Last active
September 2, 2020 11:39
Don't trust, verify! How to make sure that all files have not been tampered with and are signed by one of the release maintainers.
Hello World |
d2a84f4b8b650937ec8f73cd8be2c74add5a911ba64df27458ed8229da804a26 test.txt |
-----BEGIN PGP SIGNATURE----- | |
iQIzBAABCAAdFiEEksL5+RunkK1CmZ/Q9ih7gsyEvL0FAl9PgGIACgkQ9ih7gsyE | |
vL20Mw//dtDboYt34uHQnz/I7Fwfut3CLb/nJaSCCh+RHzRWWdGqOMAsPwyqyGIW | |
fj8HpsFoNXFT639Lr5gLbxbXR6bxt82Lb72BFBB4mk4i1OFb+L21cc1dav7RfyGh | |
0L3k22rCDPt5Y3RiFNmhuRk6gP4EW7IR96WelGlxNHdwIgsWMG7fWwsp6ADxL5zp | |
5vp5a0MML5aYI8lxNqu+MCiVo5A1KgesVsa5ywgwUjJosIi1thEdVAuan69wVu4h | |
3c8b4G3pCO6mT/S3+lwRonOzozNVoyMR25PVTs9mU6YYQpUv2AxUaDo3vVPObccH | |
tWT+bnwEFT75HKhzg5LgJuhFVQqyiZnp3BhK1faOCPtHjmjavzuGI+ncN98NbXDX | |
Z+63hNzpfUQJOGQRVp9Hect0Us7y3InW+t0Jexft7fDfjwLN6p+Nr1P/kB8KM9EA | |
L6h2elEqg6lyfPbSfgf7aWstXAjgWsmiEPY30Xjdmc/RhT1Ji07zG3su1j3dlIFN | |
nl3bpTO/XB9nZzlgBTB528/4zDPfMar0Lf3EqjV310a0TPC2jmOIZtuAIQd4TzKw | |
Kgb3tcSe2J0yyh9eXjWg3dL6aWYGsZo6SZEZYPWPgh/VUbTAn8rY/b2dt3J+VyZ5 | |
XrI9rC5LZLYj3lSEU7f86bJLrFRdijQ0eRp3RMwj/kvTUSGE1bw= | |
=Xfbz | |
-----END PGP SIGNATURE----- |
#!/bin/bash | |
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, | |
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF | |
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. | |
# IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR | |
# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, | |
# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR | |
# OTHER DEALINGS IN THE SOFTWARE. | |
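#######################################
# Abort the script unless every named command can be resolved by the shell.
# Arguments: zero or more command names (executables, builtins or functions)
# Outputs:   an error message on stderr naming the first missing command
# Returns:   0 when every name resolves; otherwise exits the shell with 1
#######################################
check_dependencies () {
  local cmd
  for cmd in "$@"; do
    # The name is quoted so it is looked up as exactly one word. Unquoted, a
    # value with whitespace or glob characters would be split or expanded
    # first, and `command -v` succeeds as soon as any one of the resulting
    # words resolves.
    if ! command -v "$cmd" >/dev/null 2>&1; then
      echo "This script requires \"${cmd}\" to be installed" >&2
      exit 1
    fi
  done
}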
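# Fail early if a required tool is missing (getopts is a shell builtin, which
# `command -v` resolves as well).
check_dependencies sha256sum getopts gpg

# Start from an empty value so that a FILENAME inherited from the environment
# can never stand in for the -f argument.
FILENAME=""

# The leading ':' selects getopts' silent error mode. Without it the shell
# reports a missing option argument as '?', and the ':' arm below is never
# reached.
while getopts ':f:h' flag; do
  case "${flag}" in
    f) FILENAME=${OPTARG} ;;
    h)
      echo "Usage: "
      echo " verify.sh -h Displays this help message"
      echo " verify.sh -f <filename> Checks sha256sum of a file"
      exit 0
      ;;
    \?)
      echo "Invalid option. Try -h for options" >&2
      exit 1
      ;;
    :)
      echo "Invalid Option: -$OPTARG requires an argument" 1>&2
      exit 1
      ;;
  esac
done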
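# A filename is mandatory. The expansions are quoted so that an empty value,
# or a path containing spaces or glob characters, is tested as one word
# instead of being split into several arguments to `[`.
if [ -z "${FILENAME}" ]; then
  echo "Error: Must specify a filename with the -f flag" >&2
  exit 1
fi

# Only a regular file that exists can be hashed.
if [ ! -f "${FILENAME}" ]; then
  echo "Filename ${FILENAME} does not exist!" >&2
  exit 1
fi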
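# The published checksum must exist before anything can be compared.
if [ ! -f "${FILENAME}.sha256" ]; then
  echo "Checksum file ${FILENAME}.sha256 does not exist!" >&2
  exit 1
fi

# Digest of the file as it is on disk. Input redirection keeps a name that
# starts with '-' from being read as an option.
SHA256SUM=$(sha256sum < "${FILENAME}" | awk '{print $1}')
# Published digest: first field of the first line only, so the comparison
# below always sees a single word.
SHA256SUMFILE=$(awk 'NR == 1 {print $1}' < "${FILENAME}.sha256")

# 64-bit key ID (You can get it from gpg --keyid-format LONG --list-keys)
# NOTE(review): a 64-bit ID is a weak pin. Prefer the maintainer's full
# 40-hex-digit fingerprint, obtained out of band; the signer check further
# down accepts either form because it matches on the fingerprint suffix.
GPGKEY="F6287B82CC84BCBD"

# Fetch the key over TLS. A failure is only a warning: the key may already be
# in the local keyring, and verification fails later if it is not.
if ! gpg --keyserver hkps://keyserver.ubuntu.com --recv-key "${GPGKEY}"; then
  echo "Warning: could not fetch key ${GPGKEY} from the keyserver" >&2
fi

# Step 1: the file must hash to the published value. An empty digest is a
# failure and never counts as a match.
if [ -z "${SHA256SUM}" ] || [ "${SHA256SUM}" != "${SHA256SUMFILE}" ]; then
  echo "Not ok"
  echo "Filename Hash ${SHA256SUM} but got ${SHA256SUMFILE} for the hash file. Please check"
  exit 1
fi
# "OK" refers to the checksum only; the signature is checked next.
echo "OK"

# Step 2: the checksum file must carry a detached signature.
# side note: signing is done with
#   gpg --armor --output test.txt.sha256.asc --detach-sig test.txt.sha256
if [ ! -f "${FILENAME}.sha256.asc" ]; then
  echo "GPG signed file doesn't exist! Maintainer needs to sign with output and --detach-sig option" >&2
  exit 1
fi

# Name the signed data explicitly and capture the machine-readable status
# lines; gpg's human-readable report still goes to stderr.
GPGSTATUS=$(gpg --status-fd 1 --verify -- "${FILENAME}.sha256.asc" "${FILENAME}.sha256")
GPGRESULT=$?

# The script's exit status must reflect the signature check: a bad or
# unverifiable signature is a failure.
if [ "${GPGRESULT}" -ne 0 ]; then
  echo "Signature verification failed for ${FILENAME}.sha256" >&2
  exit 1
fi

# gpg exits 0 for a good signature from ANY key in the keyring, so also
# require that the signing key, or its primary key, is the pinned one.
if ! printf '%s\n' "${GPGSTATUS}" | awk -v key="${GPGKEY}" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
      want = toupper(key)
      n = length(want)
      signer = toupper($3)
      primary = toupper($NF)
      if (substr(signer, length(signer) - n + 1) == want ||
          substr(primary, length(primary) - n + 1) == want) {
        found = 1
      }
    }
    END { exit(found ? 0 : 1) }'; then
  echo "Signature is valid but was not made by key ${GPGKEY}" >&2
  exit 1
fi

exit 0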