Permalink
Cannot retrieve contributors at this time
executable file
203 lines (170 sloc)
7.41 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| #----------------------------------------------------------------------------- | |
| # verify-gitian-builder-signatures | |
| # -------------------------------- | |
| # Given a directory containing a TBB-3.x tarball, a sha256sums.txt file, and | |
| # several files containing GnuPG signatures from gitian builders, check all | |
| # the signatures against their proper data files. | |
| # | |
| # Can be used within the directory containing the above files: | |
| # | |
| # $ verify-gitian-builder-signatures | |
| # | |
| # or given a directory path: | |
| # | |
| # $ verify-gitian-builder-signatures ~/tbb | |
| # | |
| # :authors: Isis Agora Lovecruft, 0xa3adb67a2cdb8b35 | |
| # :license: MIT licence | |
| # :version: 0.0.1 | |
| #----------------------------------------------------------------------------- | |
| do_extract= | |
| maybe_dir= | |
| bundle_download_dir= | |
| while getopts hxd: f; do | |
| case $f in | |
| h) | |
| printf '%s [-h] [-x] [-d DIRECTORY]\n\n' "$(basename $0)" | |
| printf 'OPTIONS\n' | |
| printf -- '-h\t\tThis cruft.\n' | |
| printf -- '-x\t\tExtract TBB and debug symbols if all signatures ' | |
| printf -- 'check out okay. (Unix only)\n' | |
| printf -- '-d DIRECTORY\tCheck the TBB files in DIRECTORY.\n' | |
| printf -- ' \t\t(default: `%s`)\n\n' "$(pwd)" | |
| exit 0 | |
| ;; | |
| x) do_extract=true ; shift ;; | |
| d) maybe_dir=$OPTARG ;; | |
| # don't we need `shift 2` above? or `shift $(( OPTIND - 1))`? | |
| esac | |
| done | |
| test -z "$maybe_dir" && maybe_dir=`pwd` | |
| if test -d "$maybe_dir" ; then | |
| bundle_download_dir=$maybe_dir | |
| printf "Checking signature files in directory: %s\n" "$bundle_download_dir" | |
| else | |
| printf "Can't find directory '%s'… are you sure it exists?" "$maybe_dir" | |
| exit 1 | |
| fi | |
| sums=$(find . -type f -regextype posix-extended \ | |
| -regex "(.*sha256sums)(-unsigned-build)?(\.txt)" -printf "%f " | tr -d '[[:space:]]') | |
| # TODO: Verify signatures for incremental (.mar) files, they are named like | |
| # (.*sha256sums\.incrementals\.txt)(.*)(\.asc) | |
| gitian_sigs=$(find . -type f -regextype posix-extended \ | |
| -regex "(.*sha256sums)(-unsigned-build)?(\.txt)(.*)(\.asc)" -printf "%f ") | |
| debug_sigs=$(find . -type f -regextype posix-extended \ | |
| -regex ".*(tor-)(browser-)?(.*)(debug)(.*)(\.asc)" -printf "%f ") | |
| debug_files= | |
| tbbs=$(find . -type f -regextype posix-extended \ | |
| -regex ".*([tT]or)(-)?([bB]rowser-)(install)?(.*)(\.)(tar\.xz|dmg|exe){1}" \ | |
| -printf "%f " | tr -d '[[:space:]]') | |
| red="$(tput setaf 1)" | |
| green="$(tput setaf 10)" | |
| lavender="$(tput setaf 13)" | |
| reset="$(tput sgr0)" | |
| CCZE=$(which ccze) | |
| GPG=$(which gpg2) # Default to gpg2, and fallback to gpg if not found. | |
| if test -z "$GPG"; then GPG=$(which gpg); fi | |
| if test -z "$GPG"; then printf "You must have GnuPG installed!\nExiting…\n"; fi | |
| printf "Found Tor Browser files: %s%s%s\n" "$lavender" "$tbbs" "$reset" | |
| printf "――――――――――――――――――――――――\n" | |
| printf "Checking all Gitian Builder signatures on %s…\n\n" "$lavender$sums$reset" | |
| #printf "DEBUG: All gitian builder sigfiles: %s" "${gitian_sigs}" | |
| # Check gitian builder signatures on the sha256sums.txt file first: | |
| for sig in ${gitian_sigs} ; do | |
| psig="$green$sig$reset" # Add some colour | |
| pver="$lavender$sums$reset" | |
| printf "Verifying signature file %s for %s… " "$psig" "$pver" | |
| valid=`gpg2 --quiet --status-fd 1 --verify $sig $sums 2>/dev/null | grep "VALIDSIG"` | |
| returncode="$?" | |
| # Exit noisily if one of the gitian builder signatures was not okay: | |
| if test "$returncode" -ne "0" ; then | |
| printf "\t[%sERROR%s]\n" "$red" "$reset" | |
| printf "Exiting…\n" | |
| exit 2 | |
| elif test "$returncode" -eq "0" -a -n "$valid" ; then | |
| printf "\t[%sOKAY%s]\n" "$green" "$reset" | |
| fi | |
| done | |
| printf "\n%sAll signatures from participating Gitian Builders" "$green" | |
| printf " checked out OKAY!%s\n" "$reset" | |
| printf "――――――――――――――――――――――――\n" | |
| for tbb in ${tbbs} ; do | |
| printf "Checking sha256sum for %s%s%s…" "$lavender" "$tbb" "$reset" | |
| grep "$tbb" "$sums" | sha256sum -c - 2>&1 1>/dev/null | |
| returncode="$?" | |
| # Exit noisily if the sha256sum for the tarball doesn't match the one | |
| # found in sha256sums.txt: | |
| if test "$returncode" -ne "0" ; then | |
| printf "\t[%sERROR%s]\n" "$red" "$reset" | |
| printf "\n%sWARNING%s: The sha256sum of your Tor Browser Bundle, " "$red" "$reset" | |
| printf "'%s', does NOT MATCH the corresponding one " "$tbb" | |
| printf "given in %s!\n\n" "$sums" | |
| printf "Perhaps there was an error downloading it. Please try " | |
| printf "re-downloading $s and running this check again." "$tbb" | |
| printf "\n\n" | |
| exit 2 | |
| elif test "$returncode" -eq "0" ; then | |
| printf "\t[%sOKAY%s]\n" "$green" "$reset" | |
| fi | |
| # Last, check the signature on the TBB tarball itself: | |
| tbb_sigfile="${tbb}.asc" | |
| if test -f "$tbb_sigfile" ; then | |
| printf "Verifying signature %s%s%s… " "$green" "$tbb_sigfile" "$reset" | |
| valid=`gpg2 --quiet --status-fd 1 --verify $tbb_sigfile $tbb_tarball 2>/dev/null | grep "VALIDSIG"` | |
| returncode="$?" | |
| # Exit noisily if the tarball signature wasn't okay: | |
| if test "$returncode" -ne "0" ; then | |
| printf "\t[%sERROR%s]\n" "$red" "$reset" | |
| printf "Exiting…\n" | |
| exit 2 | |
| elif test "$returncode" -eq "0" -a -n "$valid" ; then | |
| printf "\t[%sOKAY%s]\n" "$green" "$reset" | |
| fi | |
| fi | |
| done | |
| printf "\n%sAll sha256sums and signatures for Tor Browser downloads checked " "$green" | |
| printf "out OKAY!%s\n" "$reset" | |
| if test -n "${debug_sigs}" ; then | |
| printf "――――――――――――――――――――――――\n" | |
| printf "Checking all signatures on debug symbols…\n\n" | |
| # And... check the signatures on debug symbol tarballs: | |
| for sig in ${debug_sigs} ; do | |
| psig="$green$sig$reset" # Add some colour | |
| debug_file="${sig%%.asc}" | |
| debug_files="${debug_files} $debug_file" | |
| pver="$lavender$debug_file$reset" | |
| printf "Verifying signature file %s for %s… " "$psig" "$pver" | |
| valid=`gpg2 --quiet --status-fd 1 --verify $sig $debug_file 2>/dev/null | grep "VALIDSIG"` | |
| returncode="$?" | |
| # Exit noisily if one of the debug signatures was not okay: | |
| if test "$returncode" -ne "0" ; then | |
| printf "\t[%sERROR%s]\n" "$red" "$reset" | |
| printf "Exiting…\n" | |
| exit 2 | |
| elif test "$returncode" -eq "0" -a -n "$valid" ; then | |
| printf "\t[%sOKAY%s]\n" "$green" "$reset" | |
| fi | |
| done | |
| printf "\n%sAll signatures for Tor Browser debug symbols downloads checked " "$green" | |
| printf "out OKAY!%s\n" "$reset" | |
| fi | |
| # Exit now if we're not extracting | |
| test -z "$do_extract" && exit 0 | |
| printf "――――――――――――――――――――――――\n" | |
| for tbb in ${tbbs} ; do | |
| printf "Extracting all files for %s%s%s…\n\n" "$lavender" "$tbb" "$reset" | |
| printf "Extracting %s%s%s…\n" "$lavender" "$tbb" "$reset" | |
| tar Jxf "$tbb" | |
| for debugfile in ${debug_files} ; do | |
| printf "Extracting debug symbols from %s%s%s…\n" "$lavender" "$debugfile" "$reset" | |
| unzip -qq "$debugfile" | |
| done | |
| if test -d "Debug" ; then | |
| printf "Moving Debug/ directory to tor-browser_en-US/Debug/ …\n" | |
| mv Debug tor-browser_en-US/ | |
| fi | |
| printf "\n%sExtraction complete!%s\n" "$green" "$reset" | |
| done | |
| printf "――――――――――――――――――――――――\n" | |
| exit 0 |