feat(git-node): verify tag signature during release promotion (#879)

nodejs · Dec 20, 2024 · 4bd6820 · 4bd6820
1 parent e90258c
commit 4bd6820
Showing 1 changed file with 23 additions and 0 deletions.
diff --git a/lib/promote_release.js b/lib/promote_release.js
@@ -131,6 +131,7 @@ export default class ReleasePromotion extends Session {
       throw new Error('Aborted');
     }
     await this.secureTagRelease();
+    await this.verifyTagSignature();
 
     // Set up for next release.
     cli.startSpinner('Setting up for next release');
@@ -223,6 +224,28 @@ export default class ReleasePromotion extends Session {
         this.isLTS ? '=false' : ''} --title=${JSON.stringify(this.releaseTitle)} --notes-file -`);
   }
 
+  async verifyTagSignature() {
+    const { cli, version } = this;
+    const [needle, haystack] = await Promise.all([forceRunAsync(
+      'git', ['--no-pager',
+        'log', '-1',
+        `refs/tags/v${version}`,
+        '--format=* **%an** <<%ae>>\n  `%GF`'
+      ], { captureStdout: true }), fs.readFile('README.md')]);
+    if (haystack.includes(needle)) {
+      return;
+    }
+    cli.warn('Tag was signed with an undocumented identity/key pair!');
+    cli.info('Expected to find the following entry in the README:');
+    cli.info(needle);
+    cli.info('If you are using a subkey, it might be OK.');
+    cli.info(`Otherwise consider removing the tag (git tag -d v${version
+             }), check your local config, and start the process over.`);
+    if (!await cli.prompt('Do you want to proceed anyway?', { defaultAnswer: false })) {
+      throw new Error('Aborted');
+    }
+  }
+
   async verifyPRAttributes() {
     const { cli, prid, owner, repo, req } = this;