8ba7dc1dc9
Rework the whole trust handling by acquiring the trust status from actual assumptions related to the amount of ownertrust signatures and revocations.
35 lines
1.3 KiB
Python
35 lines
1.3 KiB
Python
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
from os import environ
|
|
from pathlib import Path
|
|
from typing import List
|
|
|
|
from .git import git_changed_files
|
|
from .keyring import verify
|
|
from .util import get_parent_cert_paths
|
|
|
|
|
|
def ci(working_dir: Path, keyring_root: Path, project_root: Path) -> None:
|
|
"""Verify certificates against modern expectations using sq-keyring-linter and hokey
|
|
|
|
Currently only newly added certificates will be checked against the expectations as existing
|
|
keys are not all fully compatible with those assumptions.
|
|
New certificates are determined by using $CI_MERGE_REQUEST_DIFF_BASE_SHA as the base,
|
|
|
|
Parameters
|
|
----------
|
|
working_dir: A directory to use for temporary files
|
|
keyring_root: The keyring root directory to look up username shorthand sources
|
|
project_root: Path to the root of the git repository
|
|
"""
|
|
|
|
ci_merge_request_diff_base = environ.get("CI_MERGE_REQUEST_DIFF_BASE_SHA")
|
|
created, deleted, changed = git_changed_files(
|
|
git_path=project_root, base=f"{ci_merge_request_diff_base}", paths=[Path("keyring")]
|
|
)
|
|
|
|
added_certificates: List[Path] = list(get_parent_cert_paths(paths=created))
|
|
|
|
if added_certificates:
|
|
verify(working_dir=working_dir, keyring_root=keyring_root, sources=added_certificates)
|