Signature verification support

[wchargin]

Bazel release candidates and releases are accompanied by PGP signatures:

$ wget -q 'https://releases.bazel.build/0.20.0/rc1/bazel-0.20.0rc1-darwin-x86_64'
$ wget -q 'https://releases.bazel.build/0.20.0/rc1/bazel-0.20.0rc1-darwin-x86_64.sig'
$ gpg --verify ./bazel-0.20.0rc1-darwin-x86_64.sig
gpg: assuming signed data in './bazel-0.20.0rc1-darwin-x86_64'
gpg: Signature made Mon 05 Nov 2018 06:16:24 AM PST
gpg:                using RSA key 71A1D0EFCFEB6281FD0437C93D5919B448457EE0
gpg: Good signature from "Bazel Developer (Bazel APT repository key) <[email protected]>" [full]
$ wget -q 'https://releases.bazel.build/0.21.0/release/bazel-0.21.0-linux-x86_64'
$ wget -q 'https://releases.bazel.build/0.21.0/release/bazel-0.21.0-linux-x86_64.sig'
$ gpg --verify ./bazel-0.21.0-linux-x86_64.sig
gpg: assuming signed data in './bazel-0.21.0-linux-x86_64'
gpg: Signature made Wed 19 Dec 2018 05:58:23 AM PST
gpg:                using RSA key 71A1D0EFCFEB6281FD0437C93D5919B448457EE0
gpg: Good signature from "Bazel Developer (Bazel APT repository key) <[email protected]>" [full]

Would you be interested in a pull request to make Bazelisk additionally
download and verify these signatures? (Signature verification is fast:
about a second on my machine.)

The Bazel team public key would be hard-coded into the repository, and
we can use

$ gpg --no-default-keyring --keyring ./bazel-release.pub.gpg \
> --trust-model always --verify "${SIGNATURE}" "${BINARY}"

to verify the binary. (This requires the bazel-release.pub.gpg key to
be dearmored, but that’s easy to do.)

[philwo]

Would you be interested in a pull request to make Bazelisk additionally download and verify these signatures?

Absolutely! That sounds like a very useful feature. I'd love to review a PR for this. :)

[wchargin]

Okay, thanks. I’ll take a look and send a PR when I get the chance.

Let me make sure that I understand this project’s constraints: is the
main module supposed to run as a standalone Python script, with no file
dependencies or Python package dependencies (other than those installed
by default), in Python 2 and 3, and in Windows, Mac, and Linux?

[philwo]

Great, thanks!

Yes, the current version has these properties:

• Works with Python 2.7 and Python 3.x.
• Works on Linux, macOS and Windows.
• Doesn't require any packages except what's in the Python standard library.

However:

• I would be OK with dropping Python 2.7 support if it makes things easier or if we can avoid adding a third-party package dependency then.
• Depending on packages (maybe optionally?) might be OK, if it's a reasonable dependency and we can't use something from the standard library. But it's nice that it currently just works without any required deps, so if possible, we should keep it this way.
• Regarding the platforms, we have to support all three. I'm happy to test your PR on platforms you don't easily have access to, if that helps. (I'll also add automatic testing of pull requests on Buildkite soon, so that'll be easier.)

[wchargin]

Submitted #17, preserving all those properties (no new dependencies).

Regarding the platforms, we have to support all three. I'm happy to
test your PR on platforms you don't easily have access to, if that
helps. (I'll also add automatic testing of pull requests on Buildkite
soon, so that'll be easier.)

Yes: if you could please test this on macOS, that’d be great. My
understanding is that macOS does not ship with gpg(1), so it is
important that the fallback behavior be correct, and of course the main
functionality should work for those who have installed GPG.

I see that Windows testing is an “idea for the future” according to the
README, so I’ll let you decide how much testing should be done on that
side of the pond. :-)