From a0d5dd5b8c1a90af8ab378affae368dcc031ef73 Mon Sep 17 00:00:00 2001
From: plowsof
Date: Wed, 16 Oct 2024 15:15:16 +0100
Subject: [PATCH] CI: verify donation addresses are signed
---
 .github/workflows/hashes.yaml | 33 +++++++++++++++++++++++++++++++--
 _data/contributing.yml | 11 +++++++++++
 2 files changed, 42 insertions(+), 2 deletions(-)
 create mode 100644 _data/contributing.yml
diff --git a/.github/workflows/hashes.yaml b/.github/workflows/hashes.yaml
index faace9e9..1f40be36 100644
--- a/.github/workflows/hashes.yaml
+++ b/.github/workflows/hashes.yaml
@@ -5,10 +5,12 @@ on:
 paths:
 - 'downloads/hashes.txt'
 - '_data/downloads.yml'
+ - '_data/contributing.yml'
 pull_request:
 paths:
 - 'downloads/hashes.txt'
 - '_data/downloads.yml'
+ - '_data/contributing.yml'
 jobs:
 validate-hashes:
 name: Validate Hashes
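Review bot: The two `paths:` filters gain `_data/contributing.yml` but not the other files the new checks depend on, so a push or pull request that changes only `_data/contributing.yml.asc` or one of the donation QR images would not start this workflow, as far as the visible filters show. Adding `- '_data/contributing.yml.asc'`, `- 'img/donate-monero.png'` and `- 'img/donate-bitcoin.png'` to both lists would make a replaced signature or image go through the hash and QR comparison. The image paths are the `qr_*_filename` values from `_data/contributing.yml` in this commit; the `on:` block starts above the hunk and the job continues below it.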
@@ -17,13 +19,40 @@ jobs: - uses: actions/checkout@v2 - name: Install dependencies run: | - sudo apt-get install -y --no-install-recommends curl gpg jq python3-pip + sudo apt-get install -y --no-install-recommends curl gpg jq python3-pip zbar-tools sudo pip3 install yq - - name: Verify hashes.txt signature + - name: Verify hashes.txt + contributing.yml signature run: | curl -sL https://raw.githubusercontent.com/monero-project/monero/master/utils/gpg_keys/binaryfate.asc | gpg --import gpg --verify downloads/hashes.txt + gpg --verify _data/contributing.yml.asc + - name: Verify General Fund donation QR's + run: | + yaml="_data/contributing.yml" + get_yaml_value() { + awk -v key="$1:" '$1 == key {print $2}' "$yaml" + } + for coin in xmr btc; do + qr_checksum=$(get_yaml_value "qr_${coin}_checksum") + qr_filename=$(get_yaml_value "qr_${coin}_filename") + qr_content=$(get_yaml_value "qr_${coin}_content") + echo "DEBUG: $qr_checksum $qr_filename" + echo "DEBUG: $qr_content" + # Confirm hashes match + echo "$qr_checksum $qr_filename" | sha256sum -c + # Scan QR content + qr_scanned=$(zbarimg -q --raw "$qr_filename") + # Compare scanned content with expected content + if [ "$qr_scanned" = "$qr_content" ]; then + echo "${coin^^} QR code content matches exactly" + else + echo "${coin^^} QR code content does not match" + echo "Scanned: $qr_scanned" + echo "Expected: $qr_content" + exit 1 + fi + done - name: Verify filenames run: | lines="$(grep -v ^# downloads/hashes.txt)" diff --git a/_data/contributing.yml b/_data/contributing.yml new file mode 100644 index 00000000..155f60fd --- /dev/null +++ b/_data/contributing.yml 
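Review bot: The added `gpg --verify _data/contributing.yml.asc` names only the signature file, so what is authenticated depends on the format of the `.asc`: for a detached signature gpg infers the data file by dropping the suffix, but for a clearsigned copy only the text embedded in the `.asc` is checked and the `_data/contributing.yml` that the next step parses with awk is never tied to the signature. Writing `gpg --verify _data/contributing.yml.asc _data/contributing.yml` makes the step fail unless a detached signature covers the file that is actually read. The `.asc` is not among the two files in this patch's diffstat, so its format cannot be confirmed from here. In the QR step, `get_yaml_value` yields an empty string for a missing key, and a guard such as `[ -n "$qr_filename" ] || { echo "missing qr_${coin}_filename"; exit 1; }` would report that case clearly. The steps list begins before the hunk and the `Verify filenames` step continues past it.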
@@ -0,0 +1,11 @@
+address_xmr: 888tNkZrPN6JsEgekjMnABU4TBzc2Dt29EPAvkRxbANsAnjyPbb3iQ1YBRk1UXcdRsiKc9dhwMVgN5S9cQUiyoogDavup3H
+address_btc: 1KTexdemPdxSBcG55heUuTjDRYqbC5ZL8H
+address_openalias: donate.getmonero.org
+view_address: 44AFFq5kSiGBoZ4NMDwYtN18obc8AemS33DBLWs3H7otXft3XjrpDtQGv7SqSsaBYBb98uNbr2VBBEt7f2wfn3RVGQBEP3A
+view_key: f359631075708155cc3d92a32b75a7d02a5dcf27756707b47a2b31b21c389501
+qr_xmr_filename: img/donate-monero.png
+qr_xmr_content: 888tNkZrPN6JsEgekjMnABU4TBzc2Dt29EPAvkRxbANsAnjyPbb3iQ1YBRk1UXcdRsiKc9dhwMVgN5S9cQUiyoogDavup3H
+qr_xmr_checksum: cf6cb49cf98726a40b860a6bb19df77df724a3e8e1ccb039adf8432de1509911
+qr_btc_filename: img/donate-bitcoin.png
+qr_btc_content: bitcoin:1FhnVJi2V1k4MqXm2nHoEbY5LV7FPai7bb
+qr_btc_checksum: ef2b0e59e401caad2393cb11f50dfc29b364e0af0fd5683012fe0abded608655
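Review bot: `address_btc` is `1KTexdemPdxSBcG55heUuTjDRYqbC5ZL8H`, while `qr_btc_content` encodes `bitcoin:1FhnVJi2V1k4MqXm2nHoEbY5LV7FPai7bb`, a different address; the XMR text address and QR content are identical. The workflow step added in this commit compares the scanned image only with `qr_btc_content`, so the mismatch passes CI and would be covered by the signature as it stands. If both addresses are intended, a `#` comment above `qr_btc_content` saying so would help; otherwise one value should be corrected before signing. A cross-check in the QR loop, `[ "${qr_content#bitcoin:}" = "$(get_yaml_value "address_${coin}")" ] || exit 1`, would keep the pairs from drifting apart.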