Permalink
Find file
Fetching contributors…
Cannot retrieve contributors at this time
executable file 204 lines (170 sloc) 7.41 KB
#!/usr/bin/env bash
#-----------------------------------------------------------------------------
# verify-gitian-builder-signatures
# --------------------------------
# Given a directory containing a TBB-3.x tarball, a sha256sums.txt file, and
# several files containing GnuPG signatures from gitian builders, check all
# the signatures against their proper data files.
#
# Can be used within the directory containing the above files:
#
# $ verify-gitian-builder-signatures
#
# or given a directory path:
#
# $ verify-gitian-builder-signatures ~/tbb
#
# :authors: Isis Agora Lovecruft, 0xa3adb67a2cdb8b35
# :license: MIT licence
# :version: 0.0.1
#-----------------------------------------------------------------------------
do_extract=
maybe_dir=
bundle_download_dir=
while getopts hxd: f; do
case $f in
h)
printf '%s [-h] [-x] [-d DIRECTORY]\n\n' "$(basename $0)"
printf 'OPTIONS\n'
printf -- '-h\t\tThis cruft.\n'
printf -- '-x\t\tExtract TBB and debug symbols if all signatures '
printf -- 'check out okay. (Unix only)\n'
printf -- '-d DIRECTORY\tCheck the TBB files in DIRECTORY.\n'
printf -- ' \t\t(default: `%s`)\n\n' "$(pwd)"
exit 0
;;
x) do_extract=true ; shift ;;
d) maybe_dir=$OPTARG ;;
# don't we need `shift 2` above? or `shift $(( OPTIND - 1))`?
esac
done
test -z "$maybe_dir" && maybe_dir=`pwd`
if test -d "$maybe_dir" ; then
bundle_download_dir=$maybe_dir
printf "Checking signature files in directory: %s\n" "$bundle_download_dir"
else
printf "Can't find directory '%s'… are you sure it exists?" "$maybe_dir"
exit 1
fi
sums=$(find . -type f -regextype posix-extended \
-regex "(.*sha256sums)(-unsigned-build)?(\.txt)" -printf "%f " | tr -d '[[:space:]]')
# TODO: Verify signatures for incremental (.mar) files, they are named like
# (.*sha256sums\.incrementals\.txt)(.*)(\.asc)
gitian_sigs=$(find . -type f -regextype posix-extended \
-regex "(.*sha256sums)(-unsigned-build)?(\.txt)(.*)(\.asc)" -printf "%f ")
debug_sigs=$(find . -type f -regextype posix-extended \
-regex ".*(tor-)(browser-)?(.*)(debug)(.*)(\.asc)" -printf "%f ")
debug_files=
tbbs=$(find . -type f -regextype posix-extended \
-regex ".*([tT]or)(-)?([bB]rowser-)(install)?(.*)(\.)(tar\.xz|dmg|exe){1}" \
-printf "%f " | tr -d '[[:space:]]')
red="$(tput setaf 1)"
green="$(tput setaf 10)"
lavender="$(tput setaf 13)"
reset="$(tput sgr0)"
CCZE=$(which ccze)
GPG=$(which gpg2) # Default to gpg2, and fallback to gpg if not found.
if test -z "$GPG"; then GPG=$(which gpg); fi
if test -z "$GPG"; then printf "You must have GnuPG installed!\nExiting…\n"; fi
printf "Found Tor Browser files: %s%s%s\n" "$lavender" "$tbbs" "$reset"
printf "――――――――――――――――――――――――\n"
printf "Checking all Gitian Builder signatures on %s…\n\n" "$lavender$sums$reset"
#printf "DEBUG: All gitian builder sigfiles: %s" "${gitian_sigs}"
# Check gitian builder signatures on the sha256sums.txt file first:
for sig in ${gitian_sigs} ; do
psig="$green$sig$reset" # Add some colour
pver="$lavender$sums$reset"
printf "Verifying signature file %s for %s… " "$psig" "$pver"
valid=`gpg2 --quiet --status-fd 1 --verify $sig $sums 2>/dev/null | grep "VALIDSIG"`
returncode="$?"
# Exit noisily if one of the gitian builder signatures was not okay:
if test "$returncode" -ne "0" ; then
printf "\t[%sERROR%s]\n" "$red" "$reset"
printf "Exiting…\n"
exit 2
elif test "$returncode" -eq "0" -a -n "$valid" ; then
printf "\t[%sOKAY%s]\n" "$green" "$reset"
fi
done
printf "\n%sAll signatures from participating Gitian Builders" "$green"
printf " checked out OKAY!%s\n" "$reset"
printf "――――――――――――――――――――――――\n"
for tbb in ${tbbs} ; do
printf "Checking sha256sum for %s%s%s…" "$lavender" "$tbb" "$reset"
grep "$tbb" "$sums" | sha256sum -c - 2>&1 1>/dev/null
returncode="$?"
# Exit noisily if the sha256sum for the tarball doesn't match the one
# found in sha256sums.txt:
if test "$returncode" -ne "0" ; then
printf "\t[%sERROR%s]\n" "$red" "$reset"
printf "\n%sWARNING%s: The sha256sum of your Tor Browser Bundle, " "$red" "$reset"
printf "'%s', does NOT MATCH the corresponding one " "$tbb"
printf "given in %s!\n\n" "$sums"
printf "Perhaps there was an error downloading it. Please try "
printf "re-downloading $s and running this check again." "$tbb"
printf "\n\n"
exit 2
elif test "$returncode" -eq "0" ; then
printf "\t[%sOKAY%s]\n" "$green" "$reset"
fi
# Last, check the signature on the TBB tarball itself:
tbb_sigfile="${tbb}.asc"
if test -f "$tbb_sigfile" ; then
printf "Verifying signature %s%s%s… " "$green" "$tbb_sigfile" "$reset"
valid=`gpg2 --quiet --status-fd 1 --verify $tbb_sigfile $tbb_tarball 2>/dev/null | grep "VALIDSIG"`
returncode="$?"
# Exit noisily if the tarball signature wasn't okay:
if test "$returncode" -ne "0" ; then
printf "\t[%sERROR%s]\n" "$red" "$reset"
printf "Exiting…\n"
exit 2
elif test "$returncode" -eq "0" -a -n "$valid" ; then
printf "\t[%sOKAY%s]\n" "$green" "$reset"
fi
fi
done
printf "\n%sAll sha256sums and signatures for Tor Browser downloads checked " "$green"
printf "out OKAY!%s\n" "$reset"
if test -n "${debug_sigs}" ; then
printf "――――――――――――――――――――――――\n"
printf "Checking all signatures on debug symbols…\n\n"
# And... check the signatures on debug symbol tarballs:
for sig in ${debug_sigs} ; do
psig="$green$sig$reset" # Add some colour
debug_file="${sig%%.asc}"
debug_files="${debug_files} $debug_file"
pver="$lavender$debug_file$reset"
printf "Verifying signature file %s for %s… " "$psig" "$pver"
valid=`gpg2 --quiet --status-fd 1 --verify $sig $debug_file 2>/dev/null | grep "VALIDSIG"`
returncode="$?"
# Exit noisily if one of the debug signatures was not okay:
if test "$returncode" -ne "0" ; then
printf "\t[%sERROR%s]\n" "$red" "$reset"
printf "Exiting…\n"
exit 2
elif test "$returncode" -eq "0" -a -n "$valid" ; then
printf "\t[%sOKAY%s]\n" "$green" "$reset"
fi
done
printf "\n%sAll signatures for Tor Browser debug symbols downloads checked " "$green"
printf "out OKAY!%s\n" "$reset"
fi
# Exit now if we're not extracting
test -z "$do_extract" && exit 0
printf "――――――――――――――――――――――――\n"
for tbb in ${tbbs} ; do
printf "Extracting all files for %s%s%s…\n\n" "$lavender" "$tbb" "$reset"
printf "Extracting %s%s%s…\n" "$lavender" "$tbb" "$reset"
tar Jxf "$tbb"
for debugfile in ${debug_files} ; do
printf "Extracting debug symbols from %s%s%s…\n" "$lavender" "$debugfile" "$reset"
unzip -qq "$debugfile"
done
if test -d "Debug" ; then
printf "Moving Debug/ directory to tor-browser_en-US/Debug/ …\n"
mv Debug tor-browser_en-US/
fi
printf "\n%sExtraction complete!%s\n" "$green" "$reset"
done
printf "――――――――――――――――――――――――\n"
exit 0