Fix signature verification

.github/CODEOWNERS

@@ -0,0 +1,6 @@
+# Reviews are required by
+#
+# - @pennylane-hq/electronic-invoicing-core as main usage of this branch is for the invoicing-hub repository,
+# maintained by this squad
+
+* @pennylane-hq/electronic-invoicing-core

.github/RECOMMENDED_CODEOWNERS

@@ -0,0 +1,5 @@
+# It is recommended to receive reviews from
+#
+# - @pennylane-hq/security as main this gem is a security layer and should be modified carefully
+
+* @pennylane-hq/security

.github/workflows/ci.yml

@@ -5,6 +5,26 @@ on:
   - pull_request
 
 jobs:
+  license_checks:
+    name: License checks
+    runs-on: ubuntu-latest
+    env:
+      RAILS_ENV: test
+    steps:
+      - uses: actions/checkout@v5
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.4.7
+          bundler-cache: true # bundle installs and caches dependencies
+      - name: Run license checks
+        run: |
+          bundle exec license_finder || (cat <<-END && exit 1)
+
+            You seem to be introducing a new license into our stack, please reach out to
+            #licenses-tech-stack on slack to get guidance on the topic.
+          END
+
   test:
     runs-on: ubuntu-latest
     strategy:
@@ -14,11 +34,25 @@ jobs:
     env:
       RAILS_ENV: test
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
         with:
           ruby-version: ${{ matrix.ruby }}
           bundler-cache: true # bundle installs and caches dependencies
       - name: Run tests
         run: bundle exec rake --trace
+
+  summary:
+    name: CI Summary
+    runs-on: ubuntu-latest
+    needs:
+      - test
+      - license_checks
+    if: always()
+
+    steps:
+      - name: Successful builds?
+        run: |
+          if ${{ needs.test.result != 'success' }}; then exit 1; fi
+          if ${{ needs.license_checks.result != 'success' }}; then exit 1; fi

.gitignore

@@ -1,5 +1,4 @@
 .DS_Store
-doc
 coverage
 pkg
 *~

.pre-commit-config.yaml

@@ -0,0 +1,39 @@
+repos:
+  - repo: local
+    hooks:
+      - id: do_not_commit
+        name: Break on DO NOT COMMIT comment
+        language: pygrep
+        entry: (?i)(NOT.{,3}COMMIT)
+        exclude: (?x)(.pre-commit-config.yaml)$
+      - id: rubocop
+        name: Rubocop
+        language: system
+        entry: bundle exec rubocop
+        require_serial: true # for proper cache behavior
+        files: (?x)(
+          \.(rb|rake)$|Gemfile$|Rakefile|.irbrc$)
+        args:
+          - --autocorrect
+          - --color
+          - --server
+          - --config=.rubocop.yml
+      - id: encrypted_ssh_keys
+        name: Encrypted SSH keys
+        language: system
+        entry: .pre-commit/check_ssh_keys_passphrase.sh
+        pass_filenames: false
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.0.1
+    hooks:
+      - id: trailing-whitespace
+
+  - repo: https://github.com/tdeo/pre-commit-hooks
+    rev: v4.0.1
+    hooks:
+      - id: end-of-file-fixer
+
+  - repo: https://github.com/pennylane-hq/pre-commit-hooks
+    rev: d8b38e22631ed3597b2c8277f64cbd60afc1515a
+    hooks:
+      - id: actionlint

.pre-commit/check_ssh_keys_passphrase.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+exitcode=0
+SSH_KEYS_DIR="$HOME"/.ssh/
+
+while IFS= read -r keyfile
+do
+    (grep -l "OPENSSH PRIVATE" "$keyfile" 2>/dev/null | grep -v personal 1>/dev/null 2>&1) || continue
+    if ssh-keygen -y -P "" -f "$keyfile" 1>/dev/null 2>&1 ; then
+        echo SSH key with no passphrase: "$keyfile"
+        exitcode=1
+    fi
+done < <(find "$SSH_KEYS_DIR" -maxdepth 1 -type f 2> /dev/null)
+
+if [ $exitcode == 1 ]; then
+    cat << EOF
+
+At least one of your SSH keys doesn't have a passphrase. For security reasons,
+a passphrase is needed on all non-personal SSH keys. Please refer to the 'Signed commits'
+section of the 'Repositories hardening' page on Notion for more information:
+https://www.notion.so/scribetech/Repositories-hardening-1cfc3cfcebe842bc88c3ac4fae4a0506
+EOF
+fi
+
+exit $exitcode