feat(releasing): adding SHA512 and RSA signature validation script to verify releases #26278

merged 4 commits into from
Dec 18, 2023
linting
rusackas committed Dec 14, 2023
commit bf2f6c9b6e23fdcab7a8fadb04f4b67a9b475122
27 changes: 18 additions & 9 deletions RELEASING/verify_release.py
@@ -1,24 +1,28 @@
import re
import subprocess
import sys
import re

import requests

# Part 1: Verify SHA512 hash - this is the same as running `shasum -a 512 {release}` and comparing it against `{release}.sha512`


def get_sha512_hash(filename):
"""Run the shasum command on the file and return the SHA512 hash."""
result = subprocess.run(['shasum', '-a', '512', filename], stdout=subprocess.PIPE)
result = subprocess.run(["shasum", "-a", "512", filename], stdout=subprocess.PIPE)
sha512_hash = result.stdout.decode().split()[0]
return sha512_hash


def read_sha512_file(filename):
"""Read the corresponding .sha512 file and process its contents."""
sha_filename = filename + '.sha512'
with open(sha_filename, 'r') as file:
sha_filename = filename + ".sha512"
with open(sha_filename) as file:
lines = file.readlines()
processed_sha = ''.join(lines[1:]).replace(' ', '').replace('\n', '').lower()
processed_sha = "".join(lines[1:]).replace(" ", "").replace("\n", "").lower()
return processed_sha


def verify_sha512(filename):
"""Verify if the SHA512 hash of the file matches with the hash in the .sha512 file."""
sha512_hash = get_sha512_hash(filename)
Expand All @@ -29,15 +33,19 @@ def verify_sha512(filename):
else:
return "SHA failed"


# Part 2: Verify RSA key - this is the same as running `gpg --verify {release}.asc {release}` and comparing the RSA key and email address against the KEYS file


def get_gpg_info(filename):
"""Run the GPG verify command and extract RSA key and email address."""
asc_filename = filename + '.asc'
result = subprocess.run(['gpg', '--verify', asc_filename, filename], stderr=subprocess.PIPE, stdout=subprocess.PIPE)
asc_filename = filename + ".asc"
result = subprocess.run(
["gpg", "--verify", asc_filename, filename], capture_output=True
)
output = result.stderr.decode()

rsa_key = re.search(r'RSA key ([0-9A-F]+)', output)
rsa_key = re.search(r"RSA key ([0-9A-F]+)", output)
email = re.search(r'issuer "([^"]+)"', output)

rsa_key_result = rsa_key.group(1) if rsa_key else None
Expand All @@ -54,7 +62,7 @@ def get_gpg_info(filename):

def verify_rsa_key(rsa_key, email):
"""Fetch the KEYS file and verify if the RSA key and email match."""
url = 'https://downloads.apache.org/superset/KEYS'
url = "https://downloads.apache.org/superset/KEYS"
response = requests.get(url)
if response.status_code == 200:
if rsa_key not in response.text:
Expand Down Expand Up @@ -83,6 +91,7 @@ def verify_sha512_and_rsa(filename):
else:
print("GPG verification failed: RSA key or email not found")


if __name__ == "__main__":
if len(sys.argv) != 2:
print("Usage: python script.py <filename>")
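Review bot: The gpg result in `get_gpg_info` (hunk `@@ -29,15 +33,19 @@`) is parsed from human-readable stderr without consulting `result.returncode`, so a key id and email can be extracted from a run that verified nothing — gpg emits the `using RSA key …` line before it reports a bad signature or a missing public key, and that pair would then be checked against KEYS as though the signature were good. Gate the regexes on the exit status, e.g. `if result.returncode != 0:` followed by an early return of the same shape the collapsed tail of the function uses (presumably `None, None`, given `rsa_key_result = … else None`), or at minimum call `result.check_returncode()` right after `subprocess.run`. A sturdier source than the stderr text, which may also vary with the locale, is gpg's machine-readable status output (`--status-fd`) checked for a GOODSIG/VALIDSIG record, but the exit-status check is the minimum. `get_sha512_hash` in the first hunk has the same gap: a failing or absent `shasum` leaves `result.stdout` empty and `.split()[0]` raises IndexError instead of reporting a verification failure. The body of `get_gpg_info` continues past the hunk.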