diff options
Diffstat (limited to '')
| -rwxr-xr-x | validate-checksum | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/validate-checksum b/validate-checksum new file mode 100755 index 0000000..383ed1f --- /dev/null +++ b/validate-checksum @@ -0,0 +1,78 @@ +#!/bin/sh +signature_key=3683C4B70CFA859F0173F2CCE0DD13EBFC7D5E3E + +set -e + +usage () { + printf 'usage: %s hasher file\n' "$0" >&2 + exit 1 +} + +get_algo () { + if test "$1" = sha224sum; then echo SHA224 + elif test "$1" = sha256sum; then echo SHA256 + elif test "$1" = sha384sum; then echo SHA384 + elif test "$1" = sha512sum; then echo SHA512 + elif test "$1" = sha512-224sum; then echo SHA512/224 + elif test "$1" = sha512-256sum; then echo SHA512/256 + elif test "$1" = sha3-224sum; then echo SHA3-224 + elif test "$1" = sha3-256sum; then echo SHA3-256 + elif test "$1" = sha3-384sum; then echo SHA3-384 + elif test "$1" = sha3-512sum; then echo SHA3-512 + elif test "$1" = b2sum; then echo BLAKE2b + else + false + fi +} + +signature_key="$(printf '%s\n' "${signature_key}" | tr -d ' ')" + +hasher="$(printf '%s\n' "$1" | sed 's/s$//')" +file="$2" + +if ! algo="$(get_algo "${hasher}")" || test ! -f "${file}"; then + usage +fi + + +hash="$(${hasher} -- "${file}" | cut -d ' ' -f 1 | tr 'A-F' 'a-f')" + +pkgname="$(basename -- "${file}" | sed -n 's/-[^-]*\.tar\.gz$//p')" +pkgver="$(basename -- "${file}" | sed -n 's/^.*-\([^-]*\)\.tar\.gz$/\1/p')" + +if test -z "${pkgname}" || test -z "${pkgver}"; then + usage +fi + +url="https://maandree.se/rel/$pkgname/$pkgver.html" + +page="$(curl -sL "${url}")" +sigpage="$(curl -sL "${url}.sig")" + + +sigkey="$(curl -L -- "https://maandree.se/.signkey")" +if test ! "${sigkey}" = "${signature_key}"; then + printf '\n\033[1m%s\033[m,' 'Expected signature keyfile seems to be out of date' >&2 + printf ' %s' 'have a look at https://maandree.se/ to find the newest and verify that it' >&2 + printf ' %s' 'has been signed by the previous key, continue until you find and old key' >&2 + printf ' %s' 'in the signature chain that is signed by '"${signature_key}"' (or older' >&2 + printf ' %s' 'that you trust). Once verified, update `signature_key` at the top of' >&2 + printf ' %s' 'this file to be the newest key, which should be '"${sigkey}"', and' >&2 + printf ' %s' 'import it into your key collection of PGP keys.' >&2 + printf '\n' >&2 + exit 1 +fi + +sigtest="$(printf '%s\n' "${page}" | (printf '%s\n' "${sigpage}" | gpg --status-fd=8 --verify - /dev/fd/9) 9<&0 8>&1 1>&2)" +if ! printf '%s\n' "${sigtest}" | grep -q '^\[GNUPG:\] VALIDSIG'" ${sigkey} "; then + printf '\n\033[1m%s\033[m\n' 'The release metadata page seems to be signed with an unexpected key.' >&2 + exit 1 +fi + +if ! printf '%s\n' "${page}" | sed 's/<[^>]*>//g' | grep -q '^\s*'"$algo"' checksum: '"${hash}"'\s*$'; then + printf '\n\033[1m%s\033[m\n' 'Checksum not whitelisted' >&2 + exit 1 +fi + +printf '\nChecksum OK:\n' >&2 +printf '%s\n' "${hash}" |