Verifies signatures in CI

[emkll]

very simple scripts that iterates through files in the workstation repo and verifies their signature. Specifies --test in this repo as this is the dev repo signed with the test key.

Note that the repo as initially cloned does not have git lfs hooks enabled due to circle re-writing the git urls per the gitconfig. We reclone via HTTPS inside the checked out repo to avoid having to deal with rewriting remote urls in the repo git config in the circle container.

Test plan

• Should we even do this? Every clone is 3GB (and growing), will this pose an issue for our LFS bandwith quota?
• Is ci passing on this branch?
• The public keys are correct
• Verify that we are running CI per-PR (on push, to reduce git-lfs bandwidth)
• Is ci failing on the branch where i have commited an unsigned rpm ? https://circleci.com/gh/freedomofpress/securedrop-workstation-dev-rpm-packages-lfs/8

[conorsch]

Looking good. Haven't done an in-depth functional review, since I'd prefer to shake out RPM nightly implications such as freedomofpress/securedrop-workstation#406 (comment) before deciding what the sig verification story needs to look like.

Every clone is 3GB

On a full copy of this repo, I'm seeing 5207MB. However, if I clone with --depth=1, I see 1627MB. So perhaps we should consider shallow clones in CI, since we only care about verifying sigs on new artifacts.

[emkll]

Thanks @conorsch , updated with shallow clone and rebased on latest master. I've also opened freedomofpress/securedrop-builder#135 to reduce lfs usage for nightlies as well.

[conorsch]

Looks good. Left some comments throughout targeting some cleanups, mostly to make the verification more resilient in the face of user error, as well as solidify our approach to using git-lfs in CircleCI.

Most of these approaches are optional; however, wanted you to review the comments before clicking merge, in case the changes apply to other repos, such as packaging.

[conorsch]

From CircleCI docs:

If you require doing git over HTTPS you should not use this step as it configures git to checkout over ssh.

Since there's a git clone --depth=1 in the subsequent tasks, I believe we want to remove the "checkout" step entirely—we could probably remove the "workaround for git-lfs" task, as well.

[emkll]

@conorsch thanks for the review, all great points. All comments have been addressed, commit squashed, ready for re-review

[conorsch]

Fantastic, much obliged!

Local review of script functionality checks out, confirmed test/prod pubkeys are what we expect.