From 7ce23412c023e396c46459aabf25b29a8e6595ef Mon Sep 17 00:00:00 2001
From: Patrick Cao Huu Thien
Date: Fri, 18 Oct 2024 02:24:40 +0200
Subject: [PATCH] add gpg verify with automatic import pub key
---
 shasumscript | 62 ++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 53 insertions(+), 9 deletions(-)
diff --git a/shasumscript b/shasumscript
index e692c1d..f4a3fdb 100755
--- a/shasumscript
+++ b/shasumscript
@@ -13,7 +13,7 @@ err() { error "$*"; exit 1; }
 usage() { echo "Usage: $(basename "$0") [-V | -h] ";echo " -V: Show version"; echo " -h: Show this help"; }
 err_usage() { error "$*"; usage; exit 1; }
 step () { err="$?"; c=32; t=OK; test "$err" = 0 || { c=31; t=FAILED; }; printf "* %s \e[%dm%s\e[0m\n" "$*" "$c" "$t"; }
-compress() { cat | gzip -9 | base64; }
+compress() { cat | gzip -9 | base64 -w0; }
 VERSION="0.0.1"
@@ -27,9 +27,19 @@
 test -e "$file" || err "File not found: $file"
 sha="$(shasum -a 256 "$file" | cut -d' ' -f1)" || err "Failed to calculate SHA256 checksum"
 step "Checksum"
-bin=$(cat "$file" | compress)
+bin=$(compress < "$file")
 step "Compress"
+defkey=$(gpgconf --list-options gpg | awk -F: '$1 == "default-key" {print $10}' | tr -dc 'A-Z0-9')
+step "GPG default key"
+if test -n "$defkey"
+then
+  pub=$(gpg --export --output - "$defkey" | compress)
+  step "Public key"
+  sig=$(gpg --detach-sig --output - "$file" | compress)
+  step "Signature"
+fi
+
 newfile="${file}_sha256"
 cat < "$newfile"
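Review bot: `base64 -w0` on the new `compress` line is a GNU coreutils option; the macOS/BSD `base64` has no `-w` and fails, which sits oddly with the script using `shasum` (present on macOS) for the checksum. A portable equivalent that also drops the useless `cat` is `compress() { gzip -9 | base64 | tr -d '\n'; }`. The single-line output does matter, since `sig`/`pub` are later embedded as one-line assignments ahead of a hard-coded `sed` line offset, so whatever replaces `-w0` must still strip the newlines.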
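Review bot: The `tr -dc 'A-Z0-9'` filter on the new `defkey=` line silently mangles any default-key that is not an upper-case hex id — a lowercase fingerprint, a `0x` prefix or a user-id/e-mail default-key comes out empty or as a different string, so the script either skips signing or hands gpg a key that does not exist. If the intent is only to strip the leading `"` that gpgconf puts in front of string values, `tr -d '"'` is narrower, and a `gpg --list-secret-keys "$defkey" >/dev/null || err "default key not usable"` check would make the failure visible instead of silent. Also, `step "Public key"` and `step "Signature"` only see the exit status of the last pipeline stage (`compress`), so a failing `gpg --export` or `gpg --detach-sig` is reported as OK and an empty `pub`/`sig` gets embedded; check `${PIPESTATUS[0]}` or enable `set -o pipefail` if the interpreter is bash.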
@@ -37,28 +47,62 @@ cat < "$newfile"
 # script generated by shasumscript at $(date)
 #
 # This script self-checkssum it's content and exit on error
-# The real script can be found after line 22.
+# The real script can be found after line 37.
 #
 # License: GNU GPL3
 # Author: Patrick Cao Huu Thien
-tmpexe="\$(mktemp)"
-trap 'rm -f "\$tmpexe"' EXIT
+set -e
-cat "\$0" | sed '1,21d' | base64 -d 2>/dev/null| gunzip 2>/dev/null > "\$tmpexe"
-test "\$(shasum -a 256 "\$tmpexe" | cut -d' ' -f1)" = "$sha" || {
+sig="$sig"
+pub="$pub"
+tmpexe="\$(mktemp)"
+tmpsig="\$(mktemp)"
+tmppub="\$(mktemp)"
+trap 'rm -f "\$tmpexe" "\$tmpsig" "\$tmppub"' EXIT
+
+cat "\$0" | sed '1,36d' | base64 -d 2>/dev/null| gunzip 2>/dev/null > "\$tmpexe"
+test "\$(sha256sum "\$tmpexe" | cut -d' ' -f1)" = "$sha" || {
   echo "Checksum mismatch!" >&2
   exit 1
 }
+txt='Checksum';printf -- "\r- \$txt";sleep 0.1;printf -- "\r/";sleep 0.1;printf -- "\r|";sleep 0.1;printf -- "\r\\\\";sleep 0.1;printf -- "\r \e[32m%s OK\e[0m" "\$txt";sleep 0.3
+EOT
+step "pre-script"
+if test -n "$defkey"
+then
+cat <> "$newfile"
+echo "\$sig" | base64 -d 2>/dev/null | gunzip 2>/dev/null > "\$tmpsig"
+echo "\$pub" | base64 -d 2>/dev/null | gunzip 2>/dev/null > "\$tmppub"
+gpg --verify -q --keyring "\$tmppub" "\$tmpsig" "\$tmpexe" 2>&1 | grep -q 'Good signature' || {
+  echo "Signature mismatch!" >&2
+  exit 1
+}
+txt='Verification';printf -- "\r- \$txt";sleep 0.1;printf -- "\r/";sleep 0.1;printf -- "\r|";sleep 0.1;printf -- "\r\\\\";sleep 0.1;printf -- "\r \e[32m%s OK\e[0m" "\$txt";sleep 0.3
+EOT
+step "verify-script"
+else
+cat <> "$newfile"
+
+#
+# No public key available
+#
+# skip GPG verification
+#
+
+EOT
+step "no-verify-script"
+fi
+cat <> "$newfile"
+printf "\r \r"
 sh "\$tmpexe" "\$@"
 exit
 EOT
-step "pre-script"
 echo "$bin" >> "$newfile"
-step "post-script"
+step "binary"
 chmod +x "$newfile"
 step "make it executable"
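Review bot: The new `gpg --verify -q --keyring "\$tmppub"` line verifies against a public key that is carried inside the very file being verified, so a good signature proves only that `sig` matches the embedded `pub`, not that the script came from its author — whoever edits the payload can re-sign it and replace both `pub` and `sig` in the same file, and the check adds nothing over the sha256 test above it. The generated header should state this, e.g. `# NOTE: the verification key is embedded in this file, so a good signature proves integrity, not origin; import the author's key out of band and verify without --keyring for real authentication.` Matching `grep -q 'Good signature'` is also locale-dependent (gpg translates that message), so a non-English user gets "Signature mismatch!" on a valid signature; rely on gpg's exit status, or use `--status-fd 1` and `grep -q '^\[GNUPG:\] VALIDSIG '`. Two smaller points: the generator keeps `shasum -a 256` while the generated script now calls `sha256sum`, which does not exist on a stock macOS, and `sed '1,36d'` must equal the exact line count both `if` branches emit, a coupling that a marker line (emit `#PAYLOAD` after `exit` and strip with `sed '1,/^#PAYLOAD$/d'`) would remove. The heredoc these lines belong to is opened before the hunk starts.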