Checking md5 sums from a script for releases

[Mike Kienenberger <mk...@gmail.com>]

I asked about this for the last release and the only comment was:

> Yeah, lately we've been using gpg for that instead of md5 command:

Is there a compelling reason to do this?   I have been unable to find
a simple scripted approach to validate an md5 signature produced by
gpg.

With a regular md5sum-produced file, I can use

find . -name '*.md5' -exec cat {} \; -printf '  %f\n' | sed
's|\.md5$||' | md5sum -c

and get a result for every file, no matter what the name.

The same exact approach works for sha1 signatures.

I haven't yet found a way to do with this gpg -print-md5 output,
although it could just be my own short-sightedness.

Re: Checking md5 sums from a script for releases

[Mike Kienenberger <mk...@gmail.com>]

Never mind -- I gave up trying to used gpg to validate the md5
signature and instead rewrote the file data so that it'd go into
md5sum:

cat *.md5 | tr -d ' ' | awk 'BEGIN{OFS=" "; FS=":"}
{tmp=$1;$1=$2;$2=tmp;print}' | md5sum -c

That's not too bad, and I can live with that.


On Sat, Sep 20, 2014 at 5:09 PM, Mike Kienenberger <mk...@gmail.com> wrote:
> I asked about this for the last release and the only comment was:
>
>> Yeah, lately we've been using gpg for that instead of md5 command:
>
> Is there a compelling reason to do this?   I have been unable to find
> a simple scripted approach to validate an md5 signature produced by
> gpg.
>
> With a regular md5sum-produced file, I can use
>
> find . -name '*.md5' -exec cat {} \; -printf '  %f\n' | sed
> 's|\.md5$||' | md5sum -c
>
> and get a result for every file, no matter what the name.
>
> The same exact approach works for sha1 signatures.
>
> I haven't yet found a way to do with this gpg -print-md5 output,
> although it could just be my own short-sightedness.