diff options
author | Robin H. Johnson <robbat2@gentoo.org> | 2023-10-08 21:42:40 -0700 |
---|---|---|
committer | Robin H. Johnson <robbat2@gentoo.org> | 2023-10-08 21:42:40 -0700 |
commit | af2705bc697575af9a0db1ede209cb9994c4da9b (patch) | |
tree | 6a6fdef2da089f6a48858efc4a859407c1b6e38e | |
parent | sign-autobuilds: tweak signing of latest*txt files, must be clearsigned-only (diff) | |
download | mastermirror-scripts-20231009T044248Z.tar.gz mastermirror-scripts-20231009T044248Z.tar.bz2 mastermirror-scripts-20231009T044248Z.zip |
verify-digests.sh: cleanup for newer systems20231009T044248Z
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
-rwxr-xr-x | verify-digests.sh | 51 |
1 files changed, 37 insertions, 14 deletions
diff --git a/verify-digests.sh b/verify-digests.sh index bd0cfa8..b5f7682 100755 --- a/verify-digests.sh +++ b/verify-digests.sh @@ -39,9 +39,11 @@ transform_digest() { | \ awk \ -e '/^# .* HASH$/{hash=$2}' \ + -e '(hash=="BLAKE2B"){hash="BLAKE2b"}' \ + -e '(hash=="BLAKE2S"){hash="BLAKE2s"}' \ -e '/^[[:xdigit:]]+[[:space:]]+.+/{if(hash != ""){printf "%s (%s) = %s\n",hash,$2,$1}}' \ - -e '/^((SHA|MD|RIPEMD)[0-9]+|WHIRLPOOL) \(.*\) = [[:xdigit:]]+/{print $0}' \ - -e '/^((SHA|MD|RIPEMD)[0-9]+|WHIRLPOOL) [[:xdigit:]]+ [^[:space:]]+$/{ printf "%s (%s) = %s\n",$1,$3,$2; }' + -e '/^([A-Z]+[0-9A-Za-z-]+) \(.*\) = [[:xdigit:]]+/{print $0}' \ + -e '/^([A-Z]+[0-9A-Za-z-]+) [[:xdigit:]]+ [^[:space:]]+$/{ printf "%s (%s) = %s\n",$1,$3,$2; }' } # Pass all directory arguments to find @@ -63,7 +65,7 @@ fi # Check if non-dir arguments were digest files or files that you want to get checked DIGESTS_ARGS2=( ) for f in "${DIGESTS_ARGS[@]}" ; do - if [[ "${f/DIGEST}" != "$f" ]] || grep -sq -m 1 -e '# MD5 HASH' -e '# SHA[0-9]\+ HASH' -e ') = [0-9a-f]\+' $f; then + if [[ "${f/DIGEST}" != "$f" ]] || grep -sq -m 1 -E -e '# ([A-Z]+[0-9A-Za-z-]+) HASH' -e ') = [0-9a-f]\+' "$f"; then DIGESTS_ARGS2+=( "$f" ) else d=$( dirname "$f" ) @@ -85,11 +87,14 @@ DIGESTS=( "${DIGESTS_ARGS2[@]}" "${DIGESTS_FIND[@]}" ) DIGESTS2="$(echo "${DIGESTS[@]}" | fmt -1 |sed '/.asc$/s/.asc$//' | sort | uniq)" DIGESTS=( ) for d in ${DIGESTS2} ; do - if [ -e "${d}" -a -e "${d}.asc" ]; then + if [[ -e "${d}" ]] && [[ -e "${d}.asc" ]]; then + # split signed DIGESTS+=( "${d}.asc" ) - elif [ ! -e "${d}" -a -e "${d}.asc" ]; then + elif [[ ! -e "${d}" ]] && [[ -e "${d}.asc" ]]; then + # cleansigned, with extension DIGESTS+=( "${d}.asc" ) - elif [ -e "${d}" -a ! -e "${d}.asc" ]; then + elif [[ -e "${d}" ]] && [[ ! -e "${d}.asc" ]]; then + # cleansigned, no extension DIGESTS+=( "${d}" ) fi done @@ -99,8 +104,8 @@ done T=$(date -u +%Y%m%dT%H%M%SZ) tmp1=$(mktemp --tmpdir) tmp2=$(mktemp --tmpdir) -failures=$(mktemp --tmpdir gentoo-failures.$T.XXXXXXXXXX) -trap 'rm -f "${tmp1}"" "${tmp2}"' SIGINT SIGTERM EXIT +failures=$(mktemp --tmpdir "gentoo-failures.$T.XXXXXXXXXX") +trap 'rm -f "${tmp1}" "${tmp2}"' SIGINT SIGTERM EXIT # Now check them failed_digests=() @@ -113,17 +118,35 @@ for d in $(echo "${DIGESTS[@]}" | fmt -1 | sort | uniq); do checked=0 found=0 # order by strength - for h in SHA512 SHA384 SHA256 SHA224 SHA1 MD5 ; do + for h in BLAKE2B SHA3-512 WHIRLPOOL SHA512 SHA384 SHA256 SHA224 ; do sleep 0.01 - [[ $found -eq 1 ]] && break + [[ "$found" -eq 1 ]] && break if [[ "${hashes/$h}" != "${hashes}" ]]; then found=1 echo "using $h" - pushd $(dirname $d) >/dev/null - cmd=$(echo ${h}sum | tr '[:upper:]' '[:lower:]') - grep "^$h " $tmp1 | ionice -c 3 --ignore ${cmd} -c - | tee "$tmp2" + pushd "$(dirname "$d")" >/dev/null + cmd=${h}sum + cmd=${cmd,,} + # Special case, the tool name is different than the hash. + case ${h,,} in + blake2b) cmd='b2sum' ;; + blake2s) cmd='b2sum' ;; + esac + # Check we have the tooling to validate + if command -v "$cmd" >/dev/null; then + : + elif command -v rhash >/dev/null ; then + cmd=rhash + else + echo "Could not find $cmd or rhash to verify ${h} hashes" 1>&2 + continue + fi + # Run the tooling now. + # TODO: if we assume rhash is available always, it could check all the hashes at once + # but that means rewriting this loop of strength-ordering + grep "^$h " "$tmp1" | ionice -c 3 --ignore "${cmd}" -c - | tee "$tmp2" rc=${PIPESTATUS[1]} - if [ $rc -ne 0 ]; then + if [ "$rc" -ne 0 ]; then failed_digests+=("$d") cat "$tmp2" >> "$failures" fi |