
verify.sh 5.0KB

  1. #!/bin/bash
  2. # Copyright (c) 2016 The Starwels developers
  3. # Distributed under the MIT software license, see the accompanying
  4. # file COPYING or http://www.opensource.org/licenses/mit-license.php.
  5. ### This script attempts to download the signature file SHA256SUMS.asc from
  6. ### github.com/starwels and github.com/starwels and compares them.
  7. ### It first checks if the signature passes, and then downloads the files specified in
  8. ### the file, and checks if the hashes of these files match those that are specified
  9. ### in the signature file.
  10. ### The script returns 0 if everything passes the checks. It returns 1 if either the
  11. ### signature check or the hash check doesn't pass. If an error occurs the return value is 2
  12. function clean_up {
  13. for file in $*
  14. do
  15. rm "$file" 2> /dev/null
  16. done
  17. }
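# Fixed configuration for the verification run.
WORKINGDIR="/tmp/starwels_verify_binaries"
TMPFILE="hashes.tmp"
SIGNATUREFILENAME="SHA256SUMS.asc"
RCSUBDIR="test"
# NOTE(review): HOST1 and HOST2 hold the same URL, so comparing the signature
# file fetched from each cannot detect a compromised or spoofed host. The
# cross-check only adds assurance once the two values point at independent
# mirrors.
HOST1="https://github.com/starwels"
HOST2="https://github.com/starwels"
BASEDIR="/bin/"
VERSIONPREFIX="starwels-"
RCVERSIONSTRING="rc"

# WORKINGDIR is a predictable path in a world-writable directory. Create it
# private to the current user when it does not exist yet.
if [ ! -d "$WORKINGDIR" ]; then
  mkdir -m 700 "$WORKINGDIR"
fi
# Refuse a directory that somebody else prepared: a symlink or a directory
# owned by another user would let that user swap the downloaded files after
# they have been verified.
if [ -L "$WORKINGDIR" ] || [ ! -O "$WORKINGDIR" ]; then
  echo "Error: $WORKINGDIR is a symlink or is not owned by the current user"
  exit 2
fi

cd "$WORKINGDIR" || exit 1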
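# Parse the version argument ($1) into VERSION, RCVERSION, PLATFORM and BASEDIR.
# Accepted shapes (the 'starwels-' prefix is optional):
#   <version>   <version>-<rc>   <version>-<platform>   <version>-<rc>-<platform>
#
# RCVERSION and PLATFORM start out empty. They are only assigned on some of the
# paths below, so without this a value inherited from the caller's environment
# could change the download directory or narrow the set of files whose hashes
# get checked.
RCVERSION=""
PLATFORM=""

if [ -n "$1" ]; then
  # Add the 'starwels-' prefix unless the caller already supplied it.
  if [[ $1 == "$VERSIONPREFIX"* ]]; then
    VERSION="$1"
  else
    VERSION="$VERSIONPREFIX$1"
  fi

  # Drop the last '-'-separated component.
  STRIPPEDLAST="${VERSION%-*}"

  if [[ "$STRIPPEDLAST-" == "$VERSIONPREFIX" ]]; then
    # Only the prefix is left: a bare version with no rc or platform suffix.
    BASEDIR="$BASEDIR$VERSION/"
  else
    # At least one suffix follows the version; drop one more component to
    # find out whether there are one or two of them.
    STRIPPEDNEXTTOLAST="${STRIPPEDLAST%-*}"
    if [[ "$STRIPPEDNEXTTOLAST-" == "$VERSIONPREFIX" ]]; then
      # Exactly one suffix: either a release candidate or a platform name.
      LASTSUFFIX="${VERSION##*-}"
      VERSION="$STRIPPEDLAST"
      # Substring match: any suffix that contains "rc" is taken as a release
      # candidate, including a platform name that happens to contain it.
      if [[ $LASTSUFFIX == *"$RCVERSIONSTRING"* ]]; then
        RCVERSION="$LASTSUFFIX"
      else
        PLATFORM="$LASTSUFFIX"
      fi
    else
      # Two suffixes: release candidate first, platform last.
      RCVERSION="${STRIPPEDLAST##*-}"
      PLATFORM="${VERSION##*-}"
      VERSION="$STRIPPEDNEXTTOLAST"
    fi
    BASEDIR="$BASEDIR$VERSION/"
    # Release candidates live in a '<RCSUBDIR>.<rc>' subdirectory.
    if [[ $RCVERSION == *"$RCVERSIONSTRING"* ]]; then
      BASEDIR="$BASEDIR$RCSUBDIR.$RCVERSION/"
    fi
  fi
else
  echo "Error: need to specify a version on the command line"
  exit 2
fi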
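# Fetch the signature file from HOST1; wget's output is kept for the error report.
if ! WGETOUT=$(wget -N "$HOST1$BASEDIR$SIGNATUREFILENAME" 2>&1); then
  echo "Error: couldn't fetch signature file. Have you specified the version number in the following format?"
  echo "[$VERSIONPREFIX]<version>-[$RCVERSIONSTRING[0-9]] (example: ${VERSIONPREFIX}0.10.4-${RCVERSIONSTRING}1)"
  echo "wget output:"
  echo "$WGETOUT"|sed 's/^/\t/g'
  exit 2
fi

# Fetch a second copy from HOST2 under a different local name.
if ! WGETOUT=$(wget -N -O "$SIGNATUREFILENAME.2" "$HOST2$BASEDIR$SIGNATUREFILENAME" 2>&1); then
  echo "github.com/starwels failed to provide signature file, but github.com/starwels did?"
  echo "wget output:"
  echo "$WGETOUT"|sed 's/^/\t/g'
  clean_up "$SIGNATUREFILENAME"
  exit 3
fi

# Compare the two copies. The exit status is checked as well as the output:
# when diff itself fails (status > 1) it prints nothing on stdout, and looking
# only at the captured text would treat that failure as "files are equal".
SIGFILEDIFFS="$(diff "$SIGNATUREFILENAME" "$SIGNATUREFILENAME.2")"
SIGDIFFRET=$?
if [ "$SIGDIFFRET" -ne 0 ] || [ "$SIGFILEDIFFS" != "" ]; then
  echo "github.com/starwels and github.com/starwels signature files were not equal?"
  clean_up "$SIGNATUREFILENAME" "$SIGNATUREFILENAME.2"
  exit 4
fi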
# Check the signature on the downloaded file. gpg writes the signed payload
# (the hash list) to $TMPFILE and its diagnostics are captured in GPGOUT.
# NOTE(review): nothing here checks WHICH key produced the signature -
# presumably any key in the user's keyring that verifies is accepted. Confirm,
# and consider comparing the signer against the release key fingerprint.
GPGOUT=$(gpg --yes --decrypt --output "$TMPFILE" "$SIGNATUREFILENAME" 2>&1)
# gpg status as handled below: 0 = good signature, 1 = bad signature, 2 = gpg error
RET="$?"
if [ "$RET" -ne 0 ]; then
  case "$RET" in
    1)
      # the signature did not verify
      echo "Bad signature."
      ;;
    2)
      # gpg could not perform the check at all
      echo "gpg error. Do you have the Starwels binary release signing key installed?"
      ;;
  esac
  echo "gpg output:"
  echo "$GPGOUT"|sed 's/^/\t/g'
  clean_up "$SIGNATUREFILENAME" "$SIGNATUREFILENAME.2" "$TMPFILE"
  exit "$RET"
fi
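# Optional platform filter: keep only the hash-list lines that match PLATFORM.
if [ -n "$PLATFORM" ]; then
  # PLATFORM comes from the command line. Quoting it (and the file names)
  # stops word splitting and globbing from turning part of the value into
  # extra grep arguments; "--" stops it from being read as an option.
  # It is still a grep pattern and may match anywhere on a line.
  grep -- "$PLATFORM" "$TMPFILE" > "$TMPFILE-plat"
  # -s is true only for an existing, non-empty file.
  if [ ! -s "$TMPFILE-plat" ]; then
    rm -f -- "$TMPFILE-plat"
    echo "error: no files matched the platform specified"
    exit 3
  fi
  mv -- "$TMPFILE-plat" "$TMPFILE"
fi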
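# Take the file names (second column) from the hash list in $TMPFILE.
FILES=$(awk '{print $2}' "$TMPFILE")

# Download every listed file from HOST1.
# $FILES is left unquoted on purpose: it is a whitespace-separated list.
for file in $FILES
do
  echo "Downloading $file"
  # A failed download is an error (exit 2), not a hash mismatch.
  if ! wget --quiet -N "$HOST1$BASEDIR$file"; then
    echo "Error: couldn't download $file"
    exit 2
  fi
done

# Recompute the hashes locally and compare them with the signed list.
# "--" keeps a listed name that starts with '-' from being read as an option.
DIFF=$(diff <(sha256sum -- $FILES) "$TMPFILE")
# Save diff's status right away. Testing $? a second time in the elif would
# see the status of the preceding [ ... ] test instead, so a diff failure
# (status > 1) would fall through and the script would report success.
HASHRET=$?

if [ "$HASHRET" -eq 1 ]; then
  echo "Hashes don't match."
  echo "Offending files:"
  echo "$DIFF"|grep "^<"|awk '{print "\t"$3}'
  exit 1
elif [ "$HASHRET" -gt 1 ]; then
  echo "Error executing 'diff'"
  exit 2
fi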
# Final step. A non-empty second argument asks for everything that was
# downloaded to be removed; otherwise only the temporary hash list goes.
if [ -z "$2" ]; then
  echo "Keep the binaries in $WORKINGDIR"
  clean_up "$TMPFILE"
else
  echo "Clean up the binaries"
  # FILES is a whitespace-separated list, so it stays unquoted here.
  clean_up $FILES "$SIGNATUREFILENAME" "$SIGNATUREFILENAME.2" "$TMPFILE"
fi

# Report the files whose hashes were checked and signal success.
echo -e "Verified hashes of \n$FILES"
exit 0