@ClashTheBunny
Last active December 5, 2015 16:44
Verify checksums of Ubuntu or Debian files.
#!/bin/bash
# Install the keys for the distribution (apt-cache search keyring | grep -i pg | grep -i keyring):
# e.g. (Ubuntu): apt-get install debian-archive-keyring debian-keyring ubuntu-keyring ubuntu-extras-keyring
# e.g. (Debian): apt-get install debian-archive-keyring debian-keyring ubuntu-archive-keyring
# Download all of the *SUMS and *SUMS.gpg from the mirror that you use and check them by running verify.sh <file-to-verify>:
# I wanted to verify netboot.tar.gz, so I ran "verify.sh netboot.tar.gz" and got:
# sh ./588e8ff9ca5123edd019/verify.sh netboot.tar.gz
# MD5SUMS.gpg
# gpg: Signature made Wed 22 Oct 2014 08:40:30 PM EEST using DSA key ID 437D05B5
# gpg: Good signature from "Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>"
# gpg: Signature made Wed 22 Oct 2014 08:40:30 PM EEST using RSA key ID C0B21F32
# gpg: Good signature from "Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>"
# SHA1SUMS.gpg
# gpg: Signature made Wed 22 Oct 2014 08:40:30 PM EEST using DSA key ID 437D05B5
# gpg: Good signature from "Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>"
# gpg: Signature made Wed 22 Oct 2014 08:40:30 PM EEST using RSA key ID C0B21F32
# gpg: Good signature from "Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>"
# SHA256SUMS.gpg
# gpg: Signature made Wed 22 Oct 2014 08:40:30 PM EEST using DSA key ID 437D05B5
# gpg: Good signature from "Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>"
# gpg: Signature made Wed 22 Oct 2014 08:40:30 PM EEST using RSA key ID C0B21F32
# gpg: Good signature from "Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>"
# SHA1SUMS:22aa4d98b0cb7e104bb83b6cc9efad49a5d060d9 ./netboot/netboot.tar.gz
# MD5SUMS:fba795b43d8400caef912f91469099d0 ./netboot/netboot.tar.gz
# SHA256SUMS:dd8cdc7138be73618c5b42a2eee80dbdd4e304bbb75abce0954c66b51eb5343f ./netboot/netboot.tar.gz
# Since all of the sum files have a good signature and since the sums match the sum of the file, it's a good
# download as far as I can trust the machine where I'm verifying the data.
# Import the keys into the local user's keychain if needed:
gpg --verify MD5SUMS.gpg MD5SUMS 2>&1 | grep -i "key ID" | sed -e 's/.* key ID //' | xargs gpg --list-keys 2>/dev/null | grep -q "." || dpkg -l | grep -i -- -keyring | grep PG | awk '{print $2}' | while read -r keyring; do dpkg -L "$keyring" | grep 'gpg$' | xargs gpg --import; done
# Verify the checksum files:
for foo in *.gpg; do echo "$foo"; gpg --verify "$foo" "${foo%.gpg}" 2>&1 | grep -i -e "using .* key" -e "good signature"; done
# Did each SUM file say that it had a good signature from somebody that you trust?
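# Check the file against the SUM files (refuse to run without a file name, otherwise the *sum tools would read stdin):
[ -n "$1" ] || { echo "usage: verify.sh <file-to-verify>" >&2; exit 1; }
for sum in sha1 md5 sha256; do grep "$(${sum}sum "$1" | awk '{print $1}')" *SUMS; done
# Check Packages.xz against the Release file:
for sum in sha1 md5 sha256; do grep "$(${sum}sum Packages.xz | awk '{print $1}')" Release; done
# Check the file against its own entry in Packages.xz:
for foo in sha1 md5 sha256; do grep "$(${foo}sum "$1" | awk '{print $1}')" <(xzcat Packages.xz | grep -A15 "$1"); done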
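
A fail-closed variant of the checks above, added here as an example and not part of the original gist: it relies on exit status instead of reading the "Good signature" lines by eye, and it matches the checksum line by exact file name. The function names, the `KEYRING` variable and its default path (the archive keyring installed by the ubuntu-keyring package) are assumptions, and only SHA-256 is checked.

```shell
#!/bin/sh
# Added example, not part of the original gist.
# Assumption: keyring path as installed by the ubuntu-keyring package.
KEYRING="${KEYRING:-/usr/share/keyrings/ubuntu-archive-keyring.gpg}"

# sums_signed SUMSFILE
# Succeeds only if SUMSFILE.gpg is a valid detached signature over SUMSFILE
# from a key in $KEYRING. gpgv treats every key in that keyring as trusted,
# so point it only at the archive keyring.
sums_signed() {
    gpgv --keyring "$KEYRING" "$1.gpg" "$1" >/dev/null 2>&1
}

# sum_matches SUMSFILE ENTRY FILE
# Succeeds only if the line naming exactly ENTRY in SUMSFILE carries the
# SHA-256 of FILE. A missing entry and a mismatch both fail.
# Assumption: entry names contain no whitespace.
sum_matches() {
    expected=$(awk -v name="$2" '
        { n = $2; sub(/^\*/, "", n) }   # drop the "*" binary-mode marker
        n == name { print $1; exit }' "$1")
    [ -n "$expected" ] || return 1
    actual=$(sha256sum "$3" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# verify_download SUMSFILE ENTRY FILE
# Signature first, checksum second; any failure returns non-zero.
verify_download() {
    sums_signed "$1" || { echo "FAIL: no valid signature on $1" >&2; return 1; }
    sum_matches "$1" "$2" "$3" || { echo "FAIL: $3 does not match $2 in $1" >&2; return 1; }
    echo "OK: $3"
}

# Example: sh verify-strict.sh SHA256SUMS ./netboot/netboot.tar.gz netboot.tar.gz
if [ "$#" -eq 3 ]; then verify_download "$@"; fi
```
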