| author | Mattias Andrée <m@maandree.se> | 2025-02-27 22:46:22 +0100 | 
|---|---|---|
| committer | Mattias Andrée <m@maandree.se> | 2025-02-27 22:46:22 +0100 | 
| commit | 7031307bba82993830b2391cefc96fd132b4e064 (patch) | |
| tree | 8f6601da186197948ecebf066f28fdcb6bbfee61 /validate-checksum | |
| download | release-scripts-7031307bba82993830b2391cefc96fd132b4e064.tar.gz release-scripts-7031307bba82993830b2391cefc96fd132b4e064.tar.bz2 release-scripts-7031307bba82993830b2391cefc96fd132b4e064.tar.xz | |
First import of scripts
Signed-off-by: Mattias Andrée <m@maandree.se>
Diffstat (limited to '')
| -rwxr-xr-x | validate-checksum | 89 | 
1 files changed, 89 insertions, 0 deletions
diff --git a/validate-checksum b/validate-checksum
new file mode 100755
index 0000000..6155620
--- /dev/null
+++ b/validate-checksum
@@ -0,0 +1,89 @@
+#!/bin/sh
+signature_key=3683C4B70CFA859F0173F2CCE0DD13EBFC7D5E3E
+
+
+# Copyright © 2025  Mattias Andrée (m@maandree.se)
+# 
+# Copying and distribution of this script, with or without modification,
+# are permitted in any medium without royalty provided the copyright
+# notice and this notice are preserved.  This script is offered as-is,
+# without any warranty.
+
+
+set -e
+
+usage () {
+	printf 'usage: %s hasher file\n' "$0" >&2
+	exit 1
+}
+
+get_algo () {
+	if   test "$1" = sha224sum;     then echo SHA224
+	elif test "$1" = sha256sum;     then echo SHA256
+	elif test "$1" = sha384sum;     then echo SHA384
+	elif test "$1" = sha512sum;     then echo SHA512
+	elif test "$1" = sha512-224sum; then echo SHA512/224
+	elif test "$1" = sha512-256sum; then echo SHA512/256
+	elif test "$1" = sha3-224sum;   then echo SHA3-224
+	elif test "$1" = sha3-256sum;   then echo SHA3-256
+	elif test "$1" = sha3-384sum;   then echo SHA3-384
+	elif test "$1" = sha3-512sum;   then echo SHA3-512
+	elif test "$1" = b2sum;         then echo BLAKE2b
+	else
+		false
+	fi
+}
+
+signature_key="$(printf '%s\n' "${signature_key}" | tr -d ' ')"
+
+hasher="$(printf '%s\n' "$1" | sed 's/s$//')"
+file="$2"
+
+if ! algo="$(get_algo "${hasher}")" ||  test ! -f "${file}"; then
+	usage
+fi
+
+
+hash="$(${hasher} -- "${file}" | cut -d ' ' -f 1 | tr 'A-F' 'a-f')"
+
+pkgname="$(basename -- "${file}" | sed -n 's/-[^-]*\.tar\.gz$//p')"
+pkgver="$(basename -- "${file}" | sed -n 's/^.*-\([^-]*\)\.tar\.gz$/\1/p')"
+
+if test -z "${pkgname}" || test -z "${pkgver}"; then
+	usage
+fi
+
+url="https://maandree.se/rel/$pkgname/$pkgver.html"
+
+page="$(curl -sL "${url}")"
+sigpage="$(curl -sL "${url}.sig")"
+
+
+sigkey="$(curl -L -- "https://maandree.se/.signkey")"
+if test ! "${sigkey}" = "${signature_key}"; then
+	printf '\n\033[1m%s\033[m,' 'Expected signature keyfile seems to be out of date' >&2
+	printf ' %s' 'have a look at https://maandree.se/ to find the newest and verify that it' >&2
+	printf ' %s' 'has been signed by the previous key, continue until you find and old key' >&2
+	printf ' %s' 'in the signature chain that is signed by '"${signature_key}"' (or older' >&2
+	printf ' %s' 'that you trust). Once verified, update `signature_key` at the top of' >&2
+	printf ' %s' 'this file to be the newest key, which should be '"${sigkey}"', and' >&2
+	printf ' %s' 'import it into your key collection of PGP keys.' >&2
+	printf '\n' >&2
+	exit 1
+fi
+
+sigtest="$(printf '%s\n' "${page}" | (printf '%s\n' "${sigpage}" | gpg --status-fd=8 --verify - /dev/fd/9) 9<&0 8>&1 1>&2)"
+if ! printf '%s\n' "${sigtest}" | grep -q '^\[GNUPG:\] VALIDSIG'" ${sigkey} "; then
+	printf '\n\033[1m%s\033[m\n' 'The release metadata page seems to be signed with an unexpected key.' >&2
+	exit 1
+fi
+
+if ! printf '%s\n' "${page}" | sed 's/<[^>]*>//g' | grep -q '^\s*'"$algo"' checksum: '"${hash}"'\s*$'; then
+	printf '\n\033[1m%s\033[m\n' 'Checksum not whitelisted' >&2
+	exit 1
+fi
+
+if test -t 1; then
+	printf '\nChecksum OK:\n'
+fi
+printf '%s\n' "${hash}" | 
