commit: 279a7ebed5c004e1da3df8fa77c783a1e42ab955
Author: Ian Stakenvicius <axs <AT> gentoo <DOT> org>
AuthorDate: Wed Apr 27 14:43:07 2016 +0000
Commit: Ian Stakenvicius <axs <AT> gentoo <DOT> org>
CommitDate: Wed Apr 27 14:43:10 2016 +0000
URL: https://gitweb.gentoo.org/proj/mozilla.git/commit/?id=279a7ebe
added script that helps with verifying SHA512 hashes of distfiles against
upstream
The script also checks that the signature of the SHA512SUMS file is valid, though the trust
of the mozilla key used is entirely up to the user to verify and validate.
scripts/verify_distfiles.sh | 63 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 63 insertions(+)
diff --git a/scripts/verify_distfiles.sh b/scripts/verify_distfiles.sh
new file mode 100755
index 0000000..b418620
--- /dev/null
+++ b/scripts/verify_distfiles.sh
@@ -0,0 +1,63 @@
+#!/bin/sh
+
+# Script to check distfiles against SHA512SUMS in upstream repo
+# Note - your gpg setup needs to have the mozilla release key imported for
signature verification
+# Author: Ian Stakenvicius
+# 2016-03-10
+
+check_distfiles() {
+ local myver myname tmp
+ myname=$(qatom $1 |awk '{print $2}')
+ mybasename=${myname/-bin/}
+ if grep 'MOZ_ESR=""' $1 &>/dev/null || [[ -n $(grep -L MOZ_ESR $1) ]] ;
then
+ myver=$(qatom $1 |awk '{print $3}')
+ else
+ myver=$(qatom $1 |awk '{print $3 "esr"}')
+ fi
+
+ sigfile=$(mktemp)
+ wget -O ${sigfile}.asc -q
https://archive.mozilla.org/pub/${mybasename}/releases/${myver}/SHA512SUMS.asc
+ wget -O ${sigfile} -q
https://archive.mozilla.org/pub/${mybasename}/releases/${myver}/SHA512SUMS
+ gpg --verify ${sigfile}.asc ${sigfile} || exit 1
+
+ grep -e "^DIST ${mybasename}-${myver}[-\.]" \
+ -e "^DIST ${myname}_.*-${myver}[-\.]" \
+ Manifest
+ exit 1
+
+ grep -e "^DIST ${myname}-${myver}[-\.]" \
+ -e "^DIST ${mybasename}_.*-${myver}[-\.]" \
+ Manifest |grep -v -- "${myname}-.*-patches-" |awk '{print $7}' |while
read ech ; do
+ tmp=$(grep ${ech} Manifest |awk '{print $2}')
+ if grep $ech ${sigfile} &>/dev/null ; then
+ echo -n $tmp
+ grep ${ech} ${sigfile} |awk '{print " -> " $2 " OK"}'
+ else
+ echo -n "ERROR - no file with sum ${ech} found --
${tmp}"
+ exit 1
+ fi
+ done
+ rm -f ${sigfile}.asc ${sigfile}
+}
+
+
+if [[ ! -e Manifest ]]; then
+ echo "ERROR - must be run in the directory of the package (with ebuilds
and Manifest)"
+ echo "USAGE: $0 [ebuild file(s)]"
+ exit 1
+fi
+
+ebuild_list=( "$@" )
+if [ "$#" -eq 0 ]; then
+ echo "No arguments specified, verifying all ebuilds in current
directory"
+ ebuild_list=( *.ebuild )
+fi
+
+for ebuild in "${ebuild_list[@]}"; do
+ echo "Checking $ebuild"
+ if [[ -e $ebuild ]]; then
+ check_distfiles $ebuild
+ else
+ echo "ERROR - $ebuild does not exist, skipping"
+ fi
+done
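Review bot: The bare `exit 1` right after the first `grep ... Manifest` in check_distfiles ends the script before the comparison loop runs, so no Manifest hash is ever checked against the downloaded SHA512SUMS; it looks like leftover debugging and should be dropped together with that grep. The `exit 1` in the loop's error branch only leaves the subshell created by the `| while read ech` pipeline, so a missing sum would not fail the script either; ending the loop with `done || exit 1` propagates it. `gpg --verify ${sigfile}.asc ${sigfile} || exit 1` accepts a good signature from any key in the caller's keyring and exits without removing the two temp files; consider comparing the signer's fingerprint with the expected Mozilla release key and cleaning up through `trap 'rm -f "${sigfile}" "${sigfile}.asc"' EXIT`. The shebang is `#!/bin/sh` while the script uses `[[ ]]`, arrays, `&>` and `${myname/-bin/}`, so it should read `#!/bin/bash`.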