Allow Bors to sign commits

.env_armhf

@@ -0,0 +1 @@
+DOCKERIZE_ARCH=armhf

Dockerfile

@@ -1,4 +1,4 @@
-ARG ELIXIR_VERSION=1.12.0
+ARG ELIXIR_VERSION=1.13.0
 ARG SOURCE_COMMIT
 
 FROM elixir:${ELIXIR_VERSION} as builder
@@ -41,10 +41,14 @@ RUN if [ -d .git ]; then \
 ####
 
 FROM debian:buster-slim
-RUN apt-get update -q && apt-get --no-install-recommends install -y git-core libssl1.1 curl apt-utils ca-certificates
+RUN apt-get update -q && \
+    apt-get --no-install-recommends install -y \
+    git-core libssl1.1 curl apt-utils ca-certificates gpg
 
-ENV DOCKERIZE_VERSION=v0.6.0
-RUN curl -Ls https://github.com/bors-ng/dockerize/releases/download/v0.7.9/dockerize-linux-amd64-v0.7.9.tar.gz | \
+ARG DOCKERIZE_VERSION=v0.7.9
+ARG DOCKERIZE_ARCH=amd64
+
+RUN curl -Ls https://github.com/bors-ng/dockerize/releases/download/${DOCKERIZE_VERSION}/dockerize-linux-${DOCKERIZE_ARCH}-${DOCKERIZE_VERSION}.tar.gz | \
     tar xzv -C /usr/local/bin
 
 ADD ./script/docker-entrypoint /usr/local/bin/bors-ng-entrypoint

config/test.exs

@@ -28,4 +28,6 @@ config :bors, :server, BorsNG.GitHub.ServerMock
 config :bors, :oauth2, BorsNG.GitHub.OAuth2Mock
 config :bors, :is_test, true
 
+config :bors, :test_gpg_key_id, {:system, "BORS_TEST_GPG_KEY_ID", ""}
+
 config :bors, :celebrate_new_year, false

docker-compose.yml

@@ -0,0 +1,31 @@
+version: "2"
+services:
+  bors:
+    build:
+      context: .
+      dockerfile: ./Dockerfile
+      args:
+        - DOCKERIZE_ARCH=$DOCKERIZE_ARCH
+    image: bors-ng:local
+    ports:
+      - "4000:4000"
+    tty: true
+    env_file:
+      - .env_docker
+    restart: always
+    depends_on:
+      - postgres
+  postgres:
+    image: postgres:10.5
+    restart: always
+    volumes:
+      - db_data:/var/lib/postgresql/data
+    environment:
+      # Make sure the [censored] password here matches the one in the DATABASE_URL
+      POSTGRES_PASSWORD: "7vMibEOXo1kp3bQImeTmwA"
+      POSTGRES_DB: "bors"
+volumes:
+  db_data:
+networks:
+  default:
+    driver: bridge

lib/github/github.ex

@@ -192,35 +192,44 @@ defmodule BorsNG.GitHub do
     commit
   end
 
-  @spec synthesize_commit!(tconn, %{
-          branch: bitstring,
-          tree: bitstring,
-          parents: [bitstring],
-          commit_message: bitstring,
-          committer: tcommitter | nil
-        }) :: binary
-  def synthesize_commit!(repo_conn, info) do
+  @spec synthesize_commit!(
+          tconn,
+          %{
+            branch: bitstring,
+            tree: bitstring,
+            parents: [bitstring],
+            commit_message: bitstring,
+            committer: tcommitter | nil
+          },
+          bitstring | nil
+        ) :: binary
+  def synthesize_commit!(repo_conn, info, signing_key \\ nil) do
     {:ok, sha} =
       GenServer.call(
         BorsNG.GitHub,
-        {:synthesize_commit, repo_conn, {info}},
+        {:synthesize_commit, repo_conn, {info, signing_key}},
         Confex.fetch_env!(:bors, :api_github_timeout)
       )
 
     sha
   end
 
-  @spec create_commit!(tconn, %{
-          tree: bitstring,
-          parents: [bitstring],
-          commit_message: bitstring,
-          committer: tcommitter | nil
-        }) :: binary
-  def create_commit!(repo_conn, info) do
+  @spec create_commit!(
+          tconn,
+          %{
+            tree: bitstring,
+            parents: [bitstring],
+            commit_message: bitstring,
+            author: tcommitter | nil,
+            committer: tcommitter | nil
+          },
+          bitstring | nil
+        ) :: binary
+  def create_commit!(repo_conn, info, signing_key \\ nil) do
     {:ok, sha} =
       GenServer.call(
         BorsNG.GitHub,
-        {:create_commit, repo_conn, {info}},
+        {:create_commit, repo_conn, {info, signing_key}},
         Confex.fetch_env!(:bors, :api_github_timeout)
       )
 

lib/github/github/server.ex

@@ -282,21 +282,49 @@ defmodule BorsNG.GitHub.Server do
            tree: tree,
            parents: parents,
            commit_message: commit_message,
+           author: author,
            committer: committer
-         }}
+         }, signing_key}
       ) do
     msg = %{parents: parents, tree: tree, message: commit_message}
 
     msg =
       if is_nil(committer) do
         msg
       else
-        Map.put(msg, "author", %{
+        Map.put(msg, :committer, %{
           name: committer.name,
           email: committer.email
         })
       end
 
+    msg =
+      if is_nil(author) do
+        msg
+      else
+        Map.put(msg, :author, author)
+      end
+
+    msg =
+      cond do
+        is_nil(signing_key) ->
+          Logger.debug("Not signing commit in create_commit because signing_key is nil")
+          msg
+
+        is_nil(author) ->
+          Logger.debug("Not signing commit in create_commit because author is nil")
+          msg
+
+        is_nil(committer) ->
+          Logger.debug("Not signing commit in create_commit because committer is nil")
+          msg
+
+        true ->
+          msg
+          |> GitHub.Signature.add_timestamp(DateTime.utc_now())
+          |> GitHub.Signature.sign!(signing_key)
+      end
+
     resp =
       repo_conn
       |> post!("git/commits", Poison.encode!(msg))
@@ -333,18 +361,36 @@ defmodule BorsNG.GitHub.Server do
            parents: parents,
            commit_message: commit_message,
            committer: committer
-         }}
+         }, signing_key}
       ) do
     msg = %{parents: parents, tree: tree, message: commit_message}
 
     msg =
       if is_nil(committer) do
         msg
       else
-        Map.put(msg, "author", %{
+        msg
+        |> Map.put(:author, %{
           name: committer.name,
           email: committer.email
         })
+        |> Map.put(:committer, committer)
+      end
+
+    msg =
+      cond do
+        is_nil(signing_key) ->
+          Logger.debug("Not signing commit in synthesize_commit because signing_key is nil")
+          msg
+
+        is_nil(committer) ->
+          Logger.debug("Not signing commit in synthesize_commit because committer is nil")
+          msg
+
+        true ->
+          msg
+          |> GitHub.Signature.add_timestamp(DateTime.utc_now())
+          |> GitHub.Signature.sign!(signing_key)
       end
 
     repo_conn

lib/github/github/server_mock.ex

@@ -366,7 +366,7 @@ defmodule BorsNG.GitHub.ServerMock do
            parents: parents,
            commit_message: commit_message,
            committer: _committer
-         }},
+         }, _signing_key},
         state
       ) do
     with {:ok, repo} <- Map.fetch(state, repo_conn),

lib/github/github/signature.ex

@@ -0,0 +1,133 @@
+require Logger
+
+defmodule BorsNG.GitHub.Signature do
+  @moduledoc """
+  Provides the ability to sign commits using gpg2.
+  """
+
+  @type tcommit_no_ts :: %{
+          parents: [binary],
+          tree: binary,
+          message: binary,
+          author: %{name: binary, email: binary},
+          committer: %{name: binary, email: binary}
+        }
+
+  @type tcommit :: %{
+          parents: [binary],
+          tree: binary,
+          message: binary,
+          author: %{name: binary, email: binary, date: binary},
+          committer: %{name: binary, email: binary, date: binary}
+        }
+
+  @type tcommit_sig :: %{
+          parents: [binary],
+          tree: binary,
+          message: binary,
+          author: %{name: binary, email: binary, date: binary},
+          committer: %{name: binary, email: binary, date: binary},
+          signature: binary
+        }
+
+  @spec add_timestamp(tcommit_no_ts, DateTime.t()) :: tcommit
+  def add_timestamp(commit, dt) do
+    ts = DateTime.to_iso8601(dt)
+
+    commit
+    |> Map.put(:author, Map.put(commit[:author], :date, ts))
+    |> Map.put(:committer, Map.put(commit[:committer], :date, ts))
+  end
+
+  @spec format_commit(tcommit) :: binary
+  def format_commit(commit) do
+    {:ok, author_date, _} = DateTime.from_iso8601(commit[:author][:date])
+    author_ts = DateTime.to_unix(author_date, :second) |> Integer.to_string()
+    {:ok, committer_date, _} = DateTime.from_iso8601(commit[:committer][:date])
+    committer_ts = DateTime.to_unix(committer_date, :second) |> Integer.to_string()
+
+    gpg_sig =
+      case Map.fetch(commit, :signature) do
+        {:ok, sig} ->
+          lines =
+            String.split(sig, "\n")
+            |> Enum.intersperse("\n ")
+            |> Enum.to_list()
+
+          ["gpgsig ", lines, "\n"]
+
+        :error ->
+          []
+      end
+
+    IO.iodata_to_binary([
+      ["tree ", commit[:tree], "\n"],
+      Enum.map(commit[:parents], fn parent -> ["parent ", parent, "\n"] end),
+      [
+        "author ",
+        commit[:author][:name],
+        " <",
+        commit[:author][:email],
+        "> ",
+        author_ts,
+        " +0000\n"
+      ],
+      [
+        "committer ",
+        commit[:committer][:name],
+        " <",
+        commit[:committer][:email],
+        "> ",
+        committer_ts,
+        " +0000\n"
+      ],
+      gpg_sig,
+      "\n",
+      commit[:message]
+    ])
+  end
+
+  @spec sign!(tcommit, binary) :: tcommit_sig
+  def sign!(commit, key_id) do
+    Logger.info("Signing commit #{inspect(commit)} with key #{inspect(key_id)}")
+
+    path = System.find_executable("gpg")
+
+    if is_nil(path) do
+      throw(:missing_gpg)
+    end
+
+    commit_to_sign = format_commit(commit)
+    Logger.debug("Commit to sign: #{inspect(commit_to_sign)}")
+
+    tmp_dir = System.tmp_dir!()
+    tmp_filename = Path.join(tmp_dir, "bors_commit_signing.#{commit[:tree]}.txt")
+    sig_filename = Path.join(tmp_dir, "bors_commit_signing.#{commit[:tree]}.txt.asc")
+
+    try do
+      _ = File.rm(sig_filename)
+      File.write!(tmp_filename, commit_to_sign, [:write, :binary, :sync])
+
+      args = [
+        "--batch",
+        "--with-colons",
+        "--status-fd",
+        "2",
+        "--armor",
+        "--local-user",
+        key_id,
+        "--detach-sign",
+        tmp_filename
+      ]
+
+      Logger.debug("Calling #{path} #{Enum.join(args, " ")}")
+      {output, 0} = System.cmd(path, args)
+      Logger.debug("Output from gpg: #{inspect(output)}")
+      sig = File.read!(sig_filename)
+      Map.put(commit, :signature, sig)
+    after
+      _ = File.rm(tmp_filename)
+      _ = File.rm(sig_filename)
+    end
+  end
+end