mirrors/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-20 10:12:15 +01:00
Code Issues Projects Releases Wiki Activity

Add a make-signature.sh script.

Browse Source
This commit is contained in:
Nick Mathewson 2011-01-15 15:00:41 -05:00
parent 07888ed8e4
commit 6ccb16438a
1 changed files with 77 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
contrib/make-signature.sh Executable file
View File

@ -0,0 +1,77 @@
#!/bin/sh
if test "$1" = "" ; then
echo "I need a package as an argument."
exit 1
fi
PACKAGEFILE=$1
if test ! -f "$PACKAGEFILE" ; then
echo "$PACKAGEFILE is not a file."
exit 1
fi
DIGESTNAME=sha256
DIGESTOUTPUT=`gpg --print-md $DIGESTNAME $PACKAGEFILE`
RAWDIGEST=`gpg --print-md $DIGESTNAME $PACKAGEFILE | sed -e 's/^[^ ]*: //' `
# These regexes are a little fragile, but I think they work for us.
VERSION=`echo $PACKAGEFILE | sed -e 's/^[a-z\-]*//' -e 's/\.[\.a-z]*$//' `
PACKAGE=`echo $PACKAGEFILE | sed -e 's/-[0-9].*//'`
SIGFILE_UNSIGNED="$PACKAGE-$VERSION-signature"
SIGNATUREFILE="$SIGFILE_UNSIGNED.asc"
cat >$SIGFILE_UNSIGNED <<EOF
This is the signature file for "$PACKAGEFILE",
which contains version "$VERSION" of "$PACKAGE".
Here's how to check this signature.
1) Make sure that this is really a signature file, and not a forgery,
with:
"gpg --verify $SIGNATUREFILE"
The key should be one of the keys that signs the Tor release; the
official Tor website has more information on those.
If this step fails, then either you are missing the correct key, or
this signature file was not really signed by a Tor packager.
Beware!
2) Make sure that the package you wanted is indeed "$PACKAGE", and that
its version you wanted is indeed "$VERSION". If you wanted a
different package, or a different version, this signature file is
not the right one!
3) Now that you're sure you have the right signature file, make sure
that you got the right package. Check its $DIGESTNAME digest with
"gpg --print-md $DIGESTNAME $PACKAGEFILE"
The output should match this, exactly:
$DIGESTOUTPUT
Make sure that every part of the output matches: don't just check the
first few characters. If the digest does not match, you do not have
the right package file. It could even be a forgery.
Frequentlty asked questions:
Q: Why not just sign the package file, like you used to do?
A: GPG signatures authenticate file contents, but not file names. If
somebody gave you a renamed file with a matching renamed signature
file, the signature would still be given as "valid".
--
FILENAME: $PACKAGEFILE
PACKAGE: $PACKAGE
VERSION: $VERSION
DIGESTALG: $DIGESTNAME
DIGEST: $RAWDIGEST
EOF
gpg --clearsign $SIGFILE_UNSIGNED