freedomofpress / securedrop-builder

Packaging logic for building SecureDrop-related Debian packages
GNU General Public License v3.0

Add script to check newly added packages against buildinfo files #423

Closed legoktm closed 1 year ago

legoktm commented 1 year ago

buildinfo files contain package checksums in a machine-readable format, so add a script that checks newly added packages against those.

This will be added to CI for securedrop-apt-test and securedrop-apt-prod.

The main iffy part of this is how it compares against "origin/main", but I think for PRs it'll mostly do the right thing. We only check new packages because old ones don't have buildinfo published. Maybe once we no longer have any legacy cases left, we just check everything in the repository.

Likely there are more checks that could be added, but this is a start.

Refs https://github.com/freedomofpress/securedrop/issues/6356.

legoktm commented 1 year ago

https://github.com/freedomofpress/securedrop-apt-test/pull/188 shows the script in action in CI against the new Linux packages. From the log:

OK: got expected checksum 58c91237ec828dd058730329c4530c597f22edf96f8a4013027bcc622f37c968 for linux-headers-5.15.98-1-grsec-securedrop_5.15.98-1-grsec-securedrop-1_amd64.deb
OK: got expected checksum cb32a3331314c3bc499428c54fc5bc633aac101baac85000ecf1d64f7ebdf51f for linux-headers-5.15.98-1-grsec-workstation_5.15.98-1-grsec-workstation-1_amd64.deb
OK: got expected checksum 55183b23009ae59ecf289e2d4a8016b97b861ec6877afab8a0089603d830e831 for linux-image-5.15.98-1-grsec-securedrop_5.15.98-1-grsec-securedrop-1_amd64.deb
OK: got expected checksum b9c0e2b85269e03989f63623cb87d90e5bd73b4e6d3b01caf6066e57e3973507 for linux-image-5.15.98-1-grsec-workstation_5.15.98-1-grsec-workstation-1_amd64.deb
OK: got expected checksum f2d50860cef1a4ee898bac57b4d5f3c041192d922c420d6593461c3768870db8 for securedrop-grsec_5.15.98-1-grsec-securedrop-1_amd64.deb
OK: got expected checksum e3c87f843af381c32fdbd98614706b8bb2df8d8341e6bd7b1646e359e7bbadba for securedrop-workstation-grsec_5.15.98-1-grsec-workstation-1_amd64.deb
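The check described in this PR, as an added example that is not the script from the PR: it reads the `Checksums-Sha256` field of a `.buildinfo` file and compares each `.deb` against it, failing closed when a package has no entry. The function names and the sample package names and contents are constructed for illustration; it does not verify any signature on the buildinfo file itself.

```python
import hashlib
import tempfile
from pathlib import Path


def parse_sha256_field(buildinfo_text):
    """Return {filename: sha256} from the Checksums-Sha256 field of a .buildinfo."""
    checksums, in_field = {}, False
    for line in buildinfo_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line.startswith((" ", "\t")):
            # Continuation line of the field: "<sha256> <size> <filename>"
            digest, _size, name = line.split()
            checksums[name] = digest
        elif in_field:
            break  # next field (or signature block) begins, the list is over
    return checksums


def check_packages(debs, buildinfo_text):
    """Hash each .deb and compare it to the buildinfo; return [(name, status)]."""
    expected = parse_sha256_field(buildinfo_text)
    results = []
    for deb in debs:
        actual = hashlib.sha256(deb.read_bytes()).hexdigest()
        if deb.name not in expected:
            results.append((deb.name, "MISSING"))   # no buildinfo entry: fail closed
        elif expected[deb.name] != actual:
            results.append((deb.name, "MISMATCH"))  # file differs from what was built
        else:
            results.append((deb.name, "OK"))
    return results


def demo():
    """Run the check on constructed files: one good, one altered, one unlisted."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "example_1.0_amd64.deb"
        bad = Path(tmp) / "tampered_1.0_amd64.deb"
        orphan = Path(tmp) / "unlisted_1.0_amd64.deb"
        good.write_bytes(b"constructed package contents")
        bad.write_bytes(b"modified after build")
        orphan.write_bytes(b"no buildinfo entry")
        buildinfo = (  # constructed sample, trimmed to the fields that matter here
            "Format: 1.0\nSource: example\nVersion: 1.0\nChecksums-Sha256:\n"
            f" {hashlib.sha256(b'constructed package contents').hexdigest()} 28 {good.name}\n"
            f" {hashlib.sha256(b'as built').hexdigest()} 8 {bad.name}\n"
            "Build-Origin: Debian\n"
        )
        return check_packages([good, bad, orphan], buildinfo)
```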