mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-24 04:13:28 +01:00
Add a make-signature.sh script.
This commit is contained in:
parent
07888ed8e4
commit
6ccb16438a
77
contrib/make-signature.sh
Executable file
@ -0,0 +1,77 @@
#!/bin/sh

if test "$1" = "" ; then
echo "I need a package as an argument."
exit 1
fi

PACKAGEFILE=$1

if test ! -f "$PACKAGEFILE" ; then
echo "$PACKAGEFILE is not a file."
exit 1
fi

DIGESTNAME=sha256
DIGESTOUTPUT=`gpg --print-md $DIGESTNAME $PACKAGEFILE`

RAWDIGEST=`gpg --print-md $DIGESTNAME $PACKAGEFILE | sed -e 's/^[^ ]*: //' `

# These regexes are a little fragile, but I think they work for us.
VERSION=`echo $PACKAGEFILE | sed -e 's/^[a-z\-]*//' -e 's/\.[\.a-z]*$//' `
PACKAGE=`echo $PACKAGEFILE | sed -e 's/-[0-9].*//'`
SIGFILE_UNSIGNED="$PACKAGE-$VERSION-signature"
SIGNATUREFILE="$SIGFILE_UNSIGNED.asc"

cat >$SIGFILE_UNSIGNED <<EOF
This is the signature file for "$PACKAGEFILE",
which contains version "$VERSION" of "$PACKAGE".

Here's how to check this signature.

1) Make sure that this is really a signature file, and not a forgery,
with:

"gpg --verify $SIGNATUREFILE"

The key should be one of the keys that signs the Tor release; the
official Tor website has more information on those.

If this step fails, then either you are missing the correct key, or
this signature file was not really signed by a Tor packager.
Beware!

2) Make sure that the package you wanted is indeed "$PACKAGE", and that
its version you wanted is indeed "$VERSION". If you wanted a
different package, or a different version, this signature file is
not the right one!

3) Now that you're sure you have the right signature file, make sure
that you got the right package. Check its $DIGESTNAME digest with

"gpg --print-md $DIGESTNAME $PACKAGEFILE"

The output should match this, exactly:

$DIGESTOUTPUT

Make sure that every part of the output matches: don't just check the
first few characters. If the digest does not match, you do not have
the right package file. It could even be a forgery.

Frequentlty asked questions:

Q: Why not just sign the package file, like you used to do?
A: GPG signatures authenticate file contents, but not file names. If
somebody gave you a renamed file with a matching renamed signature
file, the signature would still be given as "valid".

--
FILENAME: $PACKAGEFILE
PACKAGE: $PACKAGE
VERSION: $VERSION
DIGESTALG: $DIGESTNAME
DIGEST: $RAWDIGEST
EOF

gpg --clearsign $SIGFILE_UNSIGNED
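Review bot: the `VERSION=` and `PACKAGE=` derivations run their `sed` expressions on `$PACKAGEFILE` exactly as passed in `$1`, so an argument with a directory component is not stripped by `s/^[a-z\-]*//` and both the signature file name and the FILENAME/PACKAGE/VERSION trailer it embeds come out wrong; apply `basename` to the argument before deriving them, and quote `"$PACKAGEFILE"` and `"$DIGESTNAME"` in the backtick commands and the `echo $PACKAGEFILE` pipelines, since unquoted expansions break on names containing whitespace. The digest is also computed twice (`DIGESTOUTPUT=` and `RAWDIGEST=` each invoke `gpg --print-md`); deriving `RAWDIGEST` from `$DIGESTOUTPUT` with the same `sed -e 's/^[^ ]*: //'` avoids the second run and, more importantly, neither assignment checks gpg's exit status, so a failed `--print-md` silently yields an empty `DIGEST:` line that still gets clearsigned. Checking the result is non-empty (or using `set -e`) before the `cat >$SIGFILE_UNSIGNED` heredoc closes that gap. Minor: "Frequentlty" in the heredoc text should read "Frequently".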