You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@logging.apache.org by vy...@apache.org on 2021/12/30 08:39:40 UTC
[logging-log4j2] branch release-2.x updated: Add script for verifying release signatures and hashes.
This is an automated email from the ASF dual-hosted git repository.
vy pushed a commit to branch release-2.x
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
The following commit(s) were added to refs/heads/release-2.x by this push:
new 8c1ea14 Add script for verifying release signatures and hashes.
8c1ea14 is described below
commit 8c1ea147ae157bd7465a5370a17cd576058a4c37
Author: Volkan Yazici <vo...@yazi.ci>
AuthorDate: Thu Dec 30 09:35:51 2021 +0100
Add script for verifying release signatures and hashes.
---
.gitignore | 1 -
bin/verify-release-artifacts.sh | 134 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 134 insertions(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index 0873ed9..8208867 100644
--- a/.gitignore
+++ b/.gitignore
@@ -26,6 +26,5 @@ target/
.factorypath
velocity.log
felix-cache/
-bin/
/.metadata/
.DS_Store
diff --git a/bin/verify-release-artifacts.sh b/bin/verify-release-artifacts.sh
new file mode 100755
index 0000000..64e992c
--- /dev/null
+++ b/bin/verify-release-artifacts.sh
@@ -0,0 +1,134 @@
+#!/bin/bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+set -euo pipefail
+IFS=$'\n\t'
+
+help() {
+ cat <<EOF
+This shell script downloads release artifacts and verifies their
+signatures and hashes.
+
+Usage: $0 [-h] [-t] [-p <work_dir>]
+
+-h Shows this help menu.
+-t Creates a temporary working directory, performs the
+ download and verification, deletes the directory at
+ exit.
+-p <work_dir> Uses the provided permanent directory to download the
+ artifacts and verify them.
+EOF
+}
+
+fail_due_to_invalid_arguments() {
+ echo "Invalid arguments."
+ echo
+ help
+ exit 1
+}
+
+# Determine the working directory.
+if [ "$#" -eq 0 ]; then
+ fail_due_to_invalid_arguments
+elif [ "$#" -eq 1 ] && [ "$1" == "-h" ]; then
+ help
+ exit 0
+elif [ "$#" -eq 1 ] && [ "$1" == "-t" ]; then
+ work_dir="$(mktemp -d)"
+ trap 'rm -rf -- "$work_dir"' EXIT
+ echo "Using temporary working directory: $work_dir"
+elif [ "$#" -eq 2 ] && [ "$1" == "-p" ]; then
+ work_dir="$2"
+ echo "Using permanent working directory: $work_dir"
+else
+ fail_due_to_invalid_arguments
+fi
+cd "$work_dir"
+
+# Download and import GPG keys.
+echo "Downloading GPG keys..."
+wget \
+ --quiet \
+ --timestamping \
+ https://dist.apache.org/repos/dist/release/logging/KEYS
+echo "Importing GPG keys..."
+gpg --quiet --import KEYS
+
+# Download artifacts.
+echo "Downloading release artifacts..."
+wget \
+ --quiet \
+ --execute robots=off \
+ --timestamping \
+ --cut-dirs=7 \
+ --no-host-directories \
+ --recursive \
+ --page-requisites \
+ --no-parent \
+ --no-check-certificate \
+ https://dist.apache.org/repos/dist/dev/logging/log4j/
+
+# Exit code utilities.
+function set_exit_code() { echo "$1" >.exit_code; }
+function get_exit_code() { [ -e .exit_code ] && head -n1 .exit_code || echo 0; }
+
+# Reset the exit code.
+set_exit_code 0
+
+# Check signatures.
+echo "Checking signatures..."
+asc_file_count=0
+while read -r asc_file; do
+ gpg --verify "$asc_file" 2>&1 | grep -q "Good sig" || {
+ echo "Signature could not be verified: $asc_file"
+ set_exit_code 1
+ }
+ (( asc_file_count+=1 ))
+done <<< "$(find . -type f -name "*.asc")"
+echo "Checked signature file count: $asc_file_count"
+
+# Check hashes.
+echo "Checking hashes..."
+sha_file_count=0
+for sha_alg in 256 512; do
+ while read -r sha_file; do
+ # Due to a Maven plugin mishap, some of the generated hash files do not contain the filename in the 2nd column.
+ # This breaks `shasum --check` operation.
+ # Hence here we check hashes manually.
+ expected_hash="$(head -n1 "$sha_file" | cut -d' ' -f1)"
+ org_file="${sha_file%.sha$sha_alg}"
+ actual_hash="$(shasum --algorithm $sha_alg "$org_file" | head -n1 | cut -d' ' -f1)"
+ if [ "$expected_hash" != "$actual_hash" ]; then
+ echo "Hash could not be verified: $sha_file"
+ set_exit_code 1
+ fi
+ (( sha_file_count+=1 ))
+ done <<< "$(find . -type f -name "*.sha$sha_alg")"
+done
+echo "Checked hash file count: $sha_file_count"
+
+# Exit with the set code.
+exit_code="$(get_exit_code)"
+if [ "$exit_code" -eq 0 ]; then
+ echo "All checks are succeeded."
+else
+ echo "Some checks were failed!"
+ exit "$exit_code"
+fi