2 # Copyright (c) 2016 The Bitcoin Core developers
3 # Distributed under the MIT software license, see the accompanying
4 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
6 ### This script attempts to download the signature file SHA256SUMS.asc from
7 ### bitcoincore.org and bitcoin.org and compares them.
8 ### It first checks if the signature passes, and then downloads the files specified in
9 ### the file, and checks if the hashes of these files match those that are specified
10 ### in the signature file.
11 ### The script returns 0 if everything passes the checks. It returns 1 if either the
12 ### signature check or the hash check doesn't pass. If an error occurs the return value is 2
17 rm "$file" 2> /dev
/null
21 WORKINGDIR
="/tmp/bitcoin_verify_binaries"
24 SIGNATUREFILENAME
="SHA256SUMS.asc"
26 HOST1
="https://bitcoincore.org"
27 HOST2
="https://bitcoin.org"
29 VERSIONPREFIX
="bitcoin-core-"
32 if [ ! -d "$WORKINGDIR" ]; then
38 #test if a version number has been passed as an argument
40 #let's also check if the version number includes the prefix 'bitcoin-',
41 # and add this prefix if it doesn't
42 if [[ $1 == "$VERSIONPREFIX"* ]]; then
45 VERSION
="$VERSIONPREFIX$1"
48 STRIPPEDLAST
="${VERSION%-*}"
50 #now let's see if the version string contains "rc" or a platform name (e.g. "osx")
51 if [[ "$STRIPPEDLAST-" == "$VERSIONPREFIX" ]]; then
52 BASEDIR
="$BASEDIR$VERSION/"
54 # let's examine the last part to see if it's rc and/or platform name
55 STRIPPEDNEXTTOLAST
="${STRIPPEDLAST%-*}"
56 if [[ "$STRIPPEDNEXTTOLAST-" == "$VERSIONPREFIX" ]]; then
58 LASTSUFFIX
="${VERSION##*-}"
59 VERSION
="$STRIPPEDLAST"
61 if [[ $LASTSUFFIX == *"$RCVERSIONSTRING"* ]]; then
62 RCVERSION
="$LASTSUFFIX"
64 PLATFORM
="$LASTSUFFIX"
68 RCVERSION
="${STRIPPEDLAST##*-}"
69 PLATFORM
="${VERSION##*-}"
71 VERSION
="$STRIPPEDNEXTTOLAST"
74 BASEDIR
="$BASEDIR$VERSION/"
75 if [[ $RCVERSION == *"$RCVERSIONSTRING"* ]]; then
76 BASEDIR
="$BASEDIR$RCSUBDIR.$RCVERSION/"
80 SIGNATUREFILE
="$BASEDIR$SIGNATUREFILENAME"
82 echo "Error: need to specify a version on the command line"
86 #first we fetch the file containing the signature
87 WGETOUT
=$
(wget
-N "$HOST1$BASEDIR$SIGNATUREFILENAME" 2>&1)
89 #and then see if wget completed successfully
91 echo "Error: couldn't fetch signature file. Have you specified the version number in the following format?"
92 echo "[$VERSIONPREFIX]<version>-[$RCVERSIONSTRING[0-9]] (example: "$VERSIONPREFIX"0.10.4-"$RCVERSIONSTRING"1)"
94 echo "$WGETOUT"|
sed 's/^/\t/g'
98 WGETOUT
=$
(wget
-N -O "$SIGNATUREFILENAME.2" "$HOST2$BASEDIR$SIGNATUREFILENAME" 2>&1)
100 echo "bitcoin.org failed to provide signature file, but bitcoincore.org did?"
102 echo "$WGETOUT"|
sed 's/^/\t/g'
103 clean_up
$SIGNATUREFILENAME
107 SIGFILEDIFFS
="$(diff $SIGNATUREFILENAME $SIGNATUREFILENAME.2)"
108 if [ "$SIGFILEDIFFS" != "" ]; then
109 echo "bitcoin.org and bitcoincore.org signature files were not equal?"
110 clean_up
$SIGNATUREFILENAME $SIGNATUREFILENAME.2
115 GPGOUT
=$
(gpg
--yes --decrypt --output "$TMPFILE" "$SIGNATUREFILENAME" 2>&1)
117 #return value 0: good signature
118 #return value 1: bad signature
119 #return value 2: gpg error
122 if [ $RET -ne 0 ]; then
123 if [ $RET -eq 1 ]; then
124 #and notify the user if it's bad
125 echo "Bad signature."
126 elif [ $RET -eq 2 ]; then
127 #or if a gpg error has occurred
128 echo "gpg error. Do you have the Bitcoin Core binary release signing key installed?"
132 echo "$GPGOUT"|
sed 's/^/\t/g'
133 clean_up
$SIGNATUREFILENAME $SIGNATUREFILENAME.2 $TMPFILE
137 if [ -n "$PLATFORM" ]; then
138 grep $PLATFORM $TMPFILE > "$TMPFILE-plat"
139 TMPFILESIZE
=$
(stat
-c%s
"$TMPFILE-plat")
140 if [ $TMPFILESIZE -eq 0 ]; then
141 echo "error: no files matched the platform specified" && exit 3
143 mv "$TMPFILE-plat" $TMPFILE
146 #here we extract the filenames from the signature file
147 FILES
=$
(awk '{print $2}' "$TMPFILE")
149 #and download these one by one
152 echo "Downloading $file"
153 wget
--quiet -N "$HOST1$BASEDIR$file"
157 DIFF
=$
(diff <(sha256sum
$FILES) "$TMPFILE")
159 if [ $?
-eq 1 ]; then
160 echo "Hashes don't match."
161 echo "Offending files:"
162 echo "$DIFF"|
grep "^<"|
awk '{print "\t"$3}'
164 elif [ $?
-gt 1 ]; then
165 echo "Error executing 'diff'"
170 echo "Clean up the binaries"
171 clean_up
$FILES $SIGNATUREFILENAME $SIGNATUREFILENAME.2 $TMPFILE
173 echo "Keep the binaries in $WORKINGDIR"
177 echo -e "Verified hashes of \n$FILES"