| b.liu | e958203 | 2025-04-17 19:18:16 +0800 | [diff] [blame] | 1 | #!/usr/bin/env bash |
| 2 | # Script to perform verified file downloads. |
| 3 | # Exit codes: |
| 4 | # 0 - File downloaded successfully and verified |
| 5 | # 1 - Failed to download requested file |
| 6 | # 2 - Failed to download sha256sums file |
| 7 | # 3 - Failed to download sha256sums.gpg file |
| 8 | # 4 - GnuPG is available but fails to verify the signature (missing pubkey, file integrity error, ...) |
| 9 | # 5 - The checksums do not match |
| 10 | # 6 - Unable to copy the requested file to its final destination |
| 11 | # 254 - The script got interrupted by a signal |
| 12 | # 255 - A suitable download or checksum utility is missing |
| 13 | |
| 14 | [ -n "$1" ] || { |
| 15 | echo "$0 - Download and verify build artifacts" |
| 16 | echo "Usage: $0 <url>" >&2 |
| 17 | exit 1 |
| 18 | } |
| 19 | |
| 20 | finish() { |
| 21 | [ -e "/tmp/verify.$$" ] && { |
| 22 | echo "Cleaning up." |
| 23 | rm -r "/tmp/verify.$$" |
| 24 | } |
| 25 | exit "$1" |
| 26 | } |
| 27 | |
| 28 | trap "finish 254" INT TERM |
| 29 | |
| 30 | destdir="$(pwd)" |
| 31 | image_url="$1" |
| 32 | image_file="${image_url##*/}" |
| 33 | sha256_url="${image_url%/*}/sha256sums" |
| 34 | gpgsig_url="${image_url%/*}/sha256sums.asc" |
| 35 | keyserver_url="hkp://keyserver.ubuntu.com" |
| 36 | |
| 37 | # Find a suitable download utility |
| 38 | if which curl >/dev/null; then |
| 39 | download() { curl --progress-bar -o "$1" "$2"; } |
| 40 | elif which wget >/dev/null; then |
| 41 | download() { wget -O "$1" "$2"; } |
| 42 | elif which fetch >/dev/null; then |
| 43 | download() { fetch -o "$1" "$2"; } |
| 44 | else |
| 45 | echo "No suitable download utility found, cannot download files!" >&2 |
| 46 | finish 255 |
| 47 | fi |
| 48 | |
| 49 | # Find a suitable checksum utility |
| 50 | if which sha256sum >/dev/null; then |
| 51 | checksum() { sha256sum -c --ignore-missing "sha256sums"; } |
| 52 | elif which shasum >/dev/null; then |
| 53 | checksum() { |
| 54 | local sum |
| 55 | sum="$(shasum -a 256 "$image_file")"; |
| 56 | grep -xF "${sum%% *} *$image_file" "sha256sums"; |
| 57 | } |
| 58 | else |
| 59 | echo "No SHA256 checksum executable installed, cannot verify checksums!" >&2 |
| 60 | finish 255 |
| 61 | fi |
| 62 | |
| 63 | # Check for gpg availability |
| 64 | if which gpg >/dev/null; then |
| 65 | runpgp() { gpg "$@"; } |
| 66 | else |
| 67 | runpgp() { |
| 68 | echo "WARNING: No GnuPG installed, cannot verify digital signature!" >&2 |
| 69 | return 0 |
| 70 | } |
| 71 | fi |
| 72 | |
| 73 | tmpdir="$(mktemp -d)" |
| 74 | cd "$tmpdir" || { |
| 75 | echo "Failed to create temporary directory!" >&2 |
| 76 | finish 255 |
| 77 | } |
| 78 | |
| 79 | echo "" |
| 80 | echo "1) Downloading artifact file" |
| 81 | echo "=========================" |
| 82 | download "$image_file" "$image_url" || { |
| 83 | echo "Failed to download image file!" >&2 |
| 84 | finish 1 |
| 85 | } |
| 86 | |
| 87 | echo "" |
| 88 | echo "2) Downloading checksum file" |
| 89 | echo "============================" |
| 90 | download "sha256sums" "$sha256_url" || { |
| 91 | echo "Failed to download checksum file!" >&2 |
| 92 | finish 2 |
| 93 | } |
| 94 | |
| 95 | echo "" |
| 96 | echo "3) Downloading the GPG signature" |
| 97 | echo "================================" |
| 98 | download "sha256sums.gpg" "$gpgsig_url" || { |
| 99 | echo "Failed to download GPG signature!" >&2 |
| 100 | finish 3 |
| 101 | } |
| 102 | |
| 103 | echo "" |
| 104 | echo "4) Verifying GPG signature" |
| 105 | echo "==========================" |
| 106 | missing_key=$(runpgp --status-fd 1 --with-fingerprint --verify \ |
| 107 | "sha256sums.gpg" "sha256sums" 2>/dev/null | sed -ne 's!^.* NO_PUBKEY !!p') |
| 108 | |
| 109 | if [ -n "$missing_key" ]; then |
| 110 | echo "The signature was signed by a public key with the id $missing_key" >&2 |
| 111 | echo "which is not present on this system." >&2 |
| 112 | echo "" >&2 |
| 113 | |
| 114 | echo "Provide a public keyserver url below or press enter to accept the" >&2 |
| 115 | echo "default suggestion. Hit Ctrl-C to abort the operation." >&2 |
| 116 | echo "" >&2 |
| 117 | |
| 118 | while true; do |
| 119 | printf 'Keyserver to use? [%s] > ' "$keyserver_url" |
| 120 | read -r url; case "${url:-$keyserver_url}" in |
| 121 | hkp://*) |
| 122 | gpg --keyserver "${url:-$keyserver_url}" --recv-keys "$missing_key" || { |
| 123 | echo "Failed to download public key." >&2 |
| 124 | finish 7 |
| 125 | } |
| 126 | break |
| 127 | ;; |
| 128 | *) |
| 129 | echo "Expecting a key server url in the form 'hkp://hostname'." >&2 |
| 130 | ;; |
| 131 | esac |
| 132 | done |
| 133 | fi |
| 134 | |
| 135 | runpgp --with-fingerprint --verify "sha256sums.gpg" "sha256sums" || { |
| 136 | echo "Failed to verify checksum file with GPG signature!" >&2 |
| 137 | finish 4 |
| 138 | } |
| 139 | |
| 140 | echo "" |
| 141 | echo "5) Verifying SHA256 checksum" |
| 142 | echo "============================" |
| 143 | checksum || { |
| 144 | echo "Checksums do not match!" >&2 |
| 145 | finish 5 |
| 146 | } |
| 147 | |
| 148 | cp "$image_file" "$destdir/$image_file" || { |
| 149 | echo "Failed to write '$destdir/$image_file'" >&2 |
| 150 | finish 6 |
| 151 | } |
| 152 | |
| 153 | echo "" |
| 154 | echo "Verification done!" |
| 155 | echo "==================" |
| 156 | echo "Downloaded artifact placed in '$destdir/$image_file'." |
| 157 | echo "" |
| 158 | |
| 159 | finish 0 |