authorIan Stakenvicius <axs@gentoo.org>2016-04-27 10:43:07 -0400
committerIan Stakenvicius <axs@gentoo.org>2016-04-27 10:43:10 -0400
commit279a7ebed5c004e1da3df8fa77c783a1e42ab955 (patch)
treed78d900dbfcbd0f3aef4df0cca1869be322e25aa
parentApply system-harfbuzz support to firefox and thunderbird-45.0 (diff)
added script that helps with verifying SHA512 hashes of distfiles against upstream
The script also checks that the signature on the SHA512SUMS file is valid, though whether the Mozilla key used is trustworthy is entirely up to the user to verify and validate.
-rwxr-xr-xscripts/verify_distfiles.sh63
1 files changed, 63 insertions, 0 deletions
diff --git a/scripts/verify_distfiles.sh b/scripts/verify_distfiles.sh
new file mode 100755
index 00000000..b4186200
--- /dev/null
+++ b/scripts/verify_distfiles.sh
@@ -0,0 +1,63 @@
+#!/bin/sh
+
+# Script to check distfiles against SHA512SUMS in upstream repo
+# Note - your gpg setup needs to have the mozilla release key imported for signature verification
+# Author: Ian Stakenvicius
+# 2016-03-10
+
+check_distfiles() {
+ local myver myname tmp
+ myname=$(qatom $1 |awk '{print $2}')
+ mybasename=${myname/-bin/}
+ if grep 'MOZ_ESR=""' $1 &>/dev/null || [[ -n $(grep -L MOZ_ESR $1) ]] ; then
+ myver=$(qatom $1 |awk '{print $3}')
+ else
+ myver=$(qatom $1 |awk '{print $3 "esr"}')
+ fi
+
+ sigfile=$(mktemp)
+ wget -O ${sigfile}.asc -q https://archive.mozilla.org/pub/${mybasename}/releases/${myver}/SHA512SUMS.asc
+ wget -O ${sigfile} -q https://archive.mozilla.org/pub/${mybasename}/releases/${myver}/SHA512SUMS
+ gpg --verify ${sigfile}.asc ${sigfile} || exit 1
+
+ grep -e "^DIST ${mybasename}-${myver}[-\.]" \
+ -e "^DIST ${myname}_.*-${myver}[-\.]" \
+ Manifest
+ exit 1
+
+ grep -e "^DIST ${myname}-${myver}[-\.]" \
+ -e "^DIST ${mybasename}_.*-${myver}[-\.]" \
+ Manifest |grep -v -- "${myname}-.*-patches-" |awk '{print $7}' |while read ech ; do
+ tmp=$(grep ${ech} Manifest |awk '{print $2}')
+ if grep $ech ${sigfile} &>/dev/null ; then
+ echo -n $tmp
+ grep ${ech} ${sigfile} |awk '{print " -> " $2 " OK"}'
+ else
+ echo -n "ERROR - no file with sum ${ech} found -- ${tmp}"
+ exit 1
+ fi
+ done
+ rm -f ${sigfile}.asc ${sigfile}
+}
+
+
+if [[ ! -e Manifest ]]; then
+ echo "ERROR - must be run in the directory of the package (with ebuilds and Manifest)"
+ echo "USAGE: $0 [ebuild file(s)]"
+ exit 1
+fi
+
+ebuild_list=( "$@" )
+if [ "$#" -eq 0 ]; then
+ echo "No arguments specified, verifying all ebuilds in current directory"
+ ebuild_list=( *.ebuild )
+fi
+
+for ebuild in "${ebuild_list[@]}"; do
+ echo "Checking $ebuild"
+ if [[ -e $ebuild ]]; then
+ check_distfiles $ebuild
+ else
+ echo "ERROR - $ebuild does not exist, skipping"
+ fi
+done
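Review bot: The unconditional `exit 1` that follows the first `grep -e "^DIST ${mybasename}-${myver}[-\.]" ... Manifest` call inside check_distfiles terminates the script right after the signature check, so as committed the hash-comparison loop below it is unreachable and no distfile hash is ever compared against upstream; that grep/exit pair looks like leftover debugging and should be removed. Even with it gone, the `exit 1` in the loop's `else` branch only leaves the subshell created by the `... |awk |while read` pipe, so a hash that is absent from SHA512SUMS prints an ERROR but the script still runs `rm -f`, returns from the function and ends with status 0 — feeding the loop through process substitution lets that exit propagate. The script already depends on `[[`, arrays and `${myname/-bin/}`, so the shebang should be `#!/bin/bash` rather than `#!/bin/sh`; under a POSIX sh `&>/dev/null` is parsed as backgrounding plus a redirect and the process substitution would not parse at all. Separately, `gpg --verify` returns 0 for a good signature from any key in the keyring regardless of its trust level, as the commit message acknowledges; checking `--status-fd` output for a `VALIDSIG` line carrying the expected Mozilla release-key fingerprint would make that pin explicit, and the temp files should also be removed on the signature-failure path.
```shell
check_distfiles() {
  local myver myname mybasename sigfile tmp ech
  # … unchanged: myname/mybasename/myver detection and SHA512SUMS download …
  gpg --verify "${sigfile}.asc" "${sigfile}" || { rm -f -- "${sigfile}.asc" "${sigfile}"; exit 1; }

  # Loop runs in the current shell (process substitution), so 'exit 1' aborts the script.
  while IFS= read -r ech ; do
    tmp=$(grep -- "${ech}" Manifest |awk '{print $2}')
    if grep -q -- "${ech}" "${sigfile}" ; then
      printf '%s' "${tmp}"
      grep -- "${ech}" "${sigfile}" |awk '{print " -> " $2 " OK"}'
    else
      printf 'ERROR - no file with sum %s found -- %s\n' "${ech}" "${tmp}" >&2
      rm -f -- "${sigfile}.asc" "${sigfile}"
      exit 1
    fi
  done < <(grep -e "^DIST ${myname}-${myver}[-\.]" \
                -e "^DIST ${mybasename}_.*-${myver}[-\.]" \
                Manifest |grep -v -- "${myname}-.*-patches-" |awk '{print $7}')
  rm -f -- "${sigfile}.asc" "${sigfile}"
}
```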