Permalink
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
executable file 220 lines (198 sloc) 6.99 KB
#!/bin/bash
# Attempts to verify that the latest build corresponds to the bytecode.
# Main requirement is to run the script on a system using the same Java compiler as the system that released it.
# For builds by toad, this is Sun 1.6.0_26 (sun-java6-jdk; 6.26-0squeeze1) on Debian Squeeze.
# For builds by operhiem1 build 1473 or later, this is openjdk-7-jdk 7u101-2.6.6-1~deb8u1 on Debian Jessie.
# TODO: update environment description
# Uses lib-pyFreenet to fetch the in-Freenet JAR over FCP,
# and so requires Python and lib-pyFreenet. (fcpget)
# Load configuration and utility functions.
source freenet-scripts-common || exit
## TODO MAJOR: Get the latest build number from somewhere other than the repository, e.g. Freenet, announcements, etc.
## TODO MAJOR: Verify the installers
## TODO: Automatically download freenet-ext.jar if not present, in a secure fashion.
## TODO: Deal with freenet-ext.jar updating automatically.
## TODO: Verify freenet-ext.jar itself.
## TODO: Hard-code the certificate for SSL see the code in update.sh in app-new_installer
## TODO: Detect who released it and complain if not the same compiler? Or even install several copies?
## TODO: Allow choosing Freenet jar sources: at least one of website, freenet.
## TODO: Also verify consistency of source archives.
# Avoid specifying this message multiple places. TODO: This may make more sense as a function?
failureWarning="FAILED TO VERIFY. If you determine that this failure is not due to build environent differences, then the source files used to build the published version of Freenet are different from the published source files. The build has been compromised. Take care to only run version of Freenet with published, reviewable source code, as compromised versions of Freenet could easily contain back doors."
# Exit with an error if freenet-ext does not exist.
if [[ ! -e "$freenetExtPath" ]]; then
echo "The path \"$freenetExtPath\" does not exist."
exit 10
fi
if ! fcpget --version; then
echo "fcpget - part of lib-pyFreenet - is not installed."
exit 10
fi
while :
do
case $1 in
--help | -h | -\?)
cat <<EOF
--tag TAG specifies build tag to checkout.
--tmpbase PATH specifies temporary directory. Default /tmp/
EOF
exit 0
;;
--tag)
gitVersion="$2"
shift 2
;;
--tmpbase)
tmpBase="$2"
shift 2
;;
--) # End of all options
shift
break
;;
-*)
echo "Unknown option: $1"
exit 1
;;
*) # No more options; stop parsing.
break
;;
esac
done
if [[ -z "$tmpBase" ]]; then
tmpBase="/tmp/"
fi
tmpDir=$(mktemp -d --tmpdir=$tmpBase)
echo Using "$tmpDir"
cd "$fredDir"
if ! git remote update; then
echo Unable to update git repository.
exit 13
fi
# The tag was not specified so autodetect.
if [[ -z "$gitVersion" ]]; then
getBuildInfo
else
getTagInfo $gitVersion
fi
echo Using build "$gitVersion"
cd "$tmpDir"
if ! git clone "$fredDir" fred; then
echo Unable to clone repo.
exit 14
fi
cd fred
if ! git checkout "$gitVersion"; then
echo Unable to checkout build tag.
exit 14
fi
if ! git tag -v "$gitVersion"; then
echo Failed to verify tag "$gitVersion"
exit 11
fi
echo Build number $buildNumber
if ! cp "$freenetExtPath" lib/freenet/freenet-ext.jar; then
echo Unable to copy freenet-ext.jar from "$freenetExtPath"
exit 12
fi
if ! ./gradlew --offline assemble; then
echo Unable to build from repository.
exit 8
fi
cd ..
mkdir unpacked-built
if ! unzip "fred/dist/freenet.jar" -d unpacked-built > /dev/null; then
echo Failed to unpack built jar
exit 9
fi
jarUrl="https://github.com/freenet/fred/releases/download/build01480/freenet-build01480.jar"
signatureUrl="$jarUrl.sig"
if ! wget "$signatureUrl" -O freenet.jar.sig; then
echo Unable to fetch signature "$signatureUrl" from the official Freenet repository.
exit 4
fi
if ! wget "$jarUrl" -O freenet.jar; then
echo Unable to fetch jar file "$jarUrl" from the official Freenet repository.
exit 5;
fi
if ! gpg --logger-fd 1 --verify freenet.jar.sig freenet.jar; then
echo "Unable to verify signature on jar"
exit 6;
fi
# Check that the website and hosted versions are identical.
# TODO: Detect update USK from node config
key="SSK@O~UmMwTeDcyDIW-NsobFBoEicdQcogw7yrLO2H-sJ5Y,JVU4L7m9mNppkd21UNOCzRHKuiTucd6Ldw8vylBOe5o,AQACAAE/jar-$buildNumber"
# old key:
# SSK@sabn9HY9MKLbFPp851AO98uKtsCtYHM9rqB~A5cCGW4,3yps2z06rLnwf50QU4HvsILakRBYd4vBlPtLv0elUts,AQACAAE/jar-$buildNumber"
echo "" ; echo "Downloading from freenet - this can take a moment... key: $key"
fcpget --verbose --fcpHost="$fcpHost" --fcpPort="$fcpPort" "$key" inserted-freenet.jar
if [ ! -e "inserted-freenet.jar" ]; then
echo "Unable to fetch freenet.jar from Freenet."
exit 12
fi
echo "Downloaded file: "
sha512sum inserted-freenet.jar
echo "Comparing: "
if ! cmp freenet.jar inserted-freenet.jar; then
echo ""
echo ""
echo "ERROR - VERIFICATION FAILED"
echo FAILED TO VERIFY: The freenet.jar from the website and the
echo freenet.jar fetched from Freenet are different.
echo "Website jar SHA512: $(sha512sum freenet.jar)"
echo "Inserted jar SHA512: $(sha512sum inserted-freenet.jar)"
echo ""
echo "$failureWarning"
exit 11
else
echo ""
echo freenet.jar from the website and fetched from Freenet are the same.
echo "So far OK..."
fi
mkdir unpacked-official
if ! unzip freenet.jar -d unpacked-official > /dev/null; then
echo Failed to unpack official released jar
exit 7;
fi
# Ready to do the comparison
(cd unpacked-official; find -type f) | sort > unpacked-official.list
(cd unpacked-built; find -type f) | sort > unpacked-built.list
if ! cmp unpacked-official.list unpacked-built.list; then
echo FAILED TO VERIFY: Different files in official vs built
echo Files in official but not in built are marked as +
echo Files in built but not in official are marked with -
diff -u unpacked-built.list unpacked-official.list
echo ""
echo "$failureWarning"
exit 9
fi
while read x; do
if ! cmp "unpacked-official/$x" "unpacked-built/$x"; then
if [[ "$x" = "./META-INF/MANIFEST.MF" ]]; then
echo "Manifest file is different; this is expected."
echo "Please review the differences:"
diff "unpacked-official/$x" "unpacked-built/$x"
else
echo "File is different: $x"
echo "$x" >> "differences"
fi
fi
done < unpacked-official.list
summary() {
echo "Tag $gitVersion / build $buildNumber"
echo "Official jar SHA512: $(sha512sum freenet.jar)"
echo "Official jar signature SHA512: $(sha512sum freenet.jar.sig)"
echo "Git repository is at object $commitID"
}
if [[ -s "differences" ]]; then
echo VERIFY FAILED: FILES ARE DIFFERENT:
cat differences
summary
echo ""
echo "$failureWarning"
exit 10
fi
echo "Verification successful."
summary
cd ..
rm -Rf "$tmpDir"