From 548b92b3e5b3df4004338c9cd97d63aed689539c Mon Sep 17 00:00:00 2001
From: Devin Chalmers
Date: Wed, 14 Jan 2015 00:53:39 -0800
Subject: [PATCH] Verify GPG signatures for OpenSSL / libevent / tor
---
 scripts/build-libevent.sh | 25 +++++++++++++++++++++++++
 scripts/build-openssl.sh | 25 +++++++++++++++++++++++++
 scripts/build-tor.sh | 24 ++++++++++++++++++++++++
 3 files changed, 74 insertions(+)
diff --git a/scripts/build-libevent.sh b/scripts/build-libevent.sh
index 0d54ae9..023f032 100755
--- a/scripts/build-libevent.sh
+++ b/scripts/build-libevent.sh
@@ -1,10 +1,35 @@
 #!/bin/bash
 set -e
 
+VERIFYGPG=true
+
 if [ ! -e "libevent-${LIBEVENT_VERSION}.tar.gz" ]; then
 curl -LO "https://github.com/downloads/libevent/libevent/libevent-${LIBEVENT_VERSION}.tar.gz" --retry 5
 fi
 
+# Download GPG signature
+if [ ! -e "libevent-${OPENSSL_VERSION}.tar.gz.asc" ]; then
+ curl -LO "https://github.com/downloads/libevent/libevent/libevent-${LIBEVENT_VERSION}.tar.gz.asc" --retry 5
+fi
+
+# Verify signature
+if $VERIFYGPG; then
+ if out=$(gpg --status-fd 1 --verify "libevent-${LIBEVENT_VERSION}.tar.gz.asc" "libevent-${LIBEVENT_VERSION}.tar.gz" 2>/dev/null)
+    echo "$out" | grep -qs "^\[GNUPG:\] VALIDSIG"; then
+ echo "$out" | egrep "GOODSIG|VALIDSIG"
+ echo "Verified libevent GPG signature..."
+ elif echo "$out" | grep -qs "^\[GNUPG:\] BADSIG"; then
+ echo "$out" >&2
+ echo "Invalid signature for libevent!"
+ echo "It might be time to freak out!"
+ exit 1
+ else
+ echo "Couldn't verify libevent signature."
+ echo "Have you imported a libevent public key?"
+ exit 1
+ fi
+fi
+
 # Extract source
 rm -rf "libevent-${LIBEVENT_VERSION}"
 tar zxf "libevent-${LIBEVENT_VERSION}.tar.gz"
diff --git a/scripts/build-openssl.sh b/scripts/build-openssl.sh
index bb351d9..efc1557 100755
--- a/scripts/build-openssl.sh
+++ b/scripts/build-openssl.sh
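Review bot: The `grep -qs "^\[GNUPG:\] VALIDSIG"` test in the new verify block passes for a signature made by any key present in the builder's keyring, whatever its trust, so a stray or mistakenly imported key is enough to take the success branch; the `VALIDSIG` status line carries the signer's fingerprint, so pin it, e.g. `grep -qs "^\[GNUPG:\] VALIDSIG <EXPECTED_LIBEVENT_FPR>"` with the fingerprint declared next to `VERIFYGPG=true`. The same applies to the verify blocks in the OpenSSL and Tor hunks. Separately, the existence test for the signature reads `libevent-${OPENSSL_VERSION}.tar.gz.asc` while the download writes `libevent-${LIBEVENT_VERSION}.tar.gz.asc`, so the `.asc` is re-fetched on every run; the test should be `if [ ! -e "libevent-${LIBEVENT_VERSION}.tar.gz.asc" ]; then`. As shown here the `out=$(gpg …)` assignment and the `grep` are two separate commands in the `if` list, so gpg's own exit status never feeds the decision; if the `&&` is really absent rather than lost in transit, join them with `out=$(gpg … 2>/dev/null) &&` so the two checks are read together.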
@@ -1,11 +1,36 @@
 #!/bin/bash
 set -e
 
+VERIFYGPG=true
+
 # Download source
 if [ ! -e "openssl-${OPENSSL_VERSION}.tar.gz" ]; then
 curl -O "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz" --retry 5
 fi
 
+# Download GPG signature
+if [ ! -e "openssl-${OPENSSL_VERSION}.tar.gz.asc" ]; then
+ curl -O "http://openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz.asc" --retry 5
+fi
+
+# Verify signature
+if $VERIFYGPG; then
+ if out=$(gpg --status-fd 1 --verify "openssl-${OPENSSL_VERSION}.tar.gz.asc" "openssl-${OPENSSL_VERSION}.tar.gz" 2>/dev/null)
+    echo "$out" | grep -qs "^\[GNUPG:\] VALIDSIG"; then
+ echo "$out" | egrep "GOODSIG|VALIDSIG"
+ echo "Verified OpenSSL GPG signature..."
+ elif echo "$out" | grep -qs "^\[GNUPG:\] BADSIG"; then
+ echo "$out" >&2
+ echo "Invalid signature for OpenSSL!"
+ echo "It might be time to freak out!"
+ exit 1
+ else
+ echo "Couldn't verify OpenSSL signature."
+ echo "Have you imported an OpenSSL public key?"
+ exit 1
+ fi
+fi
+
 # Extract source
 rm -rf "openssl-${OPENSSL_VERSION}"
 tar zxf "openssl-${OPENSSL_VERSION}.tar.gz"
diff --git a/scripts/build-tor.sh b/scripts/build-tor.sh
index 5c6f2af..842a4f7 100755
--- a/scripts/build-tor.sh
+++ b/scripts/build-tor.sh
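Review bot: The signature is fetched from `http://openssl.org/source/…` with `curl -O` and no `-L`, while the tarball two lines above comes from `https://www.openssl.org/source/…`; if the plain-HTTP host answers with a redirect, `-O` saves the redirect body as the `.asc` and every run ends in the `else` branch with the "Have you imported an OpenSSL public key?" hint, which points at the wrong cause. Fetching the `.asc` from the same origin with the same options removes both the inconsistency and that failure mode: `curl -O "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz.asc" --retry 5`. Signature integrity itself comes from the GPG check, so the transport change is about robustness and consistency rather than the trust decision.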
@@ -1,10 +1,34 @@
 #!/bin/bash
 set -e
 
+VERIFYGPG=true
+
 # Download source
 if [ ! -e "tor-${TOR_VERSION}.tar.gz" ]; then
 curl -O "https://dist.torproject.org/tor-${TOR_VERSION}.tar.gz" --retry 5
 fi
 
+# Download GPG signature
+if [ ! -e "tor-${TOR_VERSION}.tar.gz.asc" ]; then
+ curl -LO "https://dist.torproject.org/tor-${TOR_VERSION}.tar.gz.asc" --retry 5
+fi
+
+# Verify signature
+if $VERIFYGPG; then
+ if out=$(gpg --status-fd 1 --verify "tor-${TOR_VERSION}.tar.gz.asc" "tor-${TOR_VERSION}.tar.gz" 2>/dev/null)
+    echo "$out" | grep -qs "^\[GNUPG:\] VALIDSIG"; then
+ echo "$out" | egrep "GOODSIG|VALIDSIG"
+ echo "Verified Tor GPG signature..."
+ elif echo "$out" | grep -qs "^\[GNUPG:\] BADSIG"; then
+ echo "$out" >&2
+ echo "Invalid signature for Tor package!"
+ echo "It might be time to freak out!"
+ exit 1
+ else
+ echo "Couldn't verify Tor package signature."
+ echo "Have you imported a Tor public key?"
+ exit 1
+ fi
+fi
 # Extract source
 rm -rf "tor-${TOR_VERSION}"