangled.sh/core/crypto" 13 13 - "tangled.sh/tangled.sh/core/types" 14 10 ) 15 11 16 12 func uniqueEmails(commits []*object.Commit) []string { ··· 85 89 } 86 90 87 91 return emailToDidOrHandle 88 88 - } 89 89 - 90 90 - func verifiedObjectCommits(r *Repo, emailToDid map[string]string, commits []*object.Commit) (map[string]bool, error) { 91 91 - ndCommits := []types.NiceDiff{} 92 92 - for _, commit := range commits { 93 93 - ndCommits = append(ndCommits, types.ObjectCommitToNiceDiff(commit)) 94 94 - } 95 95 - return verifiedCommits(r, emailToDid, ndCommits) 96 96 - } 97 97 - 98 98 - func verifiedCommits(r *Repo, emailToDid map[string]string, ndCommits []types.NiceDiff) (map[string]bool, error) { 99 99 - hashToVerified := make(map[string]bool) 100 100 - 101 101 - didPubkeyCache := make(map[string][]db.PublicKey) 102 102 - 103 103 - for _, commit := range ndCommits { 104 104 - c := commit.Commit 105 105 - 106 106 - committerEmail := c.Committer.Email 107 107 - if did, exists := emailToDid[committerEmail]; exists { 108 108 - // check if we've already fetched public keys for this did 109 109 - pubKeys, ok := didPubkeyCache[did] 110 110 - if !ok { 111 111 - // fetch and cache public keys 112 112 - keys, err := db.GetPublicKeysForDid(r.db, did) 113 113 - if err != nil { 114 114 - log.Printf("failed to fetch pubkey for %s: %v", committerEmail, err) 115 115 - continue 116 116 - } 117 117 - pubKeys = keys 118 118 - didPubkeyCache[did] = pubKeys 119 119 - } 120 120 - 121 121 - verified := false 122 122 - 123 123 - // try to verify with any associated pubkeys 124 124 - for _, pk := range pubKeys { 125 125 - if _, ok := crypto.VerifyCommitSignature(pk.Key, commit); ok { 126 126 - verified = true 127 127 - break 128 128 - } 129 129 - } 130 130 - 131 131 - hashToVerified[c.This] = verified 132 132 - } 133 133 - } 134 134 - 135 135 - return hashToVerified, nil 136 92 } 137 93 138 94 func randomString(n int) string {

-30

types/diff.go

reviewed

··· 77 77 78 78 return files 79 79 } 80 80 - 81 81 - // ObjectCommitToNiceDiff is a compatibility function to convert a 82 82 - // commit object into a NiceDiff structure. 83 83 - func ObjectCommitToNiceDiff(c *object.Commit) NiceDiff { 84 84 - var niceDiff NiceDiff 85 85 - 86 86 - // set commit information 87 87 - niceDiff.Commit.Message = c.Message 88 88 - niceDiff.Commit.Author = c.Author 89 89 - niceDiff.Commit.This = c.Hash.String() 90 90 - niceDiff.Commit.Committer = c.Committer 91 91 - niceDiff.Commit.Tree = c.TreeHash.String() 92 92 - niceDiff.Commit.PGPSignature = c.PGPSignature 93 93 - 94 94 - changeId, ok := c.ExtraHeaders["change-id"] 95 95 - if ok { 96 96 - niceDiff.Commit.ChangedId = string(changeId) 97 97 - } 98 98 - 99 99 - // set parent hash if available 100 100 - if len(c.ParentHashes) > 0 { 101 101 - niceDiff.Commit.Parent = c.ParentHashes[0].String() 102 102 - } 103 103 - 104 104 - // XXX: Stats and Diff fields are typically populated 105 105 - // after fetching the actual diff information, which isn't 106 106 - // directly available in the commit object itself. 107 107 - 108 108 - return niceDiff 109 109 - }