add gpg verify with automatic import pub key

This commit is contained in:
Patrick Cao Huu Thien 2024-10-18 02:24:40 +02:00
parent 10a92d2456
commit 7ce23412c0
Signed by untrusted user who does not match committer: pcao
GPG Key ID: B57DBE40C72FBCF4
1 changed files with 53 additions and 9 deletions


@ -13,7 +13,7 @@ err() { error "$*"; exit 1; }
usage() { echo "Usage: $(basename "$0") [-V | -h] <file>";echo " -V: Show version"; echo " -h: Show this help"; } usage() { echo "Usage: $(basename "$0") [-V | -h] <file>";echo " -V: Show version"; echo " -h: Show this help"; }
err_usage() { error "$*"; usage; exit 1; } err_usage() { error "$*"; usage; exit 1; }
step () { err="$?"; c=32; t=OK; test "$err" = 0 || { c=31; t=FAILED; }; printf "* %s \e[%dm%s\e[0m\n" "$*" "$c" "$t"; } step () { err="$?"; c=32; t=OK; test "$err" = 0 || { c=31; t=FAILED; }; printf "* %s \e[%dm%s\e[0m\n" "$*" "$c" "$t"; }
compress() { cat | gzip -9 | base64; } compress() { cat | gzip -9 | base64 -w0; }
VERSION="0.0.1" VERSION="0.0.1"
@ -27,9 +27,19 @@ test -e "$file" || err "File not found: $file"
sha="$(shasum -a 256 "$file" | cut -d' ' -f1)" || err "Failed to calculate SHA256 checksum" sha="$(shasum -a 256 "$file" | cut -d' ' -f1)" || err "Failed to calculate SHA256 checksum"
step "Checksum" step "Checksum"
bin=$(cat "$file" | compress) bin=$(compress < "$file")
step "Compress" step "Compress"
defkey=$(gpgconf --list-options gpg | awk -F: '$1 == "default-key" {print $10}' | tr -dc 'A-Z0-9')
step "GPG default key"
if test -n "$defkey"
then
pub=$(gpg --export --output - "$defkey" | compress)
step "Public key"
sig=$(gpg --detach-sig --output - "$file" | compress)
step "Signature"
fi
newfile="${file}_sha256" newfile="${file}_sha256"
cat <<EOT > "$newfile" cat <<EOT > "$newfile"
@ -37,28 +47,62 @@ cat <<EOT > "$newfile"
# script generated by shasumscript at $(date) # script generated by shasumscript at $(date)
# #
# This script self-checkssum it's content and exit on error # This script self-checkssum it's content and exit on error
# The real script can be found after line 22. # The real script can be found after line 37.
# #
# License: GNU GPL3 # License: GNU GPL3
# Author: Patrick Cao Huu Thien # Author: Patrick Cao Huu Thien
tmpexe="\$(mktemp)" set -e
trap 'rm -f "\$tmpexe"' EXIT
cat "\$0" | sed '1,21d' | base64 -d 2>/dev/null| gunzip 2>/dev/null > "\$tmpexe" sig="$sig"
test "\$(shasum -a 256 "\$tmpexe" | cut -d' ' -f1)" = "$sha" || { pub="$pub"
tmpexe="\$(mktemp)"
tmpsig="\$(mktemp)"
tmppub="\$(mktemp)"
trap 'rm -f "\$tmpexe" "\$tmpsig" "\$tmppub"' EXIT
cat "\$0" | sed '1,36d' | base64 -d 2>/dev/null| gunzip 2>/dev/null > "\$tmpexe"
test "\$(sha256sum "\$tmpexe" | cut -d' ' -f1)" = "$sha" || {
echo "Checksum mismatch!" >&2 echo "Checksum mismatch!" >&2
exit 1 exit 1
} }
txt='Checksum';printf -- "\r- \$txt";sleep 0.1;printf -- "\r/";sleep 0.1;printf -- "\r|";sleep 0.1;printf -- "\r\\\\";sleep 0.1;printf -- "\r \e[32m%s OK\e[0m" "\$txt";sleep 0.3
EOT
step "pre-script"
if test -n "$defkey"
then
cat <<EOT >> "$newfile"
echo "\$sig" | base64 -d 2>/dev/null | gunzip 2>/dev/null > "\$tmpsig"
echo "\$pub" | base64 -d 2>/dev/null | gunzip 2>/dev/null > "\$tmppub"
gpg --verify -q --keyring "\$tmppub" "\$tmpsig" "\$tmpexe" 2>&1 | grep -q 'Good signature' || {
echo "Signature mismatch!" >&2
exit 1
}
txt='Verification';printf -- "\r- \$txt";sleep 0.1;printf -- "\r/";sleep 0.1;printf -- "\r|";sleep 0.1;printf -- "\r\\\\";sleep 0.1;printf -- "\r \e[32m%s OK\e[0m" "\$txt";sleep 0.3
EOT
step "verify-script"
else
cat <<EOT >> "$newfile"
#
# No public key available
#
# skip GPG verification
#
EOT
step "no-verify-script"
fi
cat <<EOT >> "$newfile"
printf "\r \r"
sh "\$tmpexe" "\$@" sh "\$tmpexe" "\$@"
exit exit
EOT EOT
step "pre-script"
echo "$bin" >> "$newfile" echo "$bin" >> "$newfile"
step "post-script" step "binary"
chmod +x "$newfile" chmod +x "$newfile"
step "make it executable" step "make it executable"
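Review bot: The GPG check added at the `gpg --verify` line in the generated script has no trust anchor, because the public key it verifies against (`pub`) is embedded in the same file as the payload and the signature, so anyone who can alter the payload can re-sign it and embed their own key; the verification then proves no more than the SHA-256 check already does. To add assurance the generated script should verify against a key the user already holds (drop `--keyring "\$tmppub"`, which in any case is additive to the default keyrings unless `--no-default-keyring` is given), or, if the key must ship with the file, pin its fingerprint from an out-of-band source and compare it with the `VALIDSIG` status line. The check itself reads `2>&1 | grep -q 'Good signature'`, which discards gpg's exit status and depends on the message locale; `gpg --status-fd 1 --verify "\$tmpsig" "\$tmpexe" 2>/dev/null | grep -q '^\[GNUPG:\] VALIDSIG ' || {` is machine-readable and stable across locales. Separately, the verify branch emits seven pre-payload lines (the `echo "\$sig"` block through the spinner line) while the no-verify branch emits five comment lines, yet both rely on the fixed `sed '1,36d'` and the "after line 37" header comment, so unless blank lines not shown on this page make up the difference, one branch strips the wrong number of lines before decoding — and since `compress` now uses `base64 -w0`, the payload is a single line and an off-by-one can drop it entirely.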