validate-checksum


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78

#!/bin/sh
signature_key=3683C4B70CFA859F0173F2CCE0DD13EBFC7D5E3E

set -e

usage () {
	printf 'usage: %s hasher file\n' "$0" >&2
	exit 1
}

get_algo () {
	if   test "$1" = sha224sum;     then echo SHA224
	elif test "$1" = sha256sum;     then echo SHA256
	elif test "$1" = sha384sum;     then echo SHA384
	elif test "$1" = sha512sum;     then echo SHA512
	elif test "$1" = sha512-224sum; then echo SHA512/224
	elif test "$1" = sha512-256sum; then echo SHA512/256
	elif test "$1" = sha3-224sum;   then echo SHA3-224
	elif test "$1" = sha3-256sum;   then echo SHA3-256
	elif test "$1" = sha3-384sum;   then echo SHA3-384
	elif test "$1" = sha3-512sum;   then echo SHA3-512
	elif test "$1" = b2sum;         then echo BLAKE2b
	else
		false
	fi
}

signature_key="$(printf '%s\n' "${signature_key}" | tr -d ' ')"

hasher="$(printf '%s\n' "$1" | sed 's/s$//')"
file="$2"

if ! algo="$(get_algo "${hasher}")" ||  test ! -f "${file}"; then
	usage
fi


hash="$(${hasher} -- "${file}" | cut -d ' ' -f 1 | tr 'A-F' 'a-f')"

pkgname="$(basename -- "${file}" | sed -n 's/-[^-]*\.tar\.gz$//p')"
pkgver="$(basename -- "${file}" | sed -n 's/^.*-\([^-]*\)\.tar\.gz$/\1/p')"

if test -z "${pkgname}" || test -z "${pkgver}"; then
	usage
fi

url="https://maandree.se/rel/$pkgname/$pkgver.html"

page="$(curl -sL "${url}")"
sigpage="$(curl -sL "${url}.sig")"


sigkey="$(curl -L -- "https://maandree.se/.signkey")"
if test ! "${sigkey}" = "${signature_key}"; then
	printf '\n\033[1m%s\033[m,' 'Expected signature keyfile seems to be out of date' >&2
	printf ' %s' 'have a look at https://maandree.se/ to find the newest and verify that it' >&2
	printf ' %s' 'has been signed by the previous key, continue until you find and old key' >&2
	printf ' %s' 'in the signature chain that is signed by '"${signature_key}"' (or older' >&2
	printf ' %s' 'that you trust). Once verified, update `signature_key` at the top of' >&2
	printf ' %s' 'this file to be the newest key, which should be '"${sigkey}"', and' >&2
	printf ' %s' 'import it into your key collection of PGP keys.' >&2
	printf '\n' >&2
	exit 1
fi

sigtest="$(printf '%s\n' "${page}" | (printf '%s\n' "${sigpage}" | gpg --status-fd=8 --verify - /dev/fd/9) 9<&0 8>&1 1>&2)"
if ! printf '%s\n' "${sigtest}" | grep -q '^\[GNUPG:\] VALIDSIG'" ${sigkey} "; then
	printf '\n\033[1m%s\033[m\n' 'The release metadata page seems to be signed with an unexpected key.' >&2
	exit 1
fi

if ! printf '%s\n' "${page}" | sed 's/<[^>]*>//g' | grep -q '^\s*'"$algo"' checksum: '"${hash}"'\s*$'; then
	printf '\n\033[1m%s\033[m\n' 'Checksum not whitelisted' >&2
	exit 1
fi

printf '\nChecksum OK:\n' >&2
printf '%s\n' "${hash}"