Ticket #2340: make-signature.sh

File make-signature.sh, 2.1 KB (added by nickm, 9 years ago)

Quick script to make signed documents that tell you the right digest and file

#!/bin/sh
# Build a clearsigned "signature file" for a release package. The signed text
# names the package and version and carries the package's digest, so a
# verifier checks the file name as well as the contents (see the FAQ below).

if test -z "$1" ; then
    echo "I need a package as an argument." >&2
    exit 1
fi

PACKAGEFILE=$1

if test ! -f "$PACKAGEFILE" ; then
    echo "$PACKAGEFILE is not a file." >&2
    exit 1
fi

DIGESTNAME=sha256
# Fail early rather than write a signature file with an empty digest.
DIGESTOUTPUT=$(gpg --print-md "$DIGESTNAME" "$PACKAGEFILE") || exit 1

# These regexes are a little fragile, but I think they work for us.
# e.g. name-1.2.3.tar.gz -> VERSION=1.2.3, PACKAGE=name
VERSION=$(echo "$PACKAGEFILE" | sed -e 's/^[a-z-]*//' -e 's/\.[.a-z]*$//')
PACKAGE=$(echo "$PACKAGEFILE" | sed -e 's/-[0-9].*//')
SIGFILE_UNSIGNED="$PACKAGE-$VERSION-signature"
SIGNATUREFILE="$SIGFILE_UNSIGNED.asc"

# Unquoted EOF: the $VARIABLES below are expanded into the signed text.
cat >"$SIGFILE_UNSIGNED" <<EOF
This is the signature file for "$PACKAGEFILE",
which contains version "$VERSION" of "$PACKAGE".

Here's how to check this signature.

1) Make sure that this is really a signature file, and not a forgery,
   with:

     "gpg --verify $SIGNATUREFILE"

   The key should be one of the keys that sign the Tor release; the
   official Tor website has more information on those.

   If this step fails, then either you are missing the correct key, or
   this signature file was not really signed by a Tor packager.
   Beware!

2) Make sure that the package you wanted is indeed "$PACKAGE", and that
   its version you wanted is indeed "$VERSION".  If you wanted a
   different package, or a different version, this signature file is
   not the right one!

3) Now that you're sure you have the right signature file, make sure
   that you got the right package.  Check its $DIGESTNAME digest with

     "gpg --print-md $DIGESTNAME $PACKAGEFILE"

   The output should match this, exactly:

$DIGESTOUTPUT

   Make sure that every part of the output matches: don't just check the
   first few characters.  If the digest does not match, you do not have
   the right package file.  It could even be a forgery.

Frequently asked questions:

Q: Why not just sign the package file, like you used to do?
A: GPG signatures authenticate file contents, but not file names.  If
   somebody gave you a renamed file with a matching renamed signature
   file, the signature would still be given as "valid".
EOF

# Writes $SIGNATUREFILE (the .asc) next to the unsigned text.
gpg --clearsign "$SIGFILE_UNSIGNED"
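The verifier's side of the format this script writes, as an added example that is not part of the ticket's attachment: after `gpg --verify` has accepted the clearsigned wrapper, it checks the two things the signed text binds, the package file name and the complete SHA-256 digest, which is exactly the check the FAQ says a bare detached signature cannot do. It assumes the signed text keeps the layout make-signature.sh produces, that `sha256sum` (or `shasum`) is installed, and the package `example-1.0.tar.gz`, its contents and its signature text are constructed sample data, not a real release.

```shell
#!/bin/sh
# Added example: check a package against the signed text produced by
# make-signature.sh. Run gpg --verify on the .asc first; this script only
# does the name and digest comparison that follows a successful verify.

# Expected digest from the signed text: the lines between
# "The output should match this, exactly:" and the next blank line, as
# printed by `gpg --print-md sha256` (a "name: 5891 B5B5 ..." line, wrapped
# onto a continuation line). Output: 64 lowercase hex chars, no spaces.
expected_digest() {
    awk '
        /The output should match this, exactly:/ { grab = 1; next }
        grab && /^[[:space:]]*$/ { if (found) exit; next }
        grab { found = 1; sub(/^[^:]*:/, ""); printf "%s", $0 }
    ' "$1" | tr -d ' \t' | tr 'A-F' 'a-f'
}

# File name the signed text says it covers (from its first text line).
expected_name() {
    sed -n 's/^This is the signature file for "\([^"]*\)",$/\1/p' "$1" | head -n 1
}

# SHA-256 of the package actually on disk, lowercase hex.
actual_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# Returns 0 only if both the file name and the full digest match;
# 1 on a name mismatch (a renamed file), 2 on a digest mismatch.
check_package() {
    sigtext=$1
    pkg=$2
    want_name=$(expected_name "$sigtext")
    have_name=$(basename "$pkg")
    if [ "$want_name" != "$have_name" ]; then
        echo "name mismatch: signed text covers '$want_name', you have '$have_name'" >&2
        return 1
    fi
    want=$(expected_digest "$sigtext")
    have=$(actual_digest "$pkg")
    if [ -z "$want" ] || [ "$want" != "$have" ]; then
        echo "digest mismatch for $pkg" >&2
        return 2
    fi
    echo "OK: $pkg is the file the signed text describes"
    return 0
}

# Constructed sample: a fake "package" whose contents are "hello\n" and a
# signed text in make-signature.sh's layout carrying sha256("hello\n") in
# gpg --print-md's grouped, wrapped format. Not a real release.
make_sample() {
    dir=$1
    printf 'hello\n' > "$dir/example-1.0.tar.gz"
    cat > "$dir/example-1.0-signature" <<'EOF'
This is the signature file for "example-1.0.tar.gz",
which contains version "1.0" of "example".

   The output should match this, exactly:

example-1.0.tar.gz: 5891 B5B5 22D5 DF08 6D0F F0B1 10FB D9D2 1BB4 FC71 63AF 34D0
                    8286 A2E8 46F6 BE03

   Make sure that every part of the output matches: don't just check the
EOF
}

# Stand-alone use: sh check-sigfile.sh SIGNED_TEXT PACKAGE. With no
# arguments, run against the constructed sample instead.
if [ $# -eq 2 ]; then
    check_package "$1" "$2"
    exit $?
fi
demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/sigcheck.XXXXXX")
make_sample "$demo_dir"
check_package "$demo_dir/example-1.0-signature" "$demo_dir/example-1.0.tar.gz"
rm -rf "$demo_dir"
```

The name check is what closes the gap the FAQ describes: a renamed package with a renamed signature file still verifies under gpg, but fails here because the signed text names the file it was made for.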