contrib/verifybinaries/verify.sh

   1 #!/bin/bash
   2 # Copyright (c) 2016 The Bitcoin Core developers
   3 # Distributed under the MIT software license, see the accompanying
   4 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
   5
   6 ###   This script attempts to download the signature file SHA256SUMS.asc from
   7 ###   bitcoincore.org and bitcoin.org and compares them.
   8 ###   It first checks if the signature passes, and then downloads the files specified in
   9 ###   the file, and checks if the hashes of these files match those that are specified
  10 ###   in the signature file.
  11 ###   The script returns 0 if everything passes the checks. It returns 1 if either the
  12 ###   signature check or the hash check doesn't pass. If an error occurs the return value is 2
  13
  14 function clean_up {
  15    for file in $*
  16    do
  17       rm "$file" 2> /dev/null
  18    done
  19 }
  20
  21 WORKINGDIR="/tmp/bitcoin_verify_binaries"
  22 TMPFILE="hashes.tmp"
  23
  24 SIGNATUREFILENAME="SHA256SUMS.asc"
  25 RCSUBDIR="test"
  26 HOST1="https://bitcoincore.org"
  27 HOST2="https://bitcoin.org"
  28 BASEDIR="/bin/"
  29 VERSIONPREFIX="bitcoin-core-"
  30 RCVERSIONSTRING="rc"
  31
  32 if [ ! -d "$WORKINGDIR" ]; then
  33    mkdir "$WORKINGDIR"
  34 fi
  35
  36 cd "$WORKINGDIR" || exit 1
  37
  38 #test if a version number has been passed as an argument
  39 if [ -n "$1" ]; then
  40    #let's also check if the version number includes the prefix 'bitcoin-',
  41    #  and add this prefix if it doesn't
  42    if [[ $1 == "$VERSIONPREFIX"* ]]; then
  43       VERSION="$1"
  44    else
  45       VERSION="$VERSIONPREFIX$1"
  46    fi
  47
  48    STRIPPEDLAST="${VERSION%-*}"
  49
  50    #now let's see if the version string contains "rc" or a platform name (e.g. "osx")
  51    if [[ "$STRIPPEDLAST-" == "$VERSIONPREFIX" ]]; then
  52       BASEDIR="$BASEDIR$VERSION/"
  53    else
  54       # let's examine the last part to see if it's rc and/or platform name
  55       STRIPPEDNEXTTOLAST="${STRIPPEDLAST%-*}"
  56       if [[ "$STRIPPEDNEXTTOLAST-" == "$VERSIONPREFIX" ]]; then
  57
  58          LASTSUFFIX="${VERSION##*-}"
  59          VERSION="$STRIPPEDLAST"
  60
  61          if [[ $LASTSUFFIX == *"$RCVERSIONSTRING"* ]]; then
  62             RCVERSION="$LASTSUFFIX"
  63          else
  64             PLATFORM="$LASTSUFFIX"
  65          fi
  66
  67       else
  68          RCVERSION="${STRIPPEDLAST##*-}"
  69          PLATFORM="${VERSION##*-}"
  70
  71          VERSION="$STRIPPEDNEXTTOLAST"
  72       fi
  73
  74       BASEDIR="$BASEDIR$VERSION/"
  75       if [[ $RCVERSION == *"$RCVERSIONSTRING"* ]]; then
  76          BASEDIR="$BASEDIR$RCSUBDIR.$RCVERSION/"
  77       fi
  78    fi
  79 else
  80    echo "Error: need to specify a version on the command line"
  81    exit 2
  82 fi
  83
  84 #first we fetch the file containing the signature
  85 WGETOUT=$(wget -N "$HOST1$BASEDIR$SIGNATUREFILENAME" 2>&1)
  86
  87 #and then see if wget completed successfully
  88 if [ $? -ne 0 ]; then
  89    echo "Error: couldn't fetch signature file. Have you specified the version number in the following format?"
  90    echo "[$VERSIONPREFIX]<version>-[$RCVERSIONSTRING[0-9]] (example: ${VERSIONPREFIX}0.10.4-${RCVERSIONSTRING}1)"
  91    echo "wget output:"
  92    echo "$WGETOUT"|sed 's/^/\t/g'
  93    exit 2
  94 fi
  95
  96 WGETOUT=$(wget -N -O "$SIGNATUREFILENAME.2" "$HOST2$BASEDIR$SIGNATUREFILENAME" 2>&1)
  97 if [ $? -ne 0 ]; then
  98    echo "bitcoin.org failed to provide signature file, but bitcoincore.org did?"
  99    echo "wget output:"
 100    echo "$WGETOUT"|sed 's/^/\t/g'
 101    clean_up $SIGNATUREFILENAME
 102    exit 3
 103 fi
 104
 105 SIGFILEDIFFS="$(diff $SIGNATUREFILENAME $SIGNATUREFILENAME.2)"
 106 if [ "$SIGFILEDIFFS" != "" ]; then
 107    echo "bitcoin.org and bitcoincore.org signature files were not equal?"
 108    clean_up $SIGNATUREFILENAME $SIGNATUREFILENAME.2
 109    exit 4
 110 fi
 111
 112 #then we check it
 113 GPGOUT=$(gpg --yes --decrypt --output "$TMPFILE" "$SIGNATUREFILENAME" 2>&1)
 114
 115 #return value 0: good signature
 116 #return value 1: bad signature
 117 #return value 2: gpg error
 118
 119 RET="$?"
 120 if [ $RET -ne 0 ]; then
 121    if [ $RET -eq 1 ]; then
 122       #and notify the user if it's bad
 123       echo "Bad signature."
 124    elif [ $RET -eq 2 ]; then
 125       #or if a gpg error has occurred
 126       echo "gpg error. Do you have the Bitcoin Core binary release signing key installed?"
 127    fi
 128
 129    echo "gpg output:"
 130    echo "$GPGOUT"|sed 's/^/\t/g'
 131    clean_up $SIGNATUREFILENAME $SIGNATUREFILENAME.2 $TMPFILE
 132    exit "$RET"
 133 fi
 134
 135 if [ -n "$PLATFORM" ]; then
 136    grep $PLATFORM $TMPFILE > "$TMPFILE-plat"
 137    TMPFILESIZE=$(stat -c%s "$TMPFILE-plat")
 138    if [ $TMPFILESIZE -eq 0 ]; then
 139       echo "error: no files matched the platform specified" && exit 3
 140    fi
 141    mv "$TMPFILE-plat" $TMPFILE
 142 fi
 143
 144 #here we extract the filenames from the signature file
 145 FILES=$(awk '{print $2}' "$TMPFILE")
 146
 147 #and download these one by one
 148 for file in $FILES
 149 do
 150    echo "Downloading $file"
 151    wget --quiet -N "$HOST1$BASEDIR$file"
 152 done
 153
 154 #check hashes
 155 DIFF=$(diff <(sha256sum $FILES) "$TMPFILE")
 156
 157 if [ $? -eq 1 ]; then
 158    echo "Hashes don't match."
 159    echo "Offending files:"
 160    echo "$DIFF"|grep "^<"|awk '{print "\t"$3}'
 161    exit 1
 162 elif [ $? -gt 1 ]; then
 163    echo "Error executing 'diff'"
 164    exit 2
 165 fi
 166
 167 if [ -n "$2" ]; then
 168    echo "Clean up the binaries"
 169    clean_up $FILES $SIGNATUREFILENAME $SIGNATUREFILENAME.2 $TMPFILE
 170 else
 171    echo "Keep the binaries in $WORKINGDIR"
 172    clean_up $TMPFILE
 173 fi
 174
 175 echo -e "Verified hashes of \n$FILES"
 176
 177 exit 0