contrib/verifybinaries/verify.sh

   1 #!/bin/bash
   2 # Copyright (c) 2016 The Bitcoin Core developers
   3 # Distributed under the MIT software license, see the accompanying
   4 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
   5
   6 ###   This script attempts to download the signature file SHA256SUMS.asc from
   7 ###   bitcoincore.org and bitcoin.org and compares them.
   8 ###   It first checks if the signature passes, and then downloads the files specified in
   9 ###   the file, and checks if the hashes of these files match those that are specified
  10 ###   in the signature file.
  11 ###   The script returns 0 if everything passes the checks. It returns 1 if either the
  12 ###   signature check or the hash check doesn't pass. If an error occurs the return value is 2
  13
  14 function clean_up {
  15    for file in $*
  16    do
  17       rm "$file" 2> /dev/null
  18    done
  19 }
  20
  21 WORKINGDIR="/tmp/bitcoin_verify_binaries"
  22 TMPFILE="hashes.tmp"
  23
  24 SIGNATUREFILENAME="SHA256SUMS.asc"
  25 RCSUBDIR="test"
  26 HOST1="https://bitcoincore.org"
  27 HOST2="https://bitcoin.org"
  28 BASEDIR="/bin/"
  29 VERSIONPREFIX="bitcoin-core-"
  30 RCVERSIONSTRING="rc"
  31
  32 if [ ! -d "$WORKINGDIR" ]; then
  33    mkdir "$WORKINGDIR"
  34 fi
  35
  36 cd "$WORKINGDIR"
  37
  38 #test if a version number has been passed as an argument
  39 if [ -n "$1" ]; then
  40    #let's also check if the version number includes the prefix 'bitcoin-',
  41    #  and add this prefix if it doesn't
  42    if [[ $1 == "$VERSIONPREFIX"* ]]; then
  43       VERSION="$1"
  44    else
  45       VERSION="$VERSIONPREFIX$1"
  46    fi
  47
  48    STRIPPEDLAST="${VERSION%-*}"
  49
  50    #now let's see if the version string contains "rc" or a platform name (e.g. "osx")
  51    if [[ "$STRIPPEDLAST-" == "$VERSIONPREFIX" ]]; then
  52       BASEDIR="$BASEDIR$VERSION/"
  53    else
  54       # let's examine the last part to see if it's rc and/or platform name
  55       STRIPPEDNEXTTOLAST="${STRIPPEDLAST%-*}"
  56       if [[ "$STRIPPEDNEXTTOLAST-" == "$VERSIONPREFIX" ]]; then
  57
  58          LASTSUFFIX="${VERSION##*-}"
  59          VERSION="$STRIPPEDLAST"
  60
  61          if [[ $LASTSUFFIX == *"$RCVERSIONSTRING"* ]]; then
  62             RCVERSION="$LASTSUFFIX"
  63          else
  64             PLATFORM="$LASTSUFFIX"
  65          fi
  66
  67       else
  68          RCVERSION="${STRIPPEDLAST##*-}"
  69          PLATFORM="${VERSION##*-}"
  70
  71          VERSION="$STRIPPEDNEXTTOLAST"
  72       fi
  73
  74       BASEDIR="$BASEDIR$VERSION/"
  75       if [[ $RCVERSION == *"$RCVERSIONSTRING"* ]]; then
  76          BASEDIR="$BASEDIR$RCSUBDIR.$RCVERSION/"
  77       fi
  78    fi
  79
  80    SIGNATUREFILE="$BASEDIR$SIGNATUREFILENAME"
  81 else
  82    echo "Error: need to specify a version on the command line"
  83    exit 2
  84 fi
  85
  86 #first we fetch the file containing the signature
  87 WGETOUT=$(wget -N "$HOST1$BASEDIR$SIGNATUREFILENAME" 2>&1)
  88
  89 #and then see if wget completed successfully
  90 if [ $? -ne 0 ]; then
  91    echo "Error: couldn't fetch signature file. Have you specified the version number in the following format?"
  92    echo "[$VERSIONPREFIX]<version>-[$RCVERSIONSTRING[0-9]] (example: "$VERSIONPREFIX"0.10.4-"$RCVERSIONSTRING"1)"
  93    echo "wget output:"
  94    echo "$WGETOUT"|sed 's/^/\t/g'
  95    exit 2
  96 fi
  97
  98 WGETOUT=$(wget -N -O "$SIGNATUREFILENAME.2" "$HOST2$BASEDIR$SIGNATUREFILENAME" 2>&1)
  99 if [ $? -ne 0 ]; then
 100    echo "bitcoin.org failed to provide signature file, but bitcoincore.org did?"
 101    echo "wget output:"
 102    echo "$WGETOUT"|sed 's/^/\t/g'
 103    clean_up $SIGNATUREFILENAME
 104    exit 3
 105 fi
 106
 107 SIGFILEDIFFS="$(diff $SIGNATUREFILENAME $SIGNATUREFILENAME.2)"
 108 if [ "$SIGFILEDIFFS" != "" ]; then
 109    echo "bitcoin.org and bitcoincore.org signature files were not equal?"
 110    clean_up $SIGNATUREFILENAME $SIGNATUREFILENAME.2
 111    exit 4
 112 fi
 113
 114 #then we check it
 115 GPGOUT=$(gpg --yes --decrypt --output "$TMPFILE" "$SIGNATUREFILENAME" 2>&1)
 116
 117 #return value 0: good signature
 118 #return value 1: bad signature
 119 #return value 2: gpg error
 120
 121 RET="$?"
 122 if [ $RET -ne 0 ]; then
 123    if [ $RET -eq 1 ]; then
 124       #and notify the user if it's bad
 125       echo "Bad signature."
 126    elif [ $RET -eq 2 ]; then
 127       #or if a gpg error has occurred
 128       echo "gpg error. Do you have the Bitcoin Core binary release signing key installed?"
 129    fi
 130
 131    echo "gpg output:"
 132    echo "$GPGOUT"|sed 's/^/\t/g'
 133    clean_up $SIGNATUREFILENAME $SIGNATUREFILENAME.2 $TMPFILE
 134    exit "$RET"
 135 fi
 136
 137 if [ -n "$PLATFORM" ]; then
 138    grep $PLATFORM $TMPFILE > "$TMPFILE-plat"
 139    TMPFILESIZE=$(stat -c%s "$TMPFILE-plat")
 140    if [ $TMPFILESIZE -eq 0 ]; then
 141       echo "error: no files matched the platform specified" && exit 3
 142    fi
 143    mv "$TMPFILE-plat" $TMPFILE
 144 fi
 145
 146 #here we extract the filenames from the signature file
 147 FILES=$(awk '{print $2}' "$TMPFILE")
 148
 149 #and download these one by one
 150 for file in $FILES
 151 do
 152    echo "Downloading $file"
 153    wget --quiet -N "$HOST1$BASEDIR$file"
 154 done
 155
 156 #check hashes
 157 DIFF=$(diff <(sha256sum $FILES) "$TMPFILE")
 158
 159 if [ $? -eq 1 ]; then
 160    echo "Hashes don't match."
 161    echo "Offending files:"
 162    echo "$DIFF"|grep "^<"|awk '{print "\t"$3}'
 163    exit 1
 164 elif [ $? -gt 1 ]; then
 165    echo "Error executing 'diff'"
 166    exit 2
 167 fi
 168
 169 if [ -n "$2" ]; then
 170    echo "Clean up the binaries"
 171    clean_up $FILES $SIGNATUREFILENAME $SIGNATUREFILENAME.2 $TMPFILE
 172 else
 173    echo "Keep the binaries in $WORKINGDIR"
 174    clean_up $TMPFILE
 175 fi
 176
 177 echo -e "Verified hashes of \n$FILES"
 178
 179 exit 0