contrib/make-signature.sh

   1 #!/bin/sh
   2
   3 set -eu
   4
   5 if test "$1" = "" ; then
   6     echo "I need a package as an argument."
   7     exit 1
   8 fi
   9
  10 PACKAGEFILE=$1
  11
  12 if test ! -f "$PACKAGEFILE" ; then
  13     echo "$PACKAGEFILE is not a file."
  14     exit 1
  15 fi
  16
  17 DIGESTNAME=sha256
  18 DIGESTOUTPUT=`gpg --print-md $DIGESTNAME $PACKAGEFILE`
  19
  20 RAWDIGEST=`gpg --print-md $DIGESTNAME $PACKAGEFILE | sed -e 's/^[^ ]*: //' `
  21
  22 # These regexes are a little fragile, but I think they work for us.
  23 VERSION=`echo $PACKAGEFILE | sed -e 's/^[a-z\-]*//' -e 's/\.[\.a-z]*$//' `
  24 PACKAGE=`echo $PACKAGEFILE | sed -e 's/-[0-9].*//'`
  25 SIGFILE_UNSIGNED="$PACKAGE-$VERSION-signature"
  26 SIGNATUREFILE="$SIGFILE_UNSIGNED.asc"
  27
  28 cat >$SIGFILE_UNSIGNED <<EOF
  29 This is the signature file for "$PACKAGEFILE",
  30 which contains version "$VERSION" of "$PACKAGE".
  31
  32 Here's how to check this signature.
  33
  34 1) Make sure that this is really a signature file, and not a forgery,
  35    with:
  36
  37      "gpg --verify $SIGNATUREFILE"
  38
  39    The key should be one of the keys that signs the Tor release; the
  40    official Tor website has more information on those.
  41
  42    If this step fails, then either you are missing the correct key, or
  43    this signature file was not really signed by a Tor packager.
  44    Beware!
  45
  46 2) Make sure that the package you wanted is indeed "$PACKAGE", and that
  47    its version you wanted is indeed "$VERSION".  If you wanted a
  48    different package, or a different version, this signature file is
  49    not the right one!
  50
  51 3) Now that you're sure you have the right signature file, make sure
  52    that you got the right package.  Check its $DIGESTNAME digest with
  53
  54      "gpg --print-md $DIGESTNAME $PACKAGEFILE"
  55
  56    The output should match this, exactly:
  57
  58 $DIGESTOUTPUT
  59
  60    Make sure that every part of the output matches: don't just check the
  61    first few characters.  If the digest does not match, you do not have
  62    the right package file.  It could even be a forgery.
  63
  64 Frequently asked questions:
  65
  66 Q: Why not just sign the package file, like you used to do?
  67 A: GPG signatures authenticate file contents, but not file names.  If
  68    somebody gave you a renamed file with a matching renamed signature
  69    file, the signature would still be given as "valid".
  70
  71 --
  72 FILENAME: $PACKAGEFILE
  73 PACKAGE: $PACKAGE
  74 VERSION: $VERSION
  75 DIGESTALG: $DIGESTNAME
  76 DIGEST: $RAWDIGEST
  77 EOF
  78
  79 gpg --clearsign $SIGFILE_UNSIGNED