diff --git a/.github/workflows/gt-update.yml b/.github/workflows/gt-update.yml
index 93189c2..7a452b4 100644
--- a/.github/workflows/gt-update.yml
+++ b/.github/workflows/gt-update.yml
@@ -5,7 +5,7 @@
 # \__/\__/\_, /\___/_//_/\_,_/_/ It is licensed under European Union Public License v. 1.2
 # /___/ Please report bugs and contribute back your improvements
 #
-# Version: v1.0.2
+# Version: v1.0.3
 ###################################
 name: "gt update"
 on:
@@ -40,8 +40,8 @@ jobs:
 echo "public key trusted" && \
 mkdir ./gpg && \
 gpg --homedir ./gpg --import ./signing-key.public.asc && \
- wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.2/install.sh" && \
- wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.2/install.sh.sig" && \
+ wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.3/install.sh" && \
+ wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.3/install.sh.sig" && \
 gpg --homedir ./gpg --verify ./install.sh.sig ./install.sh && \
 chmod +x ./install.sh && \
 echo "verification successful" || (printf >&2 "\033[0;31mERROR\033[0m: verification failed, don't continue !!"; exit 1) && \
@@ -79,8 +79,8 @@ jobs:
 echo "public key trusted" && \
 mkdir ./gpg && \
 gpg --homedir ./gpg --import ./signing-key.public.asc && \
- wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.2/install.sh" && \
- wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.2/install.sh.sig" && \
+ wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.3/install.sh" && \
+ wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.3/install.sh.sig" && \
 gpg --homedir ./gpg --verify ./install.sh.sig ./install.sh && \
 chmod +x ./install.sh && \
 echo "verification successful" || (printf >&2 "\033[0;31mERROR\033[0m: verification failed, don't continue !!"; exit 1) && \
@@ -141,35 +141,32 @@ jobs: set -euo pipefail currentDir="$(pwd)" signingKey=".gt/signing-key.public.asc" - if ! [[ -f "$currentDir/$signingKey" ]]; then - echo "$signingKey does not exist in this repo" - return 0 - fi - - tmpDir=$(mktemp -d -t gt-check-gpg-XXXXXXXXXX) - gpg --homedir "$tmpDir" --import "$currentDir/$signingKey" - - - limitTimestamp=$(date -d "+3 month" +%s) - limitDate=$(date -d "@$limitTimestamp" +"%Y-%m-%dT%H:%M:%S") - echo "checking if the following public keys defined in $signingKey are valid until $limitDate" - gpg --homedir "$tmpDir" --list-keys \ - --list-options show-sig-expire,show-unusable-subkeys,show-unusable-uids,show-usage,show-user-notations \ - --keyid-format LONG - echo "" + if [[ -f "$currentDir/$signingKey" ]]; then + tmpDir=$(mktemp -d -t gt-check-gpg-XXXXXXXXXX) + gpg --homedir "$tmpDir" --import "$currentDir/$signingKey" - expired=0 - while read -r key; do - keyId=$(cut -d ':' -f5 <<<"$key") - expirationTimestamp=$(cut -d ':' -f7 <<<"$key") - if (( expirationTimestamp < $limitTimestamp )); then - expirationDate=$(date -d "@$((expirationTimestamp + 0))" +"%Y-%m-%dT%H:%M:%S") - printf >&2 "\033[0;31mERROR\033[0m: expiration date (%s) of key %s is before the given limit %s\n" "$expirationDate" "$keyId" "$limitDate" - ((++expired)) - fi - done < <(gpg --homedir "$tmpDir" --list-keys --list-options show-unusable-subkeys --with-colons | grep -E '^(pub|sub)') - [[ $expired -eq 0 ]] + limitTimestamp=$(date -d "+3 month" +%s) + limitDate=$(date -d "@$limitTimestamp" +"%Y-%m-%dT%H:%M:%S") + echo "checking if the following public keys defined in $signingKey are valid until $limitDate" + gpg --homedir "$tmpDir" --list-keys \ + --list-options show-sig-expire,show-unusable-subkeys,show-unusable-uids,show-usage,show-user-notations \ + --keyid-format LONG + echo "" + expired=0 + while read -r key; do + keyId=$(cut -d ':' -f5 <<<"$key") + expirationTimestamp=$(cut -d ':' -f7 <<<"$key") + if (( expirationTimestamp < $limitTimestamp )); then + 
expirationDate=$(date -d "@$((expirationTimestamp + 0))" +"%Y-%m-%dT%H:%M:%S") + printf >&2 "\033[0;31mERROR\033[0m: expiration date (%s) of key %s is before the given limit %s\n" "$expirationDate" "$keyId" "$limitDate" + ((++expired)) + fi + done < <(gpg --homedir "$tmpDir" --list-keys --list-options show-unusable-subkeys --with-colons | grep -E '^(pub|sub)') + [[ $expired -eq 0 ]] + else + echo "$signingKey does not exist in this repo, nothing to check" + fi trusted_keys: name: "Check trusted-key(s)" diff --git a/.gt/remotes/gt/pulled.tsv b/.gt/remotes/gt/pulled.tsv index 45c4a76..ae36aa2 100644 --- a/.gt/remotes/gt/pulled.tsv +++ b/.gt/remotes/gt/pulled.tsv @@ -1,3 +1,3 @@ #@ Version: 1.1.0 tag file relativeTarget tagFilter sha512 -v1.0.2 .github/workflows/gt-update.yml ../.github/workflows/gt-update.yml .* 18ccdb1dd544a47a939e342747d9436c5e9e7b121001b0c8f331b7792799c93e172d4ac1cdef1f566d5bad52ac4bc55983c157ae4b7885d63d40fc4a1a71ebb2 +v1.0.3 .github/workflows/gt-update.yml ../.github/workflows/gt-update.yml .* cc2ac667bbc089731622efa32b780bf7c784ba82bccad4d3c7e83becb27b9f744dea3d4ec5a7bfdaf2c500df2d2fdc78a681d8bead19f2c29cd6c7abc09dcb9f
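Review bot: In the `while read -r key` loop of the `@@ -141,35 +141,32 @@` hunk, a key or subkey with no expiration date has an empty field 7 in the `--with-colons` output, so `(( expirationTimestamp < $limitTimestamp ))` evaluates it as 0 and the step fails with a misleading 1970-01-01 expiry. If such keys are meant to be rejected, say so explicitly before the comparison, e.g. `[[ -n "$expirationTimestamp" ]] || { printf >&2 "key %s has no expiration date\n" "$keyId"; ((++expired)); continue; }`; if they are meant to pass, a plain `[[ -n "$expirationTimestamp" ]] || continue` is enough. The loop also reads only fields 5 and 7, so a key whose validity field (field 2) is `r` (revoked) would pass as long as its expiry is far enough out; it is worth confirming whether this check should cover revocation too. The step's script starts above the hunk, so I cannot see whether the `mktemp -d` GnuPG home is cleaned up elsewhere, but nothing in the new branch removes it.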