From ff32bba077c4a9ad6d4de6c10d6c83de12c3dd38 Mon Sep 17 00:00:00 2001
From: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>
Date: Tue, 5 May 2020 12:12:45 -0500
Subject: [PATCH] use a temporary gpg keyring

Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>
---
 scripts/get-helm-3 | 56 +++++++++++++++++++++++++++++++++-------------
 1 file changed, 40 insertions(+), 16 deletions(-)

diff --git a/scripts/get-helm-3 b/scripts/get-helm-3
index 4c7d4f56b..ae53f92c7 100755
--- a/scripts/get-helm-3
+++ b/scripts/get-helm-3
@@ -66,7 +66,7 @@ runAsRoot() {
 }
 
 # verifySupported checks that the os/arch combination is supported for
-# binary builds.
+# binary builds, as well whether or not necessary tools are present.
 verifySupported() {
   local supported="darwin-386\ndarwin-amd64\nlinux-386\nlinux-amd64\nlinux-arm\nlinux-arm64\nlinux-ppc64le\nwindows-386\nwindows-amd64"
   if ! echo "${supported}" | grep -q "${OS}-${ARCH}"; then
@@ -79,6 +79,25 @@ verifySupported() {
     echo "Either curl or wget is required"
     exit 1
   fi
+
+  if [ "${VERIFY_CHECKSUM}" == "true" ] && [ "${HAS_OPENSSL}" != "true" ]; then
+    echo "In order to verify checksum, openssl must first be installed."
+    echo "Please install openssl or set VERIFY_CHECKSUM=false in your environment."
+    exit 1
+  fi
+
+  if [ "${VERIFY_SIGNATURES}" == "true" ]; then
+    if [ "${HAS_GPG}" != "true" ]; then
+      echo "In order to verify signatures, gpg must first be installed."
+      echo "Please install gpg or set VERIFY_SIGNATURES=false in your environment."
+      exit 1
+    fi
+    if [ "${OS}" != "linux" ]; then
+      echo "Signature verification is currently only supported on Linux."
+      echo "Please set VERIFY_SIGNATURES=false or verify the signatures manually."
+      exit 1
+    fi
+  fi
 }
 
 # checkDesiredVersion checks if the desired version is available.
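Review bot: The updated comment line reads `as well whether or not necessary tools are present`, which is missing a word; suggest `# binary builds, as well as whether the necessary tools are present.`. The body of verifySupported that follows is only partially inside this hunk.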
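Review bot: The tool checks moved into verifySupported read `VERIFY_CHECKSUM`, `VERIFY_SIGNATURES`, `HAS_OPENSSL` and `HAS_GPG`, so they are only correct if those variables are populated before verifySupported is called; the previous placement inside verifyChecksum/verifySignatures did not depend on that ordering, and the main call sequence is outside this diff, so it is worth confirming. The `[ "${OS}" != "linux" ]` branch makes signature verification a hard error on other platforms rather than a silently skipped step, which is consistent with the fail-closed handling of the other checks; a one-line comment recording the reason for the Linux-only restriction would help future maintainers decide when it can be lifted. verifySupported's body begins before and ends after this hunk.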
@@ -157,11 +176,6 @@ installFile() {
 
 # verifyChecksum verifies the SHA256 checksum of the binary package.
 verifyChecksum() {
-  if [ "${HAS_OPENSSL}" != "true" ]; then
-    echo "In order to verify checksum, openssl must first be installed."
-    echo "Please install openssl or set VERIFY_CHECKSUM=false in your environment."
-    exit 1
-  fi
   printf "Verifying checksum... "
   local sum=$(openssl sha1 -sha256 ${HELM_TMP_FILE} | awk '{print $2}')
   local expected_sum=$(cat ${HELM_SUM_FILE})
@@ -172,19 +186,27 @@ verifyChecksum() {
   echo "Done."
 }
 
-# verifySignatures obtains the signature .asc files from the GitHub release,
-# then verifies that the release artifacts were signed by a trusted key.
+# verifySignatures obtains the latest KEYS file from GitHub master branch
+# as well as the signature .asc files from the specific GitHub release,
+# then verifies that the release artifacts were signed by a maintainer's key.
 verifySignatures() {
-  if [ "${HAS_GPG}" != "true" ]; then
-    echo "In order to verify signatures, gpg must first be installed."
-    echo "Please install gpg or set VERIFY_SIGNATURES=false in your environment."
-    exit 1
-  fi
   printf "Verifying signatures... "
+  local keys_filename="KEYS"
+  local github_keys_url="https://raw.githubusercontent.com/helm/helm/master/${keys_filename}"
+  if [ "${HAS_CURL}" == "true" ]; then
+    curl -SsL "${github_keys_url}" -o "${HELM_TMP_ROOT}/${keys_filename}"
+  elif [ "${HAS_WGET}" == "true" ]; then
+    wget -q -O "${github_keys_url}" "${HELM_TMP_ROOT}/${keys_filename}"
+  fi
+  local gpg_keyring="${HELM_TMP_ROOT}/keyring.gpg"
+  local gpg_homedir="${HELM_TMP_ROOT}/gnupg"
+  mkdir -p -m 0700 "${gpg_homedir}"
   local gpg_stderr_device="/dev/null"
   if [ "${DEBUG}" == "true" ]; then
     gpg_stderr_device="/dev/stderr"
   fi
+  gpg --batch --quiet --homedir="${gpg_homedir}" --import "${HELM_TMP_ROOT}/${keys_filename}" 2> "${gpg_stderr_device}"
+  gpg --batch --no-default-keyring --keyring "${gpg_homedir}/pubring.kbx" --export > "${gpg_keyring}"
   local github_release_url="https://github.com/helm/helm/releases/download/${TAG}"
   if [ "${HAS_CURL}" == "true" ]; then
     curl -SsL "${github_release_url}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" -o "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc"
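Review bot: The wget branch of the KEYS download has its arguments reversed: `-O` names the output file, so `wget -q -O "${github_keys_url}" "${HELM_TMP_ROOT}/${keys_filename}"` would try to write to a path derived from the URL and fetch the local temp path; it should read `wget -q -O "${HELM_TMP_ROOT}/${keys_filename}" "${github_keys_url}"` (the two pre-existing wget lines visible as context in the next hunk appear to have the same inversion). The export step names GnuPG's internal keybox file directly (`pubring.kbx`), which ties the script to a GnuPG 2.1+ homedir layout; exporting through the homedir instead, `gpg --batch --homedir="${gpg_homedir}" --export > "${gpg_keyring}"`, avoids depending on that file name. Neither the download nor the import has its exit status checked, and import diagnostics go to /dev/null unless DEBUG is set, so a failed fetch would only surface later as the generic "Unable to verify the signature" message; a `|| { echo "Failed to download ${keys_filename}"; exit 1; }` on the download lines would make the real cause visible. Note also that the trust anchor here is whatever the master branch serves at install time, so the check establishes that the release was signed by a key currently listed in KEYS rather than by a pre-pinned key; that is worth stating explicitly in the function comment. verifySignatures continues past the end of this hunk.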
@@ -193,14 +215,16 @@ verifySignatures() {
     wget -q -O "${github_release_url}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc"
     wget -q -O "${github_release_url}/${TAG}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc" "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc"
   fi
-  local error_text="Double-check the PGP key provided. If you think this is a security issue,"
+  local error_text="If you think this might be a potential security issue,"
   error_text="${error_text}\nplease see here: https://github.com/helm/community/blob/master/SECURITY.md"
-  if ! gpg --verify "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" 2> "${gpg_stderr_device}"; then
+  local num_goodlines_sha=$(gpg --verify --keyring="${gpg_keyring}" --status-fd=1 "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" 2> "${gpg_stderr_device}" | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)')
+  if [[ ${num_goodlines_sha} -lt 2 ]]; then
     echo "Unable to verify the signature of helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256!"
     echo -e "${error_text}"
     exit 1
   fi
-  if ! gpg --verify "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc" 2> "${gpg_stderr_device}"; then
+  local num_goodlines_tar=$(gpg --verify --keyring="${gpg_keyring}" --status-fd=1 "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc" 2> "${gpg_stderr_device}" | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)')
+  if [[ ${num_goodlines_tar} -lt 2 ]]; then
     echo "Unable to verify the signature of helm-${TAG}-${OS}-${ARCH}.tar.gz!"
     echo -e "${error_text}"
     exit 1
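Review bot: Both verify commands pass `--keyring="${gpg_keyring}"` without `--no-default-keyring`, so gpg still consults the invoking user's default keyring in addition to the temporary one, and a GOODSIG/VALIDSIG pair produced by any key already present there would satisfy the `-lt 2` check; since the commit's intent is for the freshly built keyring to be the sole trust root, both lines should read `gpg --verify --no-default-keyring --keyring="${gpg_keyring}" --status-fd=1 ...` (the `gpg_homedir` local introduced in the previous hunk could also be passed via `--homedir` so that no trustdb or lock files are written under the user's own ~/.gnupg). The count-based check accepts two or more matching status lines but does not tie them to one signature, which is fine for the single-signer case; recording that assumption in a comment such as `# expect one GOODSIG and one VALIDSIG status line per signature file` would make the `-lt 2` threshold self-explanatory. The closing `fi` and the remainder of verifySignatures lie outside this hunk.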