Skip to content

CI: add pgp keys expiry check #10112

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Aug 15, 2025
Merged

CI: add pgp keys expiry check #10112

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
29bfeb2
scripts: add pgp keys expire check
GustavoStingelin Aug 14, 2025
7ba28c4
CI: add pgp keys expire check
GustavoStingelin Aug 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions .github/workflows/release.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,22 @@ env:
GO_VERSION: 1.23.12

jobs:
########################
# Check release signing keys
########################
pgp-key-expiration-check:
name: Check release signing key expirations
runs-on: ubuntu-latest
steps:
- name: Git checkout
uses: actions/checkout@v4

- name: Check PGP key expirations
run: scripts/check-pgp-expiry.sh

########################
# Create release
########################
main:
name: Release build
runs-on: ubuntu-latest
Expand Down
129 changes: 129 additions & 0 deletions scripts/check-pgp-expiry.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,129 @@
#!/bin/bash

# Validates PGP keys in the scripts/keys directory by checking their expiration
# status and signing capabilities. It iterates through all .asc files and uses
# GPG to parse key information.

set -euo pipefail
shopt -s nullglob

error() {
RED='\033[0;31m'
NC='\033[0m' # No Color
echo -e "${RED}ERROR: $1${NC}"
exit_code=1
}

# Check if a key has expired or is expiring soon
# Args: $1 = expiry timestamp, $2 = key_info
# Returns: 0 if key is valid or has no expiry, 1 if expired/expiring soon
check_key_expiry() {
local expiry="$1"
local key_info="$2"

# If expiry is empty, the key does not expire.
if [[ -z "$expiry" ]]; then
echo "INFO: $key_info does not expire"
return 0
fi

# Convert expiry timestamp to human readable date for logging.
local expiry_date
if ! expiry_date=$(date -d "@$expiry" "+%Y-%m-%d" 2>/dev/null \
|| date -r "$expiry" "+%Y-%m-%d" 2>/dev/null); then
error "Invalid expiry timestamp for $key_info $expiry"
return 1
fi

if (( expiry < $(date +%s) )); then
echo "WARN: $key_info has already expired ($expiry_date)"
return 1
fi

if (( expiry < EXPIRE_THRESHOLD )); then
echo "WARN: $key_info expires soon ($expiry_date)"
return 1
fi

echo "INFO: $key_info is valid until $expiry_date"
return 0
}

echo
echo "Starting PGP key validation..."

KEY_DIR="./scripts/keys"
if [[ ! -d "$KEY_DIR" ]]; then
error "Directory $KEY_DIR does not exist"
exit $exit_code
fi

key_files=("$KEY_DIR"/*.asc)
if (( ${#key_files[@]} == 0 )); then
error "No PGP keys found in $KEY_DIR"
exit $exit_code
fi

# 2 weeks = 14 days * (24 hours * 60 minutes * 60 seconds).
EXPIRE_THRESHOLD=$(($(date +%s) + 14 * 86400))
exit_code=0

echo "Found ${#key_files[@]} key file(s) in $KEY_DIR"
echo

for key_file in "${key_files[@]}"; do
echo "────────────────────────────────────────────────────────────────────"
echo "Checking $(basename "$key_file")..."

gpg_output=$(gpg --with-colons --import-options show-only \
--import "$key_file" 2>&1 | grep -E '^(pub|sub):')

key_name=$(basename "$key_file")

# Parse GPG output line by line to find key type, id, expiry and
# capabilities.
valid_sign_key_found=false
while IFS=: read -r type _ _ _ id _ expiry _ _ _ _ capabilities _; do
if [[ "$valid_sign_key_found" == true ]]; then
# If we already found a valid signing key, skip further checks for
# this keychain.
break
fi

key_info="$type:$id ($capabilities)"

# Check primary key expiry.
if [[ "$type" == "pub" ]] &&
! check_key_expiry "$expiry" "$key_info"; then
error "$key_info primary key is invalid"
break
fi

# Filter out keys that cannot sign releases.
if ! [[ "$capabilities" =~ [sS] ]]; then
continue
fi

# Check sub key expiry.
if [[ "$type" == "sub" ]] &&
! check_key_expiry "$expiry" "$key_info"; then
continue
fi

# If we reach here, we have a valid signing key.
valid_sign_key_found=true
done <<< "$gpg_output"

if [[ "$valid_sign_key_found" == false ]]; then
error "$key_name does not have any valid sign key"
fi
done

echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
if [[ $exit_code -eq 0 ]]; then
echo "All PGP keys are valid and ready for use!"
else
error "Some PGP keys have issues that need attention."
fi

exit $exit_code
Loading