Verify GPG signatures for OpenSSL / libevent / tor

scripts/build-libevent.sh

@@ -1,10 +1,35 @@
 #!/bin/bash
 set -e
 
+VERIFYGPG=true
+
 if [ ! -e "libevent-${LIBEVENT_VERSION}.tar.gz" ]; then
 	curl -LO "https://github.com/downloads/libevent/libevent/libevent-${LIBEVENT_VERSION}.tar.gz"  --retry 5
 fi
 
+# Download GPG signature
+if [ ! -e "libevent-${OPENSSL_VERSION}.tar.gz.asc" ]; then
+  curl -LO "https://github.com/downloads/libevent/libevent/libevent-${LIBEVENT_VERSION}.tar.gz.asc" --retry 5
+fi
+
+# Verify signature
+if $VERIFYGPG; then
+  if out=$(gpg --status-fd 1 --verify "libevent-${LIBEVENT_VERSION}.tar.gz.asc" "libevent-${LIBEVENT_VERSION}.tar.gz" 2>/dev/null)
+    echo "$out" | grep -qs "^\[GNUPG:\] VALIDSIG"; then
+      echo "$out" | egrep "GOODSIG|VALIDSIG"
+      echo "Verified libevent GPG signature..."
+    elif echo "$out" | grep -qs "^\[GNUPG:\] BADSIG"; then
+      echo "$out" >&2
+      echo "Invalid signature for libevent!"
+      echo "It might be time to freak out!"
+      exit 1
+    else
+      echo "Couldn't verify libevent signature."
+      echo "Have you imported a libevent public key?"
+      exit 1
+  fi
+fi
+
 # Extract source
 rm -rf "libevent-${LIBEVENT_VERSION}"
 tar zxf "libevent-${LIBEVENT_VERSION}.tar.gz"

scripts/build-openssl.sh

@@ -1,11 +1,36 @@
 #!/bin/bash
 set -e
 
+VERIFYGPG=true
+
 # Download source
 if [ ! -e "openssl-${OPENSSL_VERSION}.tar.gz" ]; then
   curl -O "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz"  --retry 5
 fi
 
+# Download GPG signature
+if [ ! -e "openssl-${OPENSSL_VERSION}.tar.gz.asc" ]; then
+  curl -O "http://openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz.asc" --retry 5
+fi
+
+# Verify signature
+if $VERIFYGPG; then
+  if out=$(gpg --status-fd 1 --verify "openssl-${OPENSSL_VERSION}.tar.gz.asc" "openssl-${OPENSSL_VERSION}.tar.gz" 2>/dev/null)
+    echo "$out" | grep -qs "^\[GNUPG:\] VALIDSIG"; then
+      echo "$out" | egrep "GOODSIG|VALIDSIG"
+      echo "Verified OpenSSL GPG signature..."
+    elif echo "$out" | grep -qs "^\[GNUPG:\] BADSIG"; then
+      echo "$out" >&2
+      echo "Invalid signature for OpenSSL!"
+      echo "It might be time to freak out!"
+      exit 1
+    else
+      echo "Couldn't verify OpenSSL signature."
+      echo "Have you imported an OpenSSL public key?"
+      exit 1
+  fi
+fi
+
 # Extract source
 rm -rf "openssl-${OPENSSL_VERSION}"
 tar zxf "openssl-${OPENSSL_VERSION}.tar.gz"

scripts/build-tor.sh

@@ -1,10 +1,34 @@
 #!/bin/bash
 set -e
 
+VERIFYGPG=true
+
 # Download source
 if [ ! -e "tor-${TOR_VERSION}.tar.gz" ]; then
   curl -O "https://dist.torproject.org/tor-${TOR_VERSION}.tar.gz" --retry 5
 fi
+# Download GPG signature
+if [ ! -e "tor-${TOR_VERSION}.tar.gz.asc" ]; then
+  curl -LO "https://dist.torproject.org/tor-${TOR_VERSION}.tar.gz.asc" --retry 5
+fi
+
+# Verify signature
+if $VERIFYGPG; then
+  if out=$(gpg --status-fd 1 --verify "tor-${TOR_VERSION}.tar.gz.asc" "tor-${TOR_VERSION}.tar.gz" 2>/dev/null)
+    echo "$out" | grep -qs "^\[GNUPG:\] VALIDSIG"; then
+      echo "$out" | egrep "GOODSIG|VALIDSIG"
+      echo "Verified Tor GPG signature..."
+    elif echo "$out" | grep -qs "^\[GNUPG:\] BADSIG"; then
+      echo "$out" >&2
+      echo "Invalid signature for Tor package!"
+      echo "It might be time to freak out!"
+      exit 1
+    else
+      echo "Couldn't verify Tor package signature."
+      echo "Have you imported a Tor public key?"
+      exit 1
+  fi
+fi
 
 # Extract source
 rm -rf "tor-${TOR_VERSION}"