fix: bake gpg keys in (#3318)

jdx · Dec 4, 2024 · dfd8bd7 · dfd8bd7
1 parent 62b3e7e
commit dfd8bd7
Show file tree

Hide file tree

Showing 10 changed files with 535 additions and 30 deletions.
diff --git a/src/assets/gpg/node.asc b/src/assets/gpg/node.asc
diff --git a/src/assets/gpg/swift.asc b/src/assets/gpg/swift.asc
@@ -0,0 +1,90 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQINBGGJWe0BEADGVbVhCEWnCMdAoxCaUaCPNomG5wdzw+sgx8FvqCFiGqYq/qzN
+ckaydk+XWfiDT/Vo/NjMYnUJ0+gdSua1X0IUGqQlATYhKSGTHqgab4nwDCym0nFl
+SBHPDgmMTNO57dHSGYduPjuisuhq7i0pybyn/oXuHAW5SIlz7bfpaz2jzFDY4xEP
+TXImllHOmTxBsDdwv2J+H158w1NSHJoHeXpPIse3VHlcwJVNeGYMiDx4Qw9TfaL5
+fI7GgjbcELCXw/pGjbiz/JFX7Fzm4snesnqwIG3TN4kH3BdKRNMFnyN3zNZxQTaZ
+LNCr3NCzhmmWTjeX5VSu6C+W8wuYRAThqJ42HpPR78zgv6pMnHgdhqquqAfL/Oid
+XlISbQ4bSdc1y8xkLb86pzwzrLV3LmHjJ3NAi9U1QXygW0ikTgbB9LPzaTSGVU+y
+0PMQ6JrRfSvyt5G7RmVzqm1ro8fkmeZBjNUf7GXCldn9linbhKzh/IvvPTYeNhIK
+T99giWSChvZyR950vE5a4WEYKV3taJRLCqXHH1d7FKC080pvPR9VsqWB/thQ48Vr
+dPleEa6O9IFMDudpOfsXTnHtnO7wKssN9RtxpotRukIhLGWxjHED3Rrt93T+IMQz
+kpKz+Tcz/koM8SuAcYX15N/jeW8BzgA6Y6ODI/OSAMBzMQUYME5S7F7xOwARAQAB
+tEZTd2lmdCBBdXRvbWF0aWMgU2lnbmluZyBLZXkgIzQgPHN3aWZ0LWluZnJhc3Ry
+dWN0dXJlQGZvcnVtcy5zd2lmdC5vcmc+iQJUBBMBCgA+AhsDBQsJCAcDBRUKCQgL
+BRYCAwEAAh4BAheAFiEE6BPIkoIKb6E3VbJo8WffGs+c4GkFAmVN6ZMFCQeG9qYA
+CgkQ8WffGs+c4Glz3BAAl1MjB02h+TNnnmHg0RWSGUzIBpFEXQ8ojoQFhudloVlu
+2zkdTzznXXpmuBH4QQTI0igPQyVQkOEXPAP05geeqOvlGm4wnwtw486Q5vTGxgn1
++WjS3OMHFFS4y0GiOciRtu6WhwFOv6c2eSLIOmoDDvsb4js+YqtZ3fFcim/6gmRX
+cKsEWzFyIcAxgm8iDks/sdqX2XQhkBuZ1bs3mOGGZnj8N2reNv0POJ/QTg9s5ydI
+2NylO66kDmsNu7z5jkLg/Ol7eGuYvzwKIvdasHU2kd9gCPX/6B7mmUSK8LIiD9UN
+D6wetgkT/ov9XhYWWKZxYM2sPJVhVRLkMZkNjxSS7GRWeYgkfca+xE2xm8KgbnpZ
+CC2F4b9g9tCLH5LW93SXL2pdurimE9pa26A0t8C7/CBwV2YkvUP3oBIVKH+vEB+m
+tS9H/VVaoflL/UPBPV7k1Nd8pgDxfUx+hDGW6wNrMyJSvykypWte5Xrk5q/TVTuZ
+wOZVyyH6mMxWPKyYiUU6rcFu9kMkRNodBB6E/IT/oQ2EFCBAbKAGeMWii4OJtwfu
+3W1lC4GFNCE5Ae6V5ew++5GjN+5fVJnjyY0rbKvLPHa+y0Rkojw+w6avXKmCF4JR
+iPwYZF0RD0fuidRNNDG8HIZZq9fTuC2RWpdAk403/j9ary56FYxsYqyZ5saMn4w=
+=RrPQ
+-----END PGP PUBLIC KEY BLOCK-----
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQINBFyUJhwBEADDBN6jVDScsgzfQDxSQga0Og4O3N/nIquwi/DGOgsAsTMWcVA1
+gmRJb792vWa9CmnHILl3ap8zObDSbcXg90nx+eCzWJjG+Ud5c7xuam96NR8ntKmU
+8+BbH/dp8zc9WJB37TiWcaLsddrn58zfm7Ml6P9M48WAeRJX8nxVBTw1SjXJurW0
+Ab8LOgfb60I09Skq72Ud7HaYJOG03iNTf6qLlF977OQsHCb21BnKSAmJqapUS96/
+VOngz7TBzYz4rntfetb8hg28WtUl1s5BQzWaFunkP03b8mPh3PL1SZxutwViVWBu
+hf9kJtx/MLb79fnuJEOus1FvDqJdpd83H+XmXMIDYWgcBIBVrLT5HDtRerjF178H
+okb1F+gboGIqhnx25xTPIYctSHPgJRScZp4WKrqQLKswAmSL4YJXnkXSff05l4gE
+WXQpEMLBZa46qmu8lj8HfoZSbP9lfvEtZ6A+Q3sfh3gjYPv7e6n37x22tSgvyzCb
+jHU1pA2rv10AHK7EIeEQElN+zCyAbmKuhPBiCyxDFg5Dx3xNkYwg9szBJ0KleVD4
++Y3PZJ4N+u+SSATYnHGtmzvkhiNtqJCCwuaqY+jjVObzzqvLLtGjtjxNUWi2X4He
+q+r2fubjCOW14UnQ06qfr3mVUSmuLSKs8BD8qTGuqlgcenGsY0bk0qUPcwARAQAB
+tD5Td2lmdCA1LnggUmVsZWFzZSBTaWduaW5nIEtleSA8c3dpZnQtaW5mcmFzdHJ1
+Y3R1cmVAc3dpZnQub3JnPokCPAQTAQoAJwIbAwULCQgHAwUVCgkICwUWAgMBAAIe
+AQIXgAUCZBiLlAUJC0bMeAAKCRCSXMHM7T0VYSogD/i38g/nf1JSDrWMWVKLzTWA
+MO9V9JR1wcxx3YNQmGPzUv+gdXgOv8kWSKSJ5zopTrWJg/AJ6etShX7HpjXeHULp
+aJGLohlMQuPCqD2+HvxpY67iA9i49owkzQI4gSIC6UwtCluWQCgcz2qE5zBWB1nK
+ImegSYn9mHIooJ9em4UwHdEDztWPYeB192M+Eq1+HK3BlEFDrMxWdzVuEQ+oGslm
+4Z5apV+r65fQa9T4rRxOpau8T9tKpXfaw+IzUDUE4PRTOyOkR8AOFm9hIg5KlV9z
+1bhDRS4Xpb6i3H91OyGROoB6QsTCmVGnSw35bzYjlOc5I1bAtqJu3EC30gV97kCj
+btm/cQLb+su/DEwjp4/lRtQagmRmHUuvJyPA+WNNiPYY/Ldzfy3w/SK4eJqM3Ctv
+iEs+btFLg4yXCBmL6UFZ4rmZ++x11DoW9l63b/9PJYPASXBGXamqsrMvX+IozjQ1
+CzlI8Pi5XwZfa/yAMiNXTveKItZJFUl4L4xMz2Fk6q8vByb5P2TziooTNtpjJedg
++W2ZNKatqZtvqowJlr9utWmogInrlv+YSLXN43kVt/X+Dbi1qzIE0FnApLPJEw+x
+nuahcoGN56UfxsdlmMDQ1QWs0Zp1DzXGOwAo9ciEIxrqlxR7N8rMluDv9vltVnZZ
+1p6hhnwu6nXqf83I5GJK
+=77jt
+-----END PGP PUBLIC KEY BLOCK-----
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQINBGbolYEBEADEvoijjZaq+5hLyiOHMns6+i/1mxczO5g9ZuXANYMI5uKXNgED
+dWoJRJV1DKwY+1f9oBdcEctD0um4LY6346p38SJOurk/zRqlEx25sAq0bbOn0epE
+BrOkHnmgBp+C5gWgrk+gKGjOXw63m2ipKp5joxP7QI7iplb7LRHnqOWqVFPF6c+A
+y5zq7/FFfECwHYdkS3IV8uYG0qPmKDYoJgqCbySGzbHTiawFt8OJS5xYqzhXrClh
+KMJf6orq8gNF4eBwa6FkyJFyPf/s8mbW3wREirL9DFinurMK68pUA7SDxLsegGgt
+2PVse5o+1TVcKTDTCV0v5gmiQyXIUzvB87GaJLVIEIwYb08jtSBMvVLdVIpWv6RJ
+bi7za2LvfaCBcpSAbqCtoq/lk9NYrXs8uiENxW0srIWoKoe6Gfvz0XvJEjJPIMNH
+cy/42Nt3kgn6V3lHTioTPhxyEJ8AZ+s7yIeVR5fYuxdlVwe6zhiwvGtjWLmjTZBY
+RbXayDV3ekNL3rEQ4qhXrvcmW0/v7n+vzf6a7Wog6R4pHr67BafM3v9M6jpu4Lqk
+mLyXU/lX1+VTzKz7vDCz8CXafYUP8wFYGGW73xzd6Kho8vya1E4WNg+UPnYcu2SV
+TkQe50I2Ik95QEAEdG3DJrLiGuLwH170KgeMYpWffNLtUNH1oCkh1lj8jQARAQAB
+tEVTd2lmdCA2LnggUmVsZWFzZSBTaWduaW5nIEtleSA8c3dpZnQtaW5mcmFzdHJ1
+Y3R1cmVAZm9ydW1zLnN3aWZ0Lm9yZz6JAj0EEwEKACcFAmbolYECGwMFCQPCZwAF
+CwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQ74CoZrR6mB/DIhAAnSHnGfRpr/0A
+98dWa2uM2tt4oGT1+SN+va544/vu6CAc9jhvS871GvHe25B5HL5S6MDF3dim3oQe
+zIGaIx3DUhbb0/JLeayL3NfhbCed5DX0W1XIQtksjYuHnvBRD+zrhcTQKqumR+LU
+NVOh6l4o2Ko+aAYc8mIm+HufryRKJSWup1ZnExEdcZZEzyY4kT0H1fxAIWWU3NI1
+LDtq1O0Wl5CTUHU7mI/h2eWrxFDg4SmfV9dv4uBXyvxherHEhImJXceQ4ZkxvYGF
+amXjlNzIr8c6y/IE8Q775nkfG5+4Gt+bGIJqxeSzfc4wq+txMa85TtRpgSthgqFi
++yQx5qghs3y8Pqj3kDatJB41oQZ221WbBRc2uvFDMWUaOtJ/pRymCN54FUwxUm6U
+aM4VTWbGw0es1QRO+Px25Thoh8a5a3Fu0s9fa1sDJOUYSc7vfyRUfqNOVv5g8rnS
+sPTmOGGjrjxWHA0oL7B5hxCR+/jBhw+6mLu18qwGI7YpgyZYSzowPY+LrMm/J973
+SyUtlCb2o42WhDR9FsX0AGvLhZpxy4Q7br7Pa2RXwmWEaxZik0iQ2Sg4pEvL5tVd
+aFIUvVsFlayfXSBCZVjH0uyh0Vkk1ERZpSmxkRWgzp5MRIfkP5eh9009uhEUmxHV
+Yih/un915S6ObH32x1IbJfi0cGK1NUA=
+=sWSN
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/src/env.rs b/src/env.rs
@@ -124,6 +124,9 @@ pub static MISE_BIN_NAME: Lazy<&str> = Lazy::new(|| filename(&ARGV0));
 pub static MISE_LOG_FILE: Lazy<Option<PathBuf>> = Lazy::new(|| var_path("MISE_LOG_FILE"));
 pub static MISE_LOG_FILE_LEVEL: Lazy<Option<LevelFilter>> = Lazy::new(log_file_level);
 
+pub static HTTP_PROXY: Lazy<Option<String>> =
+    Lazy::new(|| var("https_proxy").or_else(|_| var("http_proxy")).ok());
+
 pub static __USAGE: Lazy<Option<String>> = Lazy::new(|| var("__USAGE").ok());
 
 // true if running inside a shim

diff --git a/src/git.rs b/src/git.rs
@@ -1,4 +1,4 @@
-use std::env;
+use crate::env;
 use std::fmt::Debug;
 use std::path::{Path, PathBuf};
 
@@ -260,11 +260,11 @@ impl Git {
     }
 }
 
-fn get_fetch_options() -> Result<git2::FetchOptions<'static>> {
+fn get_fetch_options() -> Result<FetchOptions<'static>> {
     let mut fetch_options = FetchOptions::new();
-    if let Ok(proxy_url) = env::var("https_proxy").or_else(|_| env::var("http_proxy")) {
+    if let Some(proxy_url) = env::HTTP_PROXY.as_ref() {
         let mut proxy_options = ProxyOptions::new();
-        proxy_options.url(&proxy_url);
+        proxy_options.url(proxy_url);
         fetch_options.proxy_options(proxy_options);
     }
     Ok(fetch_options)

diff --git a/src/gpg.rs b/src/gpg.rs
@@ -0,0 +1,20 @@
+use crate::cmd::CmdLineRunner;
+use crate::install_context::InstallContext;
+use crate::Result;
+
+pub fn add_keys_node(ctx: &InstallContext) -> Result<()> {
+    add_keys(ctx, include_str!("assets/gpg/node.asc"))
+}
+
+pub fn add_keys_swift(ctx: &InstallContext) -> Result<()> {
+    add_keys(ctx, include_str!("assets/gpg/swift.asc"))
+}
+
+fn add_keys(ctx: &InstallContext, keys: &str) -> Result<()> {
+    CmdLineRunner::new("gpg")
+        .arg("--quiet")
+        .arg("--import")
+        .stdin_string(keys)
+        .with_pr(ctx.pr.as_ref())
+        .execute()
+}
diff --git a/src/main.rs b/src/main.rs
@@ -39,6 +39,7 @@ mod fake_asdf;
 mod file;
 mod git;
 pub(crate) mod github;
+mod gpg;
 mod hash;
 mod hook_env;
 mod hooks;
@@ -70,6 +71,7 @@ mod versions_host;
 mod watch_files;
 
 pub(crate) use crate::exit::exit;
+pub(crate) use crate::result::Result;
 pub(crate) use crate::toolset::install_state;
 use crate::ui::multi_progress_report::MultiProgressReport;
 

diff --git a/src/plugins/core/node.rs b/src/plugins/core/node.rs
@@ -10,7 +10,7 @@ use crate::http::{HTTP, HTTP_FETCH};
 use crate::install_context::InstallContext;
 use crate::toolset::ToolVersion;
 use crate::ui::progress_report::SingleReport;
-use crate::{env, file, hash, http, plugins};
+use crate::{env, file, gpg, hash, http, plugins};
 use eyre::{bail, ensure, Result};
 use serde_derive::Deserialize;
 use std::collections::BTreeMap;
@@ -205,21 +205,7 @@ impl NodePlugin {
         let sig_file = shasums_file.with_extension("asc");
         let sig_url = format!("{}.sig", self.shasums_url(v)?);
         HTTP.download_file(sig_url, &sig_file, Some(ctx.pr.as_ref()))?;
-        CmdLineRunner::new("gpg")
-            .arg("--keyserver")
-            .arg("hkps://keys.openpgp.org")
-            .arg("--recv-keys")
-            .arg("--quiet")
-            .arg("C0D6248439F1D5604AAFFB4021D900FFDB233756") // Antoine du Hamel
-            .arg("DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7") // Juan José Arboleda
-            .arg("CC68F5A3106FF448322E48ED27F5E38D5B0A215F") // Marco Ippolito
-            .arg("8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600") // Michaël Zasso
-            .arg("890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4") // Rafael Gonzaga
-            .arg("C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C") // Richard Lau
-            .arg("108F52B48DB57BB0CC439B2997B01419BD92F80A") // Ruy Adorno
-            .arg("A363A499291CBBC940DD62E41F10027AF002F8B0") // Ulises Gascón
-            .with_pr(ctx.pr.as_ref())
-            .execute()?;
+        gpg::add_keys_node(ctx)?;
         CmdLineRunner::new("gpg")
             .arg("--quiet")
             .arg("--trust-model")

diff --git a/src/plugins/core/swift.rs b/src/plugins/core/swift.rs
@@ -6,7 +6,7 @@ use crate::http::HTTP;
 use crate::install_context::InstallContext;
 use crate::toolset::ToolVersion;
 use crate::ui::progress_report::SingleReport;
-use crate::{env, file, github, plugins};
+use crate::{env, file, github, gpg, plugins};
 use eyre::Result;
 use std::path::{Path, PathBuf};
 use tempfile::tempdir_in;
@@ -109,15 +109,7 @@ impl SwiftPlugin {
                 .println("gpg not found, skipping verification".to_string());
             return Ok(());
         }
-        self.gpg(ctx)
-            .arg("--quiet")
-            .arg("--keyserver")
-            .arg("hkp://keyserver.ubuntu.com")
-            .arg("--recv-keys")
-            .arg("E813 C892 820A 6FA1 3755 B268 F167 DF1A CF9C E069")
-            .arg("A62A E125 BBBF BB96 A6E0 42EC 925C C1CC ED3D 1561")
-            .arg("52BB 7E3D E28A 71BE 22EC 05FF EF80 A866 B47A 981F")
-            .execute()?;
+        gpg::add_keys_swift(ctx)?;
         let sig_path = PathBuf::from(format!("{}.sig", tarball_path.to_string_lossy()));
         HTTP.download_file(format!("{}.sig", url(tv)), &sig_path, Some(ctx.pr.as_ref()))?;
         self.gpg(ctx)

diff --git a/tasks.md b/tasks.md
@@ -71,6 +71,10 @@ run a command inside of development docker container
 
 - **Usage**: `docs:setup`
 
+## `fetch-gpg-keys`
+
+- **Usage**: `fetch-gpg-keys`
+
 ## `filetask`
 
 - **Usage**: `filetask [-f --force] [-u --user <user>] [file] [arg_with_default]`

diff --git a/xtasks/fetch-gpg-keys b/xtasks/fetch-gpg-keys
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+set -euxo pipefail
+
+NODE_FINGERPRINTS=(
+  "C0D6248439F1D5604AAFFB4021D900FFDB233756" # Antoine du Hamel
+  "DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7" # Juan José Arboleda
+  "CC68F5A3106FF448322E48ED27F5E38D5B0A215F" # Marco Ippolito
+  "8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600" # Michaël Zasso
+  "890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4" # Rafael Gonzaga
+  "C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C" # Richard Lau
+  "108F52B48DB57BB0CC439B2997B01419BD92F80A" # Ruy Adorno
+  "A363A499291CBBC940DD62E41F10027AF002F8B0" # Ulises Gascón
+)
+
+rm -rf src/assets/gpg
+mkdir -p src/assets/gpg
+for fingerprint in "${NODE_FINGERPRINTS[@]}"; do
+  curl -fLSs "https://keys.openpgp.org/vks/v1/by-fingerprint/$fingerprint" >> "src/assets/gpg/node.asc"
+done
+curl -fLSs "https://swift.org/keys/automatic-signing-key-4.asc" >> src/assets/gpg/swift.asc
+curl -fLSs "https://swift.org/keys/release-key-swift-5.x.asc" >> src/assets/gpg/swift.asc
+curl -fLSs "https://swift.org/keys/release-key-swift-6.x.asc" >> src/assets/gpg/swift.asc