author | Ian Stakenvicius <axs@gentoo.org> | 2016-04-27 10:43:07 -0400 |
---|---|---|
committer | Ian Stakenvicius <axs@gentoo.org> | 2016-04-27 10:43:10 -0400 |
commit | 279a7ebed5c004e1da3df8fa77c783a1e42ab955 (patch) | |
tree | d78d900dbfcbd0f3aef4df0cca1869be322e25aa | |
parent | Apply system-harfbuzz support to firefox and thunderbird-45.0 (diff) | |
added script that helps with verifying SHA512 hashes of distfiles against upstream
The script also checks that the signature on the SHA512SUMS file is valid, though the trust
of the mozilla key used is entirely up to the user to verify and validate.
-rwxr-xr-x | scripts/verify_distfiles.sh | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/scripts/verify_distfiles.sh b/scripts/verify_distfiles.sh
new file mode 100755
index 00000000..b4186200
--- /dev/null
+++ b/scripts/verify_distfiles.sh
@@ -0,0 +1,63 @@
+#!/bin/sh
+
+# Script to check distfiles against SHA512SUMS in upstream repo
+# Note - your gpg setup needs to have the mozilla release key imported for signature verification
+# Author: Ian Stakenvicius
+# 2016-03-10
+
+check_distfiles() {
+ local myver myname tmp
+ myname=$(qatom $1 |awk '{print $2}')
+ mybasename=${myname/-bin/}
+ if grep 'MOZ_ESR=""' $1 &>/dev/null || [[ -n $(grep -L MOZ_ESR $1) ]] ; then
+ myver=$(qatom $1 |awk '{print $3}')
+ else
+ myver=$(qatom $1 |awk '{print $3 "esr"}')
+ fi
+
+ sigfile=$(mktemp)
+ wget -O ${sigfile}.asc -q https://archive.mozilla.org/pub/${mybasename}/releases/${myver}/SHA512SUMS.asc
+ wget -O ${sigfile} -q https://archive.mozilla.org/pub/${mybasename}/releases/${myver}/SHA512SUMS
+ gpg --verify ${sigfile}.asc ${sigfile} || exit 1
+
+ grep -e "^DIST ${mybasename}-${myver}[-\.]" \
+ -e "^DIST ${myname}_.*-${myver}[-\.]" \
+ Manifest
+ exit 1
+
+ grep -e "^DIST ${myname}-${myver}[-\.]" \
+ -e "^DIST ${mybasename}_.*-${myver}[-\.]" \
+ Manifest |grep -v -- "${myname}-.*-patches-" |awk '{print $7}' |while read ech ; do
+ tmp=$(grep ${ech} Manifest |awk '{print $2}')
+ if grep $ech ${sigfile} &>/dev/null ; then
+ echo -n $tmp
+ grep ${ech} ${sigfile} |awk '{print " -> " $2 " OK"}'
+ else
+ echo -n "ERROR - no file with sum ${ech} found -- ${tmp}"
+ exit 1
+ fi
+ done
+ rm -f ${sigfile}.asc ${sigfile}
+}
+
+
+if [[ ! -e Manifest ]]; then
+ echo "ERROR - must be run in the directory of the package (with ebuilds and Manifest)"
+ echo "USAGE: $0 [ebuild file(s)]"
+ exit 1
+fi
+
+ebuild_list=( "$@" )
+if [ "$#" -eq 0 ]; then
+ echo "No arguments specified, verifying all ebuilds in current directory"
+ ebuild_list=( *.ebuild )
+fi
+
+for ebuild in "${ebuild_list[@]}"; do
+ echo "Checking $ebuild"
+ if [[ -e $ebuild ]]; then
+ check_distfiles $ebuild
+ else
+ echo "ERROR - $ebuild does not exist, skipping"
+ fi
+done |
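Review bot: The unconditional `exit 1` that follows the first `grep … Manifest` call in check_distfiles ends the script before the comparison loop below it ever runs, so no distfile sum is actually checked against SHA512SUMS and the mktemp files are left behind; it reads like a debugging leftover and the line should simply be removed. The `exit 1` inside the `| while read ech` loop also only terminates the pipeline's subshell, so a missing sum prints ERROR yet the function continues to `rm -f` and the script exits 0 — a caller relying on the exit status would treat an unverified distfile as verified. Running the loop in the current shell and carrying a failure flag out to the function's return fixes that; the sketch below assumes bash, which the script already requires through `local`, `[[`, `${myname/-bin/}` and `&>` despite its `#!/bin/sh` line. Since `gpg --verify` returns 0 for a valid signature from any key in the keyring regardless of its trust level, it would also be worth pinning the signer by comparing the fingerprint reported in the `VALIDSIG` line of `gpg --status-fd 1 --verify` output against the expected Mozilla release key, rather than leaving key trust entirely to whatever the user has imported.
```shell
    # … unchanged: version lookup, wget of SHA512SUMS(.asc), gpg --verify …
    status=0
    while read -r ech ; do
        tmp=$(grep "${ech}" Manifest |awk '{print $2}')
        if grep -q "${ech}" "${sigfile}" ; then
            echo -n "$tmp"
            grep "${ech}" "${sigfile}" |awk '{print " -> " $2 " OK"}'
        else
            echo "ERROR - no file with sum ${ech} found -- ${tmp}"
            status=1
        fi
    done < <(grep -e "^DIST ${myname}-${myver}[-\.]" \
        -e "^DIST ${mybasename}_.*-${myver}[-\.]" \
        Manifest |grep -v -- "${myname}-.*-patches-" |awk '{print $7}')
    rm -f "${sigfile}.asc" "${sigfile}"
    return "$status"
```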