首页 发现 帮助
登录
sengler
/
tor-parallel-relay-conn
1
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
目录树: 6a6e3adf01
分支列表 标签列表
tor-parallel...
/
contrib
/
make-signature.sh

make-signature.sh 2.2 KB
文件历史 原始文件

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677 
  1. #!/bin/sh
    2. 

  2. 

  3. if test "$1" = "" ; then
    4. 

  4.     echo "I need a package as an argument."
    5. 

  5.     exit 1
    6. 

  6. fi
    7. 

  7. 

  8. PACKAGEFILE=$1
    9. 

  9. 

  10. if test ! -f "$PACKAGEFILE" ; then
    11. 

  11.     echo "$PACKAGEFILE is not a file."
    12. 

  12.     exit 1
    13. 

  13. fi
    14. 

  14. 

  15. DIGESTNAME=sha256
    16. 

  16. DIGESTOUTPUT=`gpg --print-md $DIGESTNAME $PACKAGEFILE`
    17. 

  17. 

  18. RAWDIGEST=`gpg --print-md $DIGESTNAME $PACKAGEFILE | sed -e 's/^[^ ]*: //' `
    19. 

  19. 

  20. # These regexes are a little fragile, but I think they work for us.
    21. 

  21. VERSION=`echo $PACKAGEFILE | sed -e 's/^[a-z\-]*//' -e 's/\.[\.a-z]*$//' `
    22. 

  22. PACKAGE=`echo $PACKAGEFILE | sed -e 's/-[0-9].*//'`
    23. 

  23. SIGFILE_UNSIGNED="$PACKAGE-$VERSION-signature"
    24. 

  24. SIGNATUREFILE="$SIGFILE_UNSIGNED.asc"
    25. 

  25. 

  26. cat >$SIGFILE_UNSIGNED <<EOF
    27. 

  27. This is the signature file for "$PACKAGEFILE",
    28. 

  28. which contains version "$VERSION" of "$PACKAGE".
    29. 

  29. 

  30. Here's how to check this signature.
    31. 

  31. 

  32. 1) Make sure that this is really a signature file, and not a forgery,
    33. 

  33.    with:
    34. 

  34. 

  35.      "gpg --verify $SIGNATUREFILE"
    36. 

  36. 

  37.    The key should be one of the keys that signs the Tor release; the
    38. 

  38.    official Tor website has more information on those.
    39. 

  39. 

  40.    If this step fails, then either you are missing the correct key, or
    41. 

  41.    this signature file was not really signed by a Tor packager.
    42. 

  42.    Beware!
    43. 

  43. 

  44. 2) Make sure that the package you wanted is indeed "$PACKAGE", and that
    45. 

  45.    its version you wanted is indeed "$VERSION".  If you wanted a
    46. 

  46.    different package, or a different version, this signature file is
    47. 

  47.    not the right one!
    48. 

  48. 

  49. 3) Now that you're sure you have the right signature file, make sure
    50. 

  50.    that you got the right package.  Check its $DIGESTNAME digest with
    51. 

  51. 

  52.      "gpg --print-md $DIGESTNAME $PACKAGEFILE"
    53. 

  53. 

  54.    The output should match this, exactly:
    55. 

  55. 

  56. $DIGESTOUTPUT
    57. 

  57. 

  58.    Make sure that every part of the output matches: don't just check the
    59. 

  59.    first few characters.  If the digest does not match, you do not have
    60. 

  60.    the right package file.  It could even be a forgery.
    61. 

  61. 

  62. Frequentlty asked questions:
    63. 

  63. 

  64. Q: Why not just sign the package file, like you used to do?
    65. 

  65. A: GPG signatures authenticate file contents, but not file names.  If
    66. 

  66.    somebody gave you a renamed file with a matching renamed signature
    67. 

  67.    file, the signature would still be given as "valid".
    68. 

  68. 

  69. -- 
    70. 

  70. FILENAME: $PACKAGEFILE
    71. 

  71. PACKAGE: $PACKAGE
    72. 

  72. VERSION: $VERSION
    73. 

  73. DIGESTALG: $DIGESTNAME
    74. 

  74. DIGEST: $RAWDIGEST
    75. 

  75. EOF
    76. 

  76. 

  77. gpg --clearsign $SIGFILE_UNSIGNED
    78.