
dscverify, program to check PGP/MD5 from .dsc file



Here's what I use to verify that files I download from Incoming are
valid.  You give it .dsc files as args and it checks the PGP signature
against the Debian keyring, then verifies the MD5 sums of the files
against those in the .dsc file.

#!/bin/sh

# $Id: dscverify,v 1.1 1998-12-09 00:31:55-05 roderick Exp $
#
# Roderick Schertler <roderick@argon.org>

# This program takes .dsc files as arguments and verifies that they're
# properly signed by a Debian developer, and that the local copies of
# the files mentioned in them match the MD5 sums given in the file.

# Copyright (C) 1998 Roderick Schertler
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# For a copy of the GNU General Public License write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

script=`basename "$0"`
exit=0
warn()	{ echo "$script:" "$@" >&2; exit=1; }
die()	{ warn "$@"; exit $exit; }

[ $# = 0 ] && die "no .dsc files specified"

pubring=
for file in \
    	~maor/dinstall/debian-keyring.pgp \
	/usr/share/keyrings/debian-keyring.pgp
do
    [ -f "$file" ] && { pubring=$file; break; }
done
[ -n "$pubring" ] || die "can't find debian-keyring.pgp"

tmp=`tempfile` || die "return $? from tempfile"
stderr=`tempfile` || die "return $? from tempfile"

for file
do
    pgp +pubring="$pubring" -f <"$file" >"$tmp" 2>"$stderr" || {
    	warn "return $? from pgp for $file"
	continue
    }

    grep '^File has signature.' $stderr >/dev/null || {
    	warn "no signature in $file"
	continue
    }

    grep '^Good signature from user' $stderr || {
    	warn "invalid signature in $file"
	continue
    }

    perl -we '
    	$on = $any = 0;
    	while (<>) {
	    chomp;
	    if (/^Files:/) {
	    	$on = 1;
	    }
	    elsif (/^$/ || /^\S/) {
	    	$on = 0;
	    }
	    elsif ($on) {
	    	$any = 1;
	    	/^\s*(\S+)\s+(\d+)\s+(\S+)\s*$/
		    or die qq/Invalid file line "$_"\n/;
		my ($md5, $size, $file) = ($1, $2, $3);
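		length($md5) == 32 or die qq/Invalid MD5 hash "$md5"\n/;
		# The name is interpolated into a shell command below, so
		# accept only characters valid in Debian source file names.
		$file =~ /^[\w.+~-]+$/ or die qq/Unsafe file name "$file"\n/;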
		print "validating $file\n";
		defined($this_size = -s $file)
		    or die "Can'\''t stat $file: $!\n";
		$this_size == $size
		    or die "Invalid file length for $file (wanted $size)\n";
		chomp($output = `md5sum < $file`);
		$? and die "Return $? from md5 for $file\n";
		# Some md5sum versions print "hash  -" for stdin; keep the hash.
		$output =~ s/\s.*//;
		$output eq $md5
		    or die "MD5 mismatch for $file ($md5 vs $output)\n";
	    }
    	}
	$any or die "Did not see any files\n"' $tmp || {
	warn "return $? from perl"
	continue
    }
done

rm $tmp $stderr || warn "return $? removing $tmp and $stderr"
exit $exit

-- 
Roderick Schertler
roderick@argon.org
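
The Files: check from the script above, as an added example that is not part of the original post: a pure-shell version that never passes a file name through a second shell and reports each entry's status. The function name check_dsc_files, the status strings and the sample file names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not part of dscverify. Assumes $1 is the .dsc body that
# pgp already wrote out after a good signature, and $2 the download dir.
check_dsc_files() {
    dsc=$1 dir=$2 in_files=0 seen=0 rc=0
    while IFS= read -r line; do
        case $line in
            Files:*) in_files=1; continue ;;
            ' '*) ;;                        # continuation line of a field
            *) in_files=0; continue ;;      # blank line or another field
        esac
        [ "$in_files" = 1 ] || continue
        seen=1
        set -f; set -- $line; set +f        # split on blanks, no globbing
        md5=$1 size=$2 name=$3
        case $md5 in *[!0-9a-f]*) md5= ;; esac
        case $size in *[!0-9]*) size= ;; esac
        if [ $# != 3 ] || [ ${#md5} != 32 ] || [ -z "$size" ]; then
            echo "bad entry: $line"; rc=1; continue
        fi
        # The name must stay inside $dir and must not look like an option.
        case $name in
            */*|.*|-*) echo "unsafe name: $name"; rc=1; continue ;;
        esac
        [ -f "$dir/$name" ] || { echo "missing: $name"; rc=1; continue; }
        have=$(( $(wc -c <"$dir/$name") ))
        [ "$have" -eq "$size" ] || { echo "size mismatch: $name"; rc=1; continue; }
        # Accept both "hash" and "hash  -" output formats from md5sum.
        got=$(md5sum <"$dir/$name" | cut -d' ' -f1)
        [ "$got" = "$md5" ] || { echo "md5 mismatch: $name"; rc=1; continue; }
        echo "ok: $name"
    done <"$dsc"
    [ "$seen" = 1 ] || { echo "no files listed"; rc=1; }
    return $rc
}

# Constructed sample input: two local files and a matching Files: stanza.
demo=$(mktemp -d)
printf 'abc'     >"$demo/hello_1.0.orig.tar.gz"
printf 'hello\n' >"$demo/hello_1.0-1.diff.gz"
cat >"$demo/body" <<'EOF'
Source: hello
Version: 1.0-1
Files:
 900150983cd24fb0d6963f7d28e17f72 3 hello_1.0.orig.tar.gz
 b1946ac92492d2347c6235b8d2611184 6 hello_1.0-1.diff.gz
EOF
check_dsc_files "$demo/body" "$demo" && echo "all files match"
rm -rf "$demo"
```

Unlike the perl loop, this keeps going after a failed entry, so one run lists every file that is missing or altered.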

