CI: verify donation addresses are signed

monero-project · Oct 18, 2024 · 892f77b · 892f77b
1 parent 5d5bf86
commit 892f77b
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 1 deletion.
diff --git a/.github/workflows/hashes.yaml b/.github/workflows/hashes.yaml
@@ -5,10 +5,12 @@ on:
     paths:
       - 'downloads/hashes.txt'
       - '_data/downloads.yml'
+      - '_data/contributing.yml'
   pull_request:
     paths:
       - 'downloads/hashes.txt'
       - '_data/downloads.yml'
+      - '_data/contributing.yml'
 jobs:
   validate-hashes:
     name: Validate Hashes
@@ -19,11 +21,39 @@ jobs:
         run: |
           sudo apt-get install -y --no-install-recommends curl gpg jq python3-pip
           sudo pip3 install yq
-      - name: Verify hashes.txt signature
+      - name: Verify hashes.txt + contributing.yml signature
         run: |
           curl -sL https://raw.githubusercontent.com/monero-project/monero/master/utils/gpg_keys/binaryfate.asc |
             gpg --import
           gpg --verify downloads/hashes.txt
+          # signed by myself for testing purposes only
+          curl -sL https://raw.githubusercontent.com/plowsof/pgp/refs/heads/main/plowsofsmol.asc | gpg --import
+          gpg --verify _data/contributing.yml.asc
+      - name: Verify General Fund donation QR's
+        run: |
+          yaml="_data/contributing.yml"
+          get_yaml_value() {
+              awk -v key="$1:" '$1 == key {print $2}' "$yaml"
+          }
+          for coin in xmr btc; do
+              qr_checksum=$(get_yaml_value "qr_${coin}_checksum")
+              qr_filename=$(get_yaml_value "qr_${coin}_filename")
+              qr_content=$(get_yaml_value "qr_${coin}_content")
+              echo "DEBUG: $qr_checksum $qr_filename"
+              echo "DEBUG: $qr_content"
+              # Confirm hashes match
+              echo "$qr_checksum $qr_filename" | sha256sum -c
+              # Scan QR content 
+              qr_scanned=$(zbarimg -q --raw "$qr_filename")
+              # Compare scanned content with expected content
+              if [ "$qr_scanned" = "$qr_content" ]; then
+                  echo "${coin^^} QR code content matches exactly"
+              else
+                  echo "${coin^^} QR code content does not match"
+                  echo "Scanned: $qr_scanned"
+                  echo "Expected: $qr_content"
+              fi
+          done
       - name: Verify filenames
         run: |
           lines="$(grep -v ^# downloads/hashes.txt)"

diff --git a/_data/contributing.yml b/_data/contributing.yml
@@ -0,0 +1,9 @@
+address_xmr: 888tNkZrPN6JsEgekjMnABU4TBzc2Dt29EPAvkRxbANsAnjyPbb3iQ1YBRk1UXcdRsiKc9dhwMVgN5S9cQUiyoogDavup3H
+address_btc: 1KTexdemPdxSBcG55heUuTjDRYqbC5ZL8H
+address_openalias: donate.getmonero.org
+view_address: 44AFFq5kSiGBoZ4NMDwYtN18obc8AemS33DBLWs3H7otXft3XjrpDtQGv7SqSsaBYBb98uNbr2VBBEt7f2wfn3RVGQBEP3A
+view_key: f359631075708155cc3d92a32b75a7d02a5dcf27756707b47a2b31b21c389501
+qr_xmr_filename: img/donate-monero.png
+qr_xmr_checksum: cf6cb49cf98726a40b860a6bb19df77df724a3e8e1ccb039adf8432de1509911
+qr_btc_filename: img/donate-bitcoin.png
+qr_btc_checksum: ef2b0e59e401caad2393cb11f50dfc29b364e0af0fd5683012fe0abded608655