2 # Copyright (c) 2016 The Bitcoin Core developers
3 # Distributed under the MIT software license, see the accompanying
4 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
### This script downloads the signature file SHA256SUMS.asc from both
### bitcoincore.org and bitcoin.org and compares the two copies.
### It first checks that the signature is valid, then downloads the files listed in
### the signed file, and checks that the hashes of these files match those listed
### in the signature file.
### The script returns 0 if everything passes the checks. It returns 1 if either the
### signature check or the hash check doesn't pass. If an error occurs the return value is 2.
### (As written, the script also exits with 3 when no file in the signed list matches
### the requested platform.)
17 rm "$file" 2> /dev
/null
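# Scratch directory that holds the signature file, the hash list and the
# downloaded binaries.
# NOTE(review): this is a fixed, predictable path under world-writable /tmp.
# On a multi-user host another local account can create the directory first,
# or plant files or symlinks in it, and the script would then work inside a
# directory it does not control. A per-user location or a directory created
# with `mktemp -d` avoids this; if the fixed path is kept, check its ownership
# and mode before reusing it.
WORKINGDIR="/tmp/bitcoin_verify_binaries"

# Name of the signed hash list published alongside each release.
SIGNATUREFILENAME="SHA256SUMS.asc"

# The signature file is fetched from both hosts and the two copies are
# compared, so a single tampered mirror is noticed before any hash is trusted.
HOST1="https://bitcoincore.org"
HOST2="https://bitcoin.org"

# Prefix that the version argument is normalised to before it is parsed.
VERSIONPREFIX="bitcoin-core-"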
32 if [ ! -d "$WORKINGDIR" ]; then
36 cd "$WORKINGDIR" ||
exit 1
38 #test if a version number has been passed as an argument
40 #let's also check if the version number includes the prefix 'bitcoin-',
41 # and add this prefix if it doesn't
42 if [[ $1 == "$VERSIONPREFIX"* ]]; then
45 VERSION
="$VERSIONPREFIX$1"
48 STRIPPEDLAST
="${VERSION%-*}"
50 #now let's see if the version string contains "rc" or a platform name (e.g. "osx")
51 if [[ "$STRIPPEDLAST-" == "$VERSIONPREFIX" ]]; then
52 BASEDIR
="$BASEDIR$VERSION/"
54 # let's examine the last part to see if it's rc and/or platform name
55 STRIPPEDNEXTTOLAST
="${STRIPPEDLAST%-*}"
56 if [[ "$STRIPPEDNEXTTOLAST-" == "$VERSIONPREFIX" ]]; then
58 LASTSUFFIX
="${VERSION##*-}"
59 VERSION
="$STRIPPEDLAST"
61 if [[ $LASTSUFFIX == *"$RCVERSIONSTRING"* ]]; then
62 RCVERSION
="$LASTSUFFIX"
64 PLATFORM
="$LASTSUFFIX"
68 RCVERSION
="${STRIPPEDLAST##*-}"
69 PLATFORM
="${VERSION##*-}"
71 VERSION
="$STRIPPEDNEXTTOLAST"
74 BASEDIR
="$BASEDIR$VERSION/"
75 if [[ $RCVERSION == *"$RCVERSIONSTRING"* ]]; then
76 BASEDIR
="$BASEDIR$RCSUBDIR.$RCVERSION/"
80 echo "Error: need to specify a version on the command line"
84 #first we fetch the file containing the signature
85 WGETOUT
=$
(wget
-N "$HOST1$BASEDIR$SIGNATUREFILENAME" 2>&1)
87 #and then see if wget completed successfully
89 echo "Error: couldn't fetch signature file. Have you specified the version number in the following format?"
90 echo "[$VERSIONPREFIX]<version>-[$RCVERSIONSTRING[0-9]] (example: ${VERSIONPREFIX}0.10.4-${RCVERSIONSTRING}1)"
92 echo "$WGETOUT"|
sed 's/^/\t/g'
96 WGETOUT
=$
(wget
-N -O "$SIGNATUREFILENAME.2" "$HOST2$BASEDIR$SIGNATUREFILENAME" 2>&1)
98 echo "bitcoin.org failed to provide signature file, but bitcoincore.org did?"
100 echo "$WGETOUT"|
sed 's/^/\t/g'
101 clean_up
$SIGNATUREFILENAME
105 SIGFILEDIFFS
="$(diff $SIGNATUREFILENAME $SIGNATUREFILENAME.2)"
106 if [ "$SIGFILEDIFFS" != "" ]; then
107 echo "bitcoin.org and bitcoincore.org signature files were not equal?"
108 clean_up
$SIGNATUREFILENAME $SIGNATUREFILENAME.2
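# Verify the clearsigned hash list and write the signed payload to $TMPFILE.
# Run on a clearsigned file, `gpg --decrypt` checks the signature and emits
# the signed body, so the hash list read from $TMPFILE later is the text that
# was actually signed rather than the raw download. gpg's combined
# stdout/stderr is kept in GPGOUT so it can be shown if the check fails.
#
# NOTE(review): a zero exit status only means that some key in the caller's
# keyring produced a valid signature. Nothing on the visible lines pins the
# signer to the release key's fingerprint, and key expiry or revocation is not
# examined here. A stricter check would read `gpg --status-fd` output and
# compare the VALIDSIG fingerprint with the expected release key.
#
# The status is tested further down as $RET (presumably captured from $? on a
# line not shown in this listing); no command may run between this assignment
# and that capture, or $? is overwritten.
GPGOUT=$(gpg --yes --decrypt --output "$TMPFILE" "$SIGNATUREFILENAME" 2>&1)

#return value 0: good signature
#return value 1: bad signature
#return value 2: gpg error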
120 if [ $RET -ne 0 ]; then
121 if [ $RET -eq 1 ]; then
122 #and notify the user if it's bad
123 echo "Bad signature."
124 elif [ $RET -eq 2 ]; then
125 #or if a gpg error has occurred
126 echo "gpg error. Do you have the Bitcoin Core binary release signing key installed?"
130 echo "$GPGOUT"|
sed 's/^/\t/g'
131 clean_up
$SIGNATUREFILENAME $SIGNATUREFILENAME.2 $TMPFILE
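# When a platform suffix was given on the command line, narrow the signed hash
# list to the entries that mention it, so that only those files are downloaded
# and checked afterwards.
if [ -n "$PLATFORM" ]; then
  # PLATFORM is derived from the command-line argument. Quote every expansion
  # so it is not word-split or glob-expanded before grep sees it, and end
  # option parsing with "--".
  # NOTE(review): the value is still used as a regular expression and matched
  # against whole lines (hash column included), so a very short platform
  # string can select more entries than intended.
  grep -- "$PLATFORM" "$TMPFILE" > "$TMPFILE-plat"

  # -s is true only for an existing, non-empty file. This replaces the
  # GNU-only `stat -c%s` size probe and also covers the case where the
  # filtered file could not be created at all.
  if [ ! -s "$TMPFILE-plat" ]; then
    echo "error: no files matched the platform specified" && exit 3
  fi

  mv "$TMPFILE-plat" "$TMPFILE"
fi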
144 #here we extract the filenames from the signature file
145 FILES
=$
(awk '{print $2}' "$TMPFILE")
147 #and download these one by one
150 echo "Downloading $file"
151 wget
--quiet -N "$HOST1$BASEDIR$file"
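# Recompute the SHA-256 of every downloaded file and compare the result, line
# for line, with the signed hash list in $TMPFILE.
# $FILES is deliberately unquoted: it holds a whitespace-separated list of
# file names taken from the signed list and must expand to one argument each.
DIFF=$(diff <(sha256sum $FILES) "$TMPFILE")

# Capture diff's status exactly once. Testing $? again in the elif would read
# the status of the preceding `[` test (1 whenever the first branch is
# skipped), so a diff failure (status > 1) would never be reported and the
# script would carry on as if the hashes had been verified.
DIFFRET=$?

# Exit codes follow the script's header comment: 1 for a failed hash check,
# 2 for an error.
if [ "$DIFFRET" -eq 1 ]; then
  echo "Hashes don't match."
  echo "Offending files:"
  # Lines starting with "<" come from the locally computed side of the diff;
  # field 3 of such a line is the file name.
  echo "$DIFF" | grep "^<" | awk '{print "\t"$3}'
  exit 1
elif [ "$DIFFRET" -gt 1 ]; then
  echo "Error executing 'diff'"
  exit 2
fi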
168 echo "Clean up the binaries"
169 clean_up
$FILES $SIGNATUREFILENAME $SIGNATUREFILENAME.2 $TMPFILE
171 echo "Keep the binaries in $WORKINGDIR"
175 echo -e "Verified hashes of \n$FILES"