Created
December 21, 2014 21:10
A bash script for verifying Gitian signatures for Bitcoin Core.
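#!/bin/bash
################################
# Gitian Downloader and Verifier
################################

# File names of the developer signing keys that the script downloads and
# imports into its throwaway GnuPG home. Every key listed here is later
# accepted as a signer of SHA256SUMS.asc and of the Gitian assert files.
# NOTE(review): keys are identified by file name only. No fingerprints are
# pinned, so the trust anchor is whatever the download returns for these names.
declare -a github_keys=(
  "aschildbach-key.pgp"
  "bluematt-key.pgp"
  "cfields-key.pgp"
  "devrandom-key.pgp"
  "gavinandresen-key.pgp"
  "laanwj-key.pgp"
  "luke-jr-key.pgp"
  "michagogo-key.pgp"
  "sipa-key.pgp"
  "tcatm-key.pgp"
  "wtogami-key.pgp"
)

#declare -a bitcoin_org_keys=("andreas_schildbach.asc" "gavinandresen.asc" \
# "gmaxwell.asc" "jgarzik-bitpay.asc" "jgarzik-exmulti.asc" "laanwj.asc" \
# "luke-jr.asc" "pieterwuille.asc" "satoshinakamoto.asc" "schneider.asc"

# Directory names in the gitian.sigs repository whose assert files and
# detached signatures are fetched and checked.
declare -a gitian_verifiers=(
  "aschildbach"
  "cfields"
  "gavinandresen"
  "laanwj"
  "michagogo"
)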
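# Parse command-line options. Only -h (help) exists and it takes no argument,
# so the optstring is "h". The previous "h:" made -h require an argument, so
# a bare -h produced a getopts error instead of the help text.
while getopts h f; do
  case "$f" in
    h)
      printf '%s [-h]\n\n' "$(basename -- "$0")"
      printf 'OPTIONS\n'
      printf -- '-h\t\tThis text.\n'
      exit 0
      ;;
    *)
      # Unknown option: getopts has already printed a diagnostic.
      printf '%s [-h]\n' "$(basename -- "$0")" >&2
      exit 2
      ;;
  esac
done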
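# create temp_dir to do all operations in
# Stop if the directory cannot be created or entered; otherwise every later
# download and the GnuPG home would land in the caller's working directory.
temp_dir=$(mktemp -d)
if [ -z "$temp_dir" ] || ! cd -- "$temp_dir"; then
  printf 'Could not create or enter a temporary directory\n' >&2
  exit 1
fi
printf 'temp_dir is %s\n' "$temp_dir"

# get current version
page='https://bitcoin.org/en/download'
version=$(curl -fsS "$page" | sed -rn 's/.*Latest version: [^0-9]*([0-9.]+).*/\1/p')
# The version is scraped from a web page and then interpolated into URLs and
# file names, so accept only a single dotted-number string. An empty result
# (download failed, page layout changed) or several matches are rejected here.
if ! [[ "$version" =~ ^[0-9]+(\.[0-9]+)*$ ]]; then
  printf 'Could not determine the current version from %s\n' "$page" >&2
  exit 1
fi
printf 'Version of Bitcoin being downloaded is %s\n' "$version"

# get binary
binary_url="https://bitcoin.org/bin/$version/bitcoin-$version-linux.tar.gz"
printf 'Download URL of binary is %s\n' "$binary_url"
if ! wget "$binary_url"; then
  printf 'Download of %s failed\n' "$binary_url" >&2
  exit 1
fi

# get sha256sums
sha_sums="https://bitcoin.org/bin/$version/SHA256SUMS.asc"
printf 'Download URL of sha256sums is %s\n' "$sha_sums"
if ! wget "$sha_sums"; then
  printf 'Download of %s failed\n' "$sha_sums" >&2
  exit 1
fi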
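# Keys are kept in their own sub-directory. If it cannot be created or entered
# the script stops: continuing would make the later "cd .." leave the working
# directory the rest of the script relies on.
if ! mkdir github_keys || ! cd github_keys; then
  printf 'Could not create or enter the github_keys directory\n' >&2
  exit 1
fi

# get signing keys for Bitcoin devs from GitHub
# NOTE(review): the keys come from the master branch over HTTPS and are not
# compared with known fingerprints, so their authenticity rests on that
# download alone. Comparing fingerprints with an independent source before
# trusting the result is advisable.
base_key_url="https://github.com/bitcoin/bitcoin/raw/master/contrib/gitian-downloader/"
for key in "${github_keys[@]}"
do
  key_url="$base_key_url$key"
  printf 'Downloading %s signing key from %s\n' "$key" "$key_url"
  # A missing key must not go unnoticed: stop instead of importing a partial set.
  if ! wget "$key_url"; then
    printf 'Download of %s failed\n' "$key_url" >&2
    exit 1
  fi
done
cd .. || exit 1

#mkdir bitcoin_org_keys && cd bitcoin_org_keys
# get keys for Bitcoin devs from bitcoin.org
#base_key_url="https://bitcoin.org/"
#for key in "${bitcoin_org_keys[@]}"
#do
# key_url=$base_key_url$key
# printf "Downloading $key key from $key_url\n"
# wget $key_url
#done
#cd ..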
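# Use a dedicated GnuPG home, readable by the owner only, so that signature
# checks consider only the keys imported below and not the user's own keyring.
if ! mkdir gpg-home || ! chmod 700 gpg-home; then
  printf 'Could not create the gpg-home directory\n' >&2
  exit 1
fi

# import github_keys
for key in "${github_keys[@]}"
do
  output=$(gpg --homedir gpg-home --import "github_keys/$key")
  ret=$?
  if [ "$ret" -ne 0 ]; then
    printf 'Error with importing key %s\n' "$key"
    printf 'GPG output:\n'
    # gpg output is data, never a printf format string.
    printf '%s\n' "$output" | sed 's/^/\t/g'
    exit "$ret"
  fi
done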
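# verify signature on sha256sums
# gpg checks the signature on SHA256SUMS.asc against the keys in gpg-home and
# writes the signed text to stdout; that text is kept in $output because the
# hash lookup further down reads it.
# NOTE(review): a signature made by any key imported into gpg-home passes this
# step. The check is not pinned to one specific release-signing key.
output=$(gpg --yes --homedir gpg-home --decrypt SHA256SUMS.asc)
ret=$?
if [ "$ret" -ne 0 ]; then
  if [ "$ret" -eq 1 ]; then
    printf 'Bad signature\n'
  elif [ "$ret" -eq 2 ]; then
    printf 'Unspecified GPG error\n'
  fi
  printf 'GPG output:\n'
  # gpg output is data, never a printf format string.
  printf '%s\n' "$output" | sed 's/^/\t/g'
  exit "$ret"
fi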
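# get sha256sum of binary
# Look up the expected hash in the signed text held in $output and compare it
# with the hash of the downloaded file.
filename="bitcoin-$version-linux.tar.gz"

# The lookup is keyed on $filename. The previous pattern hard-coded the
# 0.9.3 file name, so it found nothing for any other version.
# A leading "*" on the name (sha256sum binary-mode marker) is accepted too.
rematch=$(printf '%s\n' "$output" \
  | awk -v name="$filename" '$2 == name || $2 == "*" name { print $1 }')
# Fail closed: exactly one 64-digit hex value must be found. An empty or
# multi-line result is an error, never a value to compare.
if ! [[ "$rematch" =~ ^[A-Fa-f0-9]{64}$ ]]; then
  printf 'No unique sha256sum for %s found in decrypted SHA256SUMS.asc\n' "$filename"
  exit 1
fi
printf 'sha256sum of %s is %s\n' "$filename" "$rematch"

sha256sum=$(sha256sum -- "$filename" | awk '{ print $1 }')
# Same rule for the computed side: a missing or unreadable file yields an
# empty string, which previously compared equal to an empty lookup result.
if ! [[ "$sha256sum" =~ ^[A-Fa-f0-9]{64}$ ]]; then
  printf 'Could not calculate sha256sum of %s\n' "$filename"
  exit 1
fi
printf 'Calculated sha256sum of %s is %s\n' "$filename" "$sha256sum"

if [ "$sha256sum" == "$rematch" ]; then
  printf 'sha256sum of %s matches that from decrypted SHA256SUMS.asc\n' "$filename"
else
  printf 'sha256sum of %s does not match that from decrypted SHA256SUMS.asc\n' "$filename"
  exit 1
fi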
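# Assert files are stored as gitian/<verifier>/. Stop if the directory cannot
# be created or entered, so that the later "cd .." calls stay balanced.
if ! mkdir gitian || ! cd gitian; then
  printf 'Could not create or enter the gitian directory\n' >&2
  exit 1
fi

# get gitian asserts and signatures for current version
base_assert_url="https://github.com/bitcoin/gitian.sigs/raw/master/"
for verifier in "${gitian_verifiers[@]}"
do
  if ! mkdir "$verifier" || ! cd "$verifier"; then
    printf 'Could not create or enter directory %s\n' "$verifier" >&2
    exit 1
  fi
  assert_url="$base_assert_url$version/$verifier/bitcoin-build.assert"
  sig_url="$assert_url.sig"
  # Both files are needed for the signature check; a failed download is fatal.
  if ! wget "$assert_url"; then
    printf 'Download of %s failed\n' "$assert_url" >&2
    exit 1
  fi
  if ! wget "$sig_url"; then
    printf 'Download of %s failed\n' "$sig_url" >&2
    exit 1
  fi
  cd .. || exit 1
done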
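# check gitian signatures
# For every verifier, check the detached signature over bitcoin-build.assert
# with the keys in gpg-home. All verifiers must pass.
# NOTE(review): this step only shows that each assert file carries a valid
# signature from some key in gpg-home. It does not check that the signing key
# belongs to the verifier the directory is named after, and nothing in this
# script reads the hashes inside the assert file or compares them with the
# downloaded binary. The binary itself is covered only by the SHA256SUMS.asc
# comparison.
for verifier in "${gitian_verifiers[@]}"
do
  cd "$verifier" || exit 1
  # Name the signed file explicitly instead of letting gpg derive it from the
  # signature file name.
  output=$(gpg --yes --homedir ../../gpg-home \
    --verify bitcoin-build.assert.sig bitcoin-build.assert)
  ret=$?
  if [ "$ret" -ne 0 ]; then
    printf 'Unspecified GPG error\n'
    printf 'GPG output:\n'
    # gpg output is data, never a printf format string.
    printf '%s\n' "$output" | sed 's/^/\t/g'
    exit "$ret"
  fi
  cd .. || exit 1
done
cd .. || exit 1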
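# everything ran successfully
# Copy first and report afterwards, so the success message is printed only
# when the binary really is in the home directory.
if ! cp -- "$filename" ~; then
  printf 'Could not copy %s to the home directory\n' "$filename" >&2
  exit 1
fi
printf 'Verification successful, you can use binary %s in ~/%s\n' "$filename" "$filename"
exit 0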