mirror of
https://github.com/genodelabs/genode.git
synced 2024-12-29 10:08:53 +00:00
9b22983e58
The signature verification tool uses gpg to verify the detached signature of the given file. It also tries to obtain the signing key if it is not part of the local key ring. Signature verification implies the verification of the integrity and authenticity of a given file. Issue #748
132 lines
2.4 KiB
Bash
Executable File
132 lines
2.4 KiB
Bash
Executable File
#!/bin/bash
|
|
#
|
|
# \brief Signature verification tool
|
|
# \author Stephan Müller
|
|
# \date 2013-05-24
|
|
#
|
|
|
|
# Script to be invoked as
|
|
# $0 <file to be checked> <signature file> <source pubkeys>
|
|
#
|
|
# The source pubkey(s) is some ID that can be handled by gpg --search-keys
|
|
# or --recv-keys
|
|
# The special keyword of GNU as source pubkey implies the downloading of the GNU
|
|
# key ring.
|
|
#
|
|
# Script returns 0 on success. Any other value is a failure.
|
|
|
|
FILE=$1
|
|
SIGFILE=$2
|
|
shift;shift;
|
|
PUBKEYSRC=$@
|
|
|
|
#
|
|
# Probe if a default keyserver is configured by the user. If not, fall back to
|
|
# a predefined key server.
|
|
#
|
|
KEYSERVER=""
|
|
if ! $(cat $HOME/.gnupg/gpg.conf | grep -v '^#.*' | grep -q keyserver); then
|
|
KEYSERVER="--keyserver hkp://keys.gnupg.net"
|
|
fi
|
|
|
|
# Get a particular key
|
|
# \param key fingerprint to obtain
|
|
get_gpg_key()
|
|
{
|
|
key=$1
|
|
|
|
# check if key is present
|
|
gpg --list-key $key > /dev/null 2>&1
|
|
if [ $? -eq 0 ];then
|
|
return
|
|
fi
|
|
size=$(echo -n $key |wc -m)
|
|
if [ "$size" -eq 40 ]
|
|
then
|
|
# we have a full fingerprint
|
|
gpg $KEYSERVER --recv-keys $key
|
|
else
|
|
# we have some other ID
|
|
gpg $KEYSERVER --search-keys $key
|
|
fi
|
|
}
|
|
|
|
GNUURL="ftp://ftp.gnu.org/gnu/gnu-keyring.gpg"
|
|
get_gnu_keys()
|
|
{
|
|
sigfile=$1
|
|
sigdir=$(dirname $sigfile)
|
|
|
|
if [ ! -d "$sigdir" ]
|
|
then
|
|
echo "Directory $sigdir does not exist"
|
|
exit 1
|
|
fi
|
|
|
|
targetfile=$(basename $GNUURL)
|
|
if [ ! -f "$sigdir/$targetfile" ]
|
|
then
|
|
wget -c -P $sigdir $GNUURL
|
|
fi
|
|
}
|
|
|
|
# Get all keys handed in
|
|
# \param array of keys to be searched
|
|
get_all_keys()
|
|
{
|
|
keys=$@
|
|
|
|
for i in $keys
|
|
do
|
|
get_gpg_key $i
|
|
done
|
|
}
|
|
|
|
# Verify the file
|
|
# \param file to be verified
|
|
# \param signature file
|
|
#
|
|
# function causes script to exit:
|
|
# return 0 implies all passed
|
|
# any other return code implies failure
|
|
verify_file()
|
|
{
|
|
file=$1
|
|
sigfile=$2
|
|
|
|
gpgargs=""
|
|
targetfile=$(basename $GNUURL)
|
|
sigdir=$(dirname $sigfile)
|
|
if [ -f "$sigdir/$targetfile" ]
|
|
then
|
|
gpgargs="--keyring $sigdir/$targetfile"
|
|
fi
|
|
|
|
if [ -z "$file" -o ! -f "$file" ]
|
|
then
|
|
echo "File $file not found"
|
|
exit 1
|
|
fi
|
|
if [ -z "$sigfile" -o ! -f "$sigfile" ]
|
|
then
|
|
echo "Signature file $sigfile not found"
|
|
exit 1
|
|
fi
|
|
gpg --verify $gpgargs $sigfile $file
|
|
if [ $? -ne 0 ]
|
|
then
|
|
echo "Signature check of file $file failed"
|
|
exit 1
|
|
fi
|
|
echo "Signature check of file $file passed"
|
|
exit 0
|
|
}
|
|
|
|
if [ "$PUBKEYSRC" = "GNU" ]
|
|
then
|
|
get_gnu_keys $SIGFILE
|
|
else
|
|
get_all_keys "$PUBKEYSRC"
|
|
fi
|
|
verify_file $FILE $SIGFILE
|