
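#!/bin/sh
# make-signature.sh -- build and clearsign a "signature file" for a release
# package.  The signed text binds the package *name* and *version* to the
# package's digest, so a renamed package cannot be passed off with a renamed
# detached signature (the FAQ text below explains this to the reader).
#
# Usage:   make-signature.sh PACKAGEFILE
#   PACKAGEFILE  path to the package, e.g. tor-0.4.8.1.tar.gz; the package
#                name and version are parsed from its basename.
# Outputs: PACKAGE-VERSION-signature (unsigned text) in the current
#          directory, and PACKAGE-VERSION-signature.asc written by
#          "gpg --clearsign".
# Exits:   1 on a missing or invalid argument; non-zero (via set -e) if
#          gpg or sed fails.
set -eu

# "${1:-}" rather than "$1": with no argument at all, set -u would abort on
# the unbound variable before the usage message is printed.
if test "${1:-}" = "" ; then
  echo "I need a package as an argument." >&2
  exit 1
fi
PACKAGEFILE=$1
if test ! -f "$PACKAGEFILE" ; then
  echo "$PACKAGEFILE is not a file." >&2
  exit 1
fi

DIGESTNAME=sha256
# Run gpg exactly once and derive both forms from that single output, so the
# digest shown to the reader and the DIGEST: field below can never disagree
# (the file could change between two separate invocations).
DIGESTOUTPUT=$(gpg --print-md "$DIGESTNAME" "$PACKAGEFILE")
# gpg --print-md prefixes the digest with "filename: "; strip that prefix.
RAWDIGEST=$(printf '%s\n' "$DIGESTOUTPUT" | sed -e 's/^[^ ]*: //')

# Parse name and version from the basename only: with a path argument such as
# dir/tor-1.0.tar.gz the directory part would otherwise leak into the
# signature file name.
PACKAGEBASENAME=${PACKAGEFILE##*/}
# These regexes are a little fragile, but I think they work for us.
# VERSION: drop the leading lowercase name and dashes, then the trailing
#          dotted lowercase extension (".tar.gz").
# PACKAGE: keep everything before the first "-<digit>".
VERSION=$(printf '%s\n' "$PACKAGEBASENAME" | sed -e 's/^[a-z\-]*//' -e 's/\.[\.a-z]*$//')
PACKAGE=$(printf '%s\n' "$PACKAGEBASENAME" | sed -e 's/-[0-9].*//')
# If either came out empty the file name does not follow the expected
# name-version.ext layout; refuse rather than sign a nonsense notice.
if test "$PACKAGE" = "" || test "$VERSION" = "" ; then
  echo "Cannot parse package name and version from $PACKAGEBASENAME." >&2
  exit 1
fi

SIGFILE_UNSIGNED="$PACKAGE-$VERSION-signature"
SIGNATUREFILE="$SIGFILE_UNSIGNED.asc"

# Unquoted EOF on purpose: the notice must expand the variables above.
# NOTE(review): the rendered source this was taken from shows no blank lines
# between the notice's paragraphs; the original may have had some -- confirm.
cat >"$SIGFILE_UNSIGNED" <<EOF
This is the signature file for "$PACKAGEFILE",
which contains version "$VERSION" of "$PACKAGE".
Here's how to check this signature.
1) Make sure that this is really a signature file, and not a forgery,
with:
"gpg --verify $SIGNATUREFILE"
The key should be one of the keys that signs the Tor release; the
official Tor website has more information on those.
If this step fails, then either you are missing the correct key, or
this signature file was not really signed by a Tor packager.
Beware!
2) Make sure that the package you wanted is indeed "$PACKAGE", and that
its version you wanted is indeed "$VERSION". If you wanted a
different package, or a different version, this signature file is
not the right one!
3) Now that you're sure you have the right signature file, make sure
that you got the right package. Check its $DIGESTNAME digest with
"gpg --print-md $DIGESTNAME $PACKAGEFILE"
The output should match this, exactly:
$DIGESTOUTPUT
Make sure that every part of the output matches: don't just check the
first few characters. If the digest does not match, you do not have
the right package file. It could even be a forgery.
Frequently asked questions:
Q: Why not just sign the package file, like you used to do?
A: GPG signatures authenticate file contents, but not file names. If
somebody gave you a renamed file with a matching renamed signature
file, the signature would still be given as "valid".
--
FILENAME: $PACKAGEFILE
PACKAGE: $PACKAGE
VERSION: $VERSION
DIGESTALG: $DIGESTNAME
DIGEST: $RAWDIGEST
EOF

# Produces "$SIGNATUREFILE"; the unsigned text is left in place as before.
gpg --clearsign "$SIGFILE_UNSIGNED"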