CI: verify donation addresses are signed

2025-01-28 18:56:33 +02:00 · 2024-10-16 15:15:16 +01:00 · 2024-10-16 15:15:16 +01:00 · a0d5dd5b8c
commit a0d5dd5b8c
parent 5d5bf86221
2 changed files with 42 additions and 2 deletions
--- a/.github/workflows/hashes.yaml
+++ b/.github/workflows/hashes.yaml
@ -5,10 +5,12 @@ on:
    paths:
      - 'downloads/hashes.txt'
      - '_data/downloads.yml'
+      - '_data/contributing.yml'
  pull_request:
    paths:
      - 'downloads/hashes.txt'
      - '_data/downloads.yml'
+      - '_data/contributing.yml'
 jobs:
  validate-hashes:
    name: Validate Hashes
@ -17,13 +19,40 @@ jobs:
      - uses: actions/checkout@v2
      - name: Install dependencies
        run: |
-          sudo apt-get install -y --no-install-recommends curl gpg jq python3-pip
+          sudo apt-get install -y --no-install-recommends curl gpg jq python3-pip zbar-tools
          sudo pip3 install yq
-      - name: Verify hashes.txt signature
+      - name: Verify hashes.txt + contributing.yml signature
        run: |
          curl -sL https://raw.githubusercontent.com/monero-project/monero/master/utils/gpg_keys/binaryfate.asc |
            gpg --import
          gpg --verify downloads/hashes.txt
+          gpg --verify _data/contributing.yml.asc
+      - name: Verify General Fund donation QR's
+        run: |
+          yaml="_data/contributing.yml"
+          get_yaml_value() {
+              awk -v key="$1:" '$1 == key {print $2}' "$yaml"
+          }
+          for coin in xmr btc; do
+              qr_checksum=$(get_yaml_value "qr_${coin}_checksum")
+              qr_filename=$(get_yaml_value "qr_${coin}_filename")
+              qr_content=$(get_yaml_value "qr_${coin}_content")
+              echo "DEBUG: $qr_checksum $qr_filename"
+              echo "DEBUG: $qr_content"
+              # Confirm hashes match
+              echo "$qr_checksum $qr_filename" | sha256sum -c
+              # Scan QR content 
+              qr_scanned=$(zbarimg -q --raw "$qr_filename")
+              # Compare scanned content with expected content
+              if [ "$qr_scanned" = "$qr_content" ]; then
+                  echo "${coin^^} QR code content matches exactly"
+              else
+                  echo "${coin^^} QR code content does not match"
+                  echo "Scanned: $qr_scanned"
+                  echo "Expected: $qr_content"
+                  exit 1
+              fi
+          done
      - name: Verify filenames
        run: |
          lines="$(grep -v ^# downloads/hashes.txt)"
--- a/_data/contributing.yml
+++ b/_data/contributing.yml
@ -0,0 +1,11 @@
+address_xmr: 888tNkZrPN6JsEgekjMnABU4TBzc2Dt29EPAvkRxbANsAnjyPbb3iQ1YBRk1UXcdRsiKc9dhwMVgN5S9cQUiyoogDavup3H
+address_btc: 1KTexdemPdxSBcG55heUuTjDRYqbC5ZL8H
+address_openalias: donate.getmonero.org
+view_address: 44AFFq5kSiGBoZ4NMDwYtN18obc8AemS33DBLWs3H7otXft3XjrpDtQGv7SqSsaBYBb98uNbr2VBBEt7f2wfn3RVGQBEP3A
+view_key: f359631075708155cc3d92a32b75a7d02a5dcf27756707b47a2b31b21c389501
+qr_xmr_filename: img/donate-monero.png
+qr_xmr_content: 888tNkZrPN6JsEgekjMnABU4TBzc2Dt29EPAvkRxbANsAnjyPbb3iQ1YBRk1UXcdRsiKc9dhwMVgN5S9cQUiyoogDavup3H
+qr_xmr_checksum: cf6cb49cf98726a40b860a6bb19df77df724a3e8e1ccb039adf8432de1509911
+qr_btc_filename: img/donate-bitcoin.png
+qr_btc_content: bitcoin:1FhnVJi2V1k4MqXm2nHoEbY5LV7FPai7bb
+qr_btc_checksum: ef2b0e59e401caad2393cb11f50dfc29b364e0af0fd5683012fe0abded608655