```bash
#!/bin/bash
# Download binaryfate's GPG key
wget -q -O binaryfate.asc https://raw.githubusercontent.com/monero-project/monero/master/utils/gpg_keys/binaryfate.asc
# Verify binaryfate's GPG key
echo "1. Verify binaryfate's GPG key: "
gpg --keyid-format long --with-fingerprint binaryfate.asc
# Prompt user to confirm the key matches that posted on https://src.getmonero.org/resources/user-guides/verification-allos-advanced.html
echo
read -p "Does the above output match https://src.getmonero.org/resources/user-guides/verification-allos-advanced.html? " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]
then
    # Import binaryfate's GPG key
    echo
    echo "----------------------------"
    echo "2. Import binaryfate's GPG key"
    gpg --import binaryfate.asc
else
    # Without a key the user has confirmed, the signature check on hashes.txt proves nothing
    echo "Key not confirmed, aborting."
    exit 1
fi
# Delete stale .bz2 Monero downloads (-f: no error when there are none)
rm -f monero-linux-x64-*.tar.bz2
# Download hashes.txt
wget -q -O hashes.txt https://getmonero.org/downloads/hashes.txt
# Verify hashes.txt
echo
echo "--------------------"
echo "3. Verify hashes.txt"
# Stop here if the signature on hashes.txt does not check out; otherwise
# step 5 would compare the download against hashes nobody vouched for
if ! gpg --verify hashes.txt
then
    echo
    echo -e "\e[31mDANGER: hashes.txt failed signature verification\e[0m"
    exit 1
fi
# Download latest 64-bit binaries
echo
echo "-------------------------------------"
echo "4. Download latest Linux binaries"
echo "Downloading..."
wget -q --content-disposition https://downloads.getmonero.org/cli/linux64
# Verify shasum of downloaded binaries
echo
echo "---------------------------------------"
echo "5. Verify hashes of downloaded binaries"
# -s: silent, the exit status alone reports the result
# --ignore-missing: hashes.txt lists every build, only the linux64 one is here
if shasum -a 256 -c hashes.txt -s --ignore-missing
then
    echo
    echo "Success: The downloaded binaries verified properly!"
else
    echo
    echo -e "\e[31mDANGER: The downloaded binaries have been tampered with or corrupted\e[0m"
    rm -f monero-linux-x64-*.tar.bz2
    exit 1
fi
```
I'm not sure the hash checking is doing what you think it does. I think it could be improved by making the conditional on line 42 into

How would you propose implementing that?

The current version does properly verify that the hash of the file is in `hashes.txt`, and errors out if not.

I am just suggesting you use what I put above. If I'm reading your code right, it's not necessarily validating that the hash you generate is equal to the one you made the SHA of. You're just checking that the SHA is in the file. Using `shasum` to check actually validates that the hash on a line matches the SHA sum of the file that is on the same line.

Running that command when I've forced the SHA hash to not match does not change the output at all, as you're just ignoring missing files. Did you mean to have it be something like:

```
shasum -a 256 -c hashes.txt --ignore-missing | grep 'FAILED' | wc -l
```

If I replace line 42 with `if shasum -a 256 -c hashes.txt --ignore-missing | grep 'FAILED' | wc -l`, I get the following output, which works properly:

```
---------------------------------------
5. Verify hashes of downloaded binaries
shasum: WARNING: 19 lines are improperly formatted
0
Success: The downloaded binaries verified properly!
```

The `--ignore-missing` is there because you're only downloading one tar. If you had them all, then you wouldn't need it. The `-s` causes it to be silent but still output a non-zero exit code on failure. This allows your conditional to still function correctly without polluting the terminal output. What you're suggesting looks like it would work as well, but it would probably still output a number and may cause your conditional to always pass, since I believe that `wc` will give you a positive exit code no matter what you do. So that conditional will actually not be good at all now that I'm thinking about it, because I think it will always pass.

Thanks, that makes sense to me after taking a deeper look at how `shasum` works 👍

Made the change!

shasum was missing from Debian 11 in my case. Installing libdigest-sha-perl solves this.