From 33e980e114d05b9db4e817373a0076f33d5f7656 Mon Sep 17 00:00:00 2001
From: Reinhard Pointner
Date: Thu, 13 Apr 2017 17:54:09 +0800
Subject: [PATCH] Sign and verify new release jars with GnuPG
---
build.xml | 2 +-
installer/portable/filebot.pub | 29 ++++++++++++++++++
installer/portable/filebot.sh | 0
installer/portable/install-filebot.sh | 0
installer/portable/update-filebot.sh | 43 ++++++++++++++++-----------
5 files changed, 56 insertions(+), 18 deletions(-)
create mode 100644 installer/portable/filebot.pub
mode change 100644 => 100755 installer/portable/filebot.sh
mode change 100644 => 100755 installer/portable/install-filebot.sh
mode change 100644 => 100755 installer/portable/update-filebot.sh
diff --git a/build.xml b/build.xml
index bc0b0d49..0706a637 100644
--- a/build.xml
+++ b/build.xml
@@ -648,7 +648,7 @@ - +
diff --git a/installer/portable/filebot.pub b/installer/portable/filebot.pub
new file mode 100644
index 00000000..b6355b02
--- /dev/null
+++ b/installer/portable/filebot.pub
@@ -0,0 +1,29 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFjvJR4BEACtnzG7X9KXJ/aveDFDG6RS+jN0v+02REaem2KG5Wgp8M5EYrH6 +mh4+Z0VABwxsu78x9LoLfM5oCBimciP4dYi9NpHgz9dGDW158mtNbiV4YWBnUVPC +tdUyR4JXbeSuJCj67Ef9ReInqyoQu5y2RPdhIdZwdrllurrbOAiO+l4fOq1e30da +WqYMsl7mtv+e8ns+Esmu/ogXv003vzQZMeuR+KtdME5y+dkfiIUE4t4fDtPlPdbb +fn9l6ScwltfrnC6FL8wtrBIgFsZ+oZFv4D82qPMawYUNLZ0RARLcLAhYiyWKhqVb +/19UItpgA5lrzBNPZgYmlbZNdoBPvnqomteCQfRQCtKbjjQv27yheJQDzeM3jIxQ +cnlcnR2sD2nOc9zU+HkGsAHtpAYf0xeKZHme/A1es84vyT+Dvjm785JhLTkYZ30/ +lI3CpILBptfggS+T5Xy1rmMmeoTH6/qxKVc0bxjkYRIUkYqUFKAw7ZIUAv+guBmf +HjjvOs+LZfU1jfIrx3l3h2OJD7LaCXfeT4CRJWsLXnpsaMBIbyIMk0EAyvFGFX3h +Bsbc+RHVmXMqOM7BGdfsa/zLZKpXQEk7/nBxjGx5xFuqNnG2jY/SkcXpcQUgTBGH +vBjpigavLB/EehT12FE+lw6XmvLIdz9XWP7vhMC80fDXzZrJFmbMKFujXQARAQAB +tCdSZWluaGFyZCBQb2ludG5lciA8cmVkbm9haEBmaWxlYm90Lm5ldD6JAk4EEwEI +ADgWIQSwl25R5cBHrQ/QUSlOQC6/fDxqcQUCWO8lHgIbAwULCQgHAgYVCAkKCwIE +FgIDAQIeAQIXgAAKCRBOQC6/fDxqcbr0EACSWs8AQkvN1RP1AZlhO8l6IXYTTKMF +Se4OtiJyvvo07cAE5bkhCNppjwZ0L5ryZkJKJOjk9vO0OSUPdrZJVbuiHAXt7afX +1AKfrAdwgBKRyYq6yoVm4/vHCcTx92ZWssrtHTJ5RKGhkCkbIZOuMfEpFqYieZ9C +rsI00pe9t05yUnRQ8Bv06S39d5g8OO8ty+KifYTJ6NtkqrJY3TKGNI5fZn4+LZfn +tHEBe6LOhZoVYu8gS3cgNKCP1JNwy1ZOsAhdFfYuZNYe8ZhwspRXxUFIgwaYc33V +D7YMjUi2Y/y4SbPttL4nLwjy1+rK5xF8Av6kScWVA4DTTgjAAn/EvJHpwxVlL/6X +4gfog2Cyyzp43WJxF7N/EDsaSoVjGdLrXmVPW6SPO2PVonYomDzFuKYXub50xehS +cWhCjQH6mCoiIMbXw1s9uB33IOGvjmFe2e62DiaCesNitbl5VF/4d/WtoDS2nyqm +5SFDBknOn0/bNwCTTQgGwtt7Vf3Y8r2ADbah3avbQ/b+yIv46vkm702o5QfYItsA +Li4CQGMwHfrRwMmwLfQXnmahZFnDcJq0ZNXDEywX+/eKF1ilHWAPGUOnIanybmGc +3oU6ZjqpE30SUGOZcPZQpUMOPF9jXraZYrzC/lbwr+23jk+22yMpKgIOoDov/GN3 +q3l3xv1vCNF71Q== +=Kug3 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/installer/portable/filebot.sh b/installer/portable/filebot.sh old mode 100644 new mode 100755 diff --git a/installer/portable/install-filebot.sh b/installer/portable/install-filebot.sh old mode 100644 new mode 100755 
diff --git a/installer/portable/update-filebot.sh b/installer/portable/update-filebot.sh
old mode 100644
new mode 100755
index 14398975..6967bdfb
--- a/installer/portable/update-filebot.sh
+++ b/installer/portable/update-filebot.sh
@@ -21,37 +21,46 @@ APP_ROOT=`cd "$PRG_DIR" && pwd` cd "$WORKING_DIR" - # update core application files -JAR_XZ_FILE="$APP_ROOT/FileBot.jar.xz" -JAR_XZ_URL="https://sourceforge.net/projects/filebot/files/filebot/HEAD/FileBot.jar.xz" +PACKAGE_NAME="FileBot.jar.xz.gpg" +PACKAGE_FILE="$APP_ROOT/$PACKAGE_NAME" +PACKAGE_URL="https://sourceforge.net/projects/filebot/files/filebot/HEAD/$PACKAGE_NAME" # check if file has changed -JAR_XZ_SHA1_EXPECTED=`curl --retry 5 "$JAR_XZ_URL/list" | egrep -o "[a-z0-9]{40}"` -JAR_XZ_SHA1=`sha1sum $JAR_XZ_FILE | cut -d' ' -f1` +PACKAGE_SHA1_EXPECTED=`curl --retry 5 "$PACKAGE_URL/list" | egrep -o "[a-z0-9]{40}"` +PACKAGE_SHA1=`sha1sum $PACKAGE_FILE | cut -d' ' -f1` -if [ -z "$JAR_XZ_SHA1_EXPECTED" ]; then +if [ -z "$PACKAGE_SHA1_EXPECTED" ]; then echo "SHA1 hash unknown" exit 1 fi -if [ "$JAR_XZ_SHA1" == "$JAR_XZ_SHA1_EXPECTED" ]; then - echo "$JAR_XZ_FILE [SHA1: $JAR_XZ_SHA1]" +if [ "$PACKAGE_SHA1" == "$PACKAGE_SHA1_EXPECTED" ]; then + echo "$PACKAGE_FILE [SHA1: $PACKAGE_SHA1]" exit 0 fi -echo "Update $JAR_XZ_FILE" -curl -L -o "$JAR_XZ_FILE" -z "$JAR_XZ_FILE" --retry 5 "$JAR_XZ_URL" # FRS will redirect to (unsecure) HTTP download link +echo "Update $PACKAGE_FILE" +curl -L -o "$PACKAGE_FILE" -z "$PACKAGE_FILE" --retry 5 "$PACKAGE_URL" # FRS will redirect to (unsecure) HTTP download link # check if file has been corrupted (or modified) in transit -JAR_XZ_SHA1=`sha1sum $JAR_XZ_FILE | cut -d' ' -f1` -echo "$JAR_XZ_FILE [SHA1: $JAR_XZ_SHA1]" +PACKAGE_SHA1=`sha1sum $PACKAGE_FILE | cut -d' ' -f1` +echo "$PACKAGE_FILE [SHA1: $PACKAGE_SHA1]" -if [ "$JAR_XZ_SHA1" != "$JAR_XZ_SHA1_EXPECTED" ]; then - echo "SHA1 hash mismatch [SHA1: $JAR_XZ_SHA1_EXPECTED]" - rm -vf "$JAR_XZ_FILE" +if [ "$PACKAGE_SHA1" != "$PACKAGE_SHA1_EXPECTED" ]; then + echo "SHA1 hash mismatch [SHA1: $PACKAGE_SHA1_EXPECTED]" + rm -vf "$PACKAGE_FILE" exit 1 fi -# unpack new jar -xz --decompress --force --keep "$JAR_XZ_FILE" + +# initialize gpg +GPG_HOME="$APP_ROOT/.gpg" 
+JAR_XZ_FILE="$APP_ROOT/FileBot.jar.xz" + +if [ -d "$GPG_HOME" ]; then + mkdir -p -m 700 "$GPG_HOME" && gpg --homedir "$GPG_HOME" --import "$APP_ROOT/filebot.pub" +fi + +# verify signature and extract jar +gpg --batch --yes --homedir "$GPG_HOME" --trusted-key "4E402EBF7C3C6A71" --output "$JAR_XZ_FILE" --decrypt "$PACKAGE_FILE" && xz --decompress --force "$JAR_XZ_FILE"
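Review bot: The directory test guarding the key import looks inverted: `if [ -d "$GPG_HOME" ]` runs `mkdir -p -m 700` and `gpg --import` only when `.gpg` already exists, so on a first run the bundled `filebot.pub` is never imported and the final `gpg --homedir "$GPG_HOME"` call has no keyring to check against; `if [ ! -d "$GPG_HOME" ]; then` is presumably what was meant. Separately, the last line treats the exit status of `gpg --decrypt` as the verification result, but that status says the input could be processed, not that it carried a good signature from key `4E402EBF7C3C6A71`. Reading `--status-fd` output and requiring a `VALIDSIG` line for the expected fingerprint before `xz` runs would make the check explicit. gpg may also leave the `--output` file behind when the check fails, so writing to a temporary name and moving it to `$JAR_XZ_FILE` only after success would avoid a stale unverified `FileBot.jar.xz` in `$APP_ROOT`.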