Diffstat (limited to 'validate-checksum')
l---------[-rwxr-xr-x] | validate-checksum | 81 |
1 files changed, 1 insertions, 80 deletions
diff --git a/validate-checksum b/validate-checksum
index ccb3e0a..4d71bc5 100755..120000
--- a/validate-checksum
+++ b/validate-checksum
@@ -1,80 +1 @@
-#!/bin/sh
-signature_key=3683C4B70CFA859F0173F2CCE0DD13EBFC7D5E3E
-
-set -e
-
-usage () {
- printf 'usage: %s hasher file\n' "$0" >&2
- exit 1
-}
-
-get_algo () {
- if test "$1" = sha224sum; then echo SHA224
- elif test "$1" = sha256sum; then echo SHA256
- elif test "$1" = sha384sum; then echo SHA384
- elif test "$1" = sha512sum; then echo SHA512
- elif test "$1" = sha512-224sum; then echo SHA512/224
- elif test "$1" = sha512-256sum; then echo SHA512/256
- elif test "$1" = sha3-224sum; then echo SHA3-224
- elif test "$1" = sha3-256sum; then echo SHA3-256
- elif test "$1" = sha3-384sum; then echo SHA3-384
- elif test "$1" = sha3-512sum; then echo SHA3-512
- elif test "$1" = b2sum; then echo BLAKE2b
- else
- false
- fi
-}
-
-signature_key="$(printf '%s\n' "${signature_key}" | tr -d ' ')"
-
-hasher="$(printf '%s\n' "$1" | sed 's/s$//')"
-file="$2"
-
-if ! algo="$(get_algo "${hasher}")" || test ! -f "${file}"; then
- usage
-fi
-
-
-hash="$(${hasher} -- "${file}" | cut -d ' ' -f 1 | tr A-F a-f)"
-
-pkgname="$(basename -- "${file}" | sed -n 's/-[^-]*\.tar\.gz$//p')"
-pkgver="$(basename -- "${file}" | sed -n 's/^.*-\([^-]*\)\.tar\.gz$/\1/p')"
-
-if test -z "${pkgname}" || test -z "${pkgver}"; then
- usage
-fi
-
-url="https://maandree.se/rel/$pkgname/$pkgver.html"
-
-page="$(curl -sL -- "${url}")"
-sigpage="$(curl -sL -- "${url}.sig")"
-
-
-sigkey="$(curl -L -- "https://maandree.se/.signkey")"
-if test ! "${sigkey}" = "${signature_key}"; then
- printf '\n\033[1m%s\033[m,' 'Expected signature keyfile seems to be out of date' >&2
- printf ' %s' 'have a look at https://maandree.se/ to find the newest and verify that it' >&2
- printf ' %s' 'has been signed by the previous key, continue until you find and old key' >&2
- printf ' %s' 'in the signature chain that is signed by '"${signature_key}"' (or older' >&2
- printf ' %s' 'that you trust). Once verified, update `signature_key` at the top of' >&2
- printf ' %s' 'this file to be the newest key, which should be '"${sigkey}"', and' >&2
- printf ' %s' 'import it into your key collection of PGP keys.' >&2
- printf '\n' >&2
- exit 1
-fi
-
-sigtest="$(printf '%s\n' "${page}" | (printf '%s\n' "${sigpage}" | gpg --status-fd=8 --verify - /dev/fd/9) 9<&0 8>&1 1>&2)"
-if ! printf '%s\n' "${sigtest}" | grep -q '^\[GNUPG:\] VALIDSIG'" ${sigkey} "; then
- printf '\n\033[1m%s\033[m\n' 'The release metadata page seems to be signed with an unexpected key.' >&2
- exit 1
-fi
-
-if ! printf '%s\n' "${page}" | sed 's/<[^>]*>//g' | grep -q '^\s*'"$algo"' checksum: '"${hash}"'\s*$'; then
- printf '\n\033[1m%s\033[m\n' 'Checksum not whitelisted' >&2
- exit 1
-fi
-
-if test -t 1; then
- printf '\nChecksum OK:\n'
-fi
-printf '%s\n' "${hash}"
+.release-scripts/validate-checksum
\ No newline at end of file |