[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[or-cvs] [tor/master] Add a make-signature.sh script.
commit 6ccb16438ad611b41bbb7f3faab0f7726b364d93
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date: Sat Jan 15 15:00:41 2011 -0500
Add a make-signature.sh script.
---
contrib/make-signature.sh | 77 +++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 77 insertions(+), 0 deletions(-)
diff --git a/contrib/make-signature.sh b/contrib/make-signature.sh
new file mode 100755
index 0000000..a0edb67
--- /dev/null
+++ b/contrib/make-signature.sh
@@ -0,0 +1,77 @@
+#!/bin/sh
+
+if test "$1" = "" ; then
+ echo "I need a package as an argument."
+ exit 1
+fi
+
+PACKAGEFILE=$1
+
+if test ! -f "$PACKAGEFILE" ; then
+ echo "$PACKAGEFILE is not a file."
+ exit 1
+fi
+
+DIGESTNAME=sha256
+DIGESTOUTPUT=`gpg --print-md $DIGESTNAME $PACKAGEFILE`
+
+RAWDIGEST=`gpg --print-md $DIGESTNAME $PACKAGEFILE | sed -e 's/^[^ ]*: //' `
+
+# These regexes are a little fragile, but I think they work for us.
+VERSION=`echo $PACKAGEFILE | sed -e 's/^[a-z\-]*//' -e 's/\.[\.a-z]*$//' `
+PACKAGE=`echo $PACKAGEFILE | sed -e 's/-[0-9].*//'`
+SIGFILE_UNSIGNED="$PACKAGE-$VERSION-signature"
+SIGNATUREFILE="$SIGFILE_UNSIGNED.asc"
+
+cat >$SIGFILE_UNSIGNED <<EOF
+This is the signature file for "$PACKAGEFILE",
+which contains version "$VERSION" of "$PACKAGE".
+
+Here's how to check this signature.
+
+1) Make sure that this is really a signature file, and not a forgery,
+ with:
+
+ "gpg --verify $SIGNATUREFILE"
+
+ The key should be one of the keys that signs the Tor release; the
+ official Tor website has more information on those.
+
+ If this step fails, then either you are missing the correct key, or
+ this signature file was not really signed by a Tor packager.
+ Beware!
+
+2) Make sure that the package you wanted is indeed "$PACKAGE", and that
+ its version you wanted is indeed "$VERSION". If you wanted a
+ different package, or a different version, this signature file is
+ not the right one!
+
+3) Now that you're sure you have the right signature file, make sure
+ that you got the right package. Check its $DIGESTNAME digest with
+
+ "gpg --print-md $DIGESTNAME $PACKAGEFILE"
+
+ The output should match this, exactly:
+
+$DIGESTOUTPUT
+
+ Make sure that every part of the output matches: don't just check the
+ first few characters. If the digest does not match, you do not have
+ the right package file. It could even be a forgery.
+
+Frequentlty asked questions:
+
+Q: Why not just sign the package file, like you used to do?
+A: GPG signatures authenticate file contents, but not file names. If
+ somebody gave you a renamed file with a matching renamed signature
+ file, the signature would still be given as "valid".
+
+--
+FILENAME: $PACKAGEFILE
+PACKAGE: $PACKAGE
+VERSION: $VERSION
+DIGESTALG: $DIGESTNAME
+DIGEST: $RAWDIGEST
+EOF
+
+gpg --clearsign $SIGFILE_UNSIGNED