Sign and verify new release jars with GnuPG
parent
c580c95c73
commit
33e980e114
|
@ -648,7 +648,7 @@
|
|||
<target name="portable" description="Build portable package" depends="revision">
|
||||
<tar destfile="${dir.dist}/${release}-portable.tar.xz" compression="xz" longfile="posix" encoding="utf-8">
|
||||
<tarfileset file="${path.fatjar}" fullpath="FileBot.jar" />
|
||||
<tarfileset dir="${dir.installer}/portable" includes="*.exe, *.ini, *.cmd" />
|
||||
<tarfileset dir="${dir.installer}/portable" includes="*.exe, *.ini, *.cmd, *.pub" />
|
||||
<tarfileset dir="${dir.installer}/portable" includes="*.sh" filemode="755" />
|
||||
|
||||
<!-- include native libraries for all supported platforms -->
|
||||
|
|
|
@ -0,0 +1,29 @@
|
|||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
mQINBFjvJR4BEACtnzG7X9KXJ/aveDFDG6RS+jN0v+02REaem2KG5Wgp8M5EYrH6
|
||||
mh4+Z0VABwxsu78x9LoLfM5oCBimciP4dYi9NpHgz9dGDW158mtNbiV4YWBnUVPC
|
||||
tdUyR4JXbeSuJCj67Ef9ReInqyoQu5y2RPdhIdZwdrllurrbOAiO+l4fOq1e30da
|
||||
WqYMsl7mtv+e8ns+Esmu/ogXv003vzQZMeuR+KtdME5y+dkfiIUE4t4fDtPlPdbb
|
||||
fn9l6ScwltfrnC6FL8wtrBIgFsZ+oZFv4D82qPMawYUNLZ0RARLcLAhYiyWKhqVb
|
||||
/19UItpgA5lrzBNPZgYmlbZNdoBPvnqomteCQfRQCtKbjjQv27yheJQDzeM3jIxQ
|
||||
cnlcnR2sD2nOc9zU+HkGsAHtpAYf0xeKZHme/A1es84vyT+Dvjm785JhLTkYZ30/
|
||||
lI3CpILBptfggS+T5Xy1rmMmeoTH6/qxKVc0bxjkYRIUkYqUFKAw7ZIUAv+guBmf
|
||||
HjjvOs+LZfU1jfIrx3l3h2OJD7LaCXfeT4CRJWsLXnpsaMBIbyIMk0EAyvFGFX3h
|
||||
Bsbc+RHVmXMqOM7BGdfsa/zLZKpXQEk7/nBxjGx5xFuqNnG2jY/SkcXpcQUgTBGH
|
||||
vBjpigavLB/EehT12FE+lw6XmvLIdz9XWP7vhMC80fDXzZrJFmbMKFujXQARAQAB
|
||||
tCdSZWluaGFyZCBQb2ludG5lciA8cmVkbm9haEBmaWxlYm90Lm5ldD6JAk4EEwEI
|
||||
ADgWIQSwl25R5cBHrQ/QUSlOQC6/fDxqcQUCWO8lHgIbAwULCQgHAgYVCAkKCwIE
|
||||
FgIDAQIeAQIXgAAKCRBOQC6/fDxqcbr0EACSWs8AQkvN1RP1AZlhO8l6IXYTTKMF
|
||||
Se4OtiJyvvo07cAE5bkhCNppjwZ0L5ryZkJKJOjk9vO0OSUPdrZJVbuiHAXt7afX
|
||||
1AKfrAdwgBKRyYq6yoVm4/vHCcTx92ZWssrtHTJ5RKGhkCkbIZOuMfEpFqYieZ9C
|
||||
rsI00pe9t05yUnRQ8Bv06S39d5g8OO8ty+KifYTJ6NtkqrJY3TKGNI5fZn4+LZfn
|
||||
tHEBe6LOhZoVYu8gS3cgNKCP1JNwy1ZOsAhdFfYuZNYe8ZhwspRXxUFIgwaYc33V
|
||||
D7YMjUi2Y/y4SbPttL4nLwjy1+rK5xF8Av6kScWVA4DTTgjAAn/EvJHpwxVlL/6X
|
||||
4gfog2Cyyzp43WJxF7N/EDsaSoVjGdLrXmVPW6SPO2PVonYomDzFuKYXub50xehS
|
||||
cWhCjQH6mCoiIMbXw1s9uB33IOGvjmFe2e62DiaCesNitbl5VF/4d/WtoDS2nyqm
|
||||
5SFDBknOn0/bNwCTTQgGwtt7Vf3Y8r2ADbah3avbQ/b+yIv46vkm702o5QfYItsA
|
||||
Li4CQGMwHfrRwMmwLfQXnmahZFnDcJq0ZNXDEywX+/eKF1ilHWAPGUOnIanybmGc
|
||||
3oU6ZjqpE30SUGOZcPZQpUMOPF9jXraZYrzC/lbwr+23jk+22yMpKgIOoDov/GN3
|
||||
q3l3xv1vCNF71Q==
|
||||
=Kug3
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
|
@ -21,37 +21,46 @@ APP_ROOT=`cd "$PRG_DIR" && pwd`
|
|||
cd "$WORKING_DIR"
|
||||
|
||||
|
||||
|
||||
# update core application files
|
||||
JAR_XZ_FILE="$APP_ROOT/FileBot.jar.xz"
|
||||
JAR_XZ_URL="https://sourceforge.net/projects/filebot/files/filebot/HEAD/FileBot.jar.xz"
|
||||
PACKAGE_NAME="FileBot.jar.xz.gpg"
|
||||
PACKAGE_FILE="$APP_ROOT/$PACKAGE_NAME"
|
||||
PACKAGE_URL="https://sourceforge.net/projects/filebot/files/filebot/HEAD/$PACKAGE_NAME"
|
||||
|
||||
# check if file has changed
|
||||
JAR_XZ_SHA1_EXPECTED=`curl --retry 5 "$JAR_XZ_URL/list" | egrep -o "[a-z0-9]{40}"`
|
||||
JAR_XZ_SHA1=`sha1sum $JAR_XZ_FILE | cut -d' ' -f1`
|
||||
PACKAGE_SHA1_EXPECTED=`curl --retry 5 "$PACKAGE_URL/list" | egrep -o "[a-z0-9]{40}"`
|
||||
PACKAGE_SHA1=`sha1sum $PACKAGE_FILE | cut -d' ' -f1`
|
||||
|
||||
if [ -z "$JAR_XZ_SHA1_EXPECTED" ]; then
|
||||
if [ -z "$PACKAGE_SHA1_EXPECTED" ]; then
|
||||
echo "SHA1 hash unknown"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "$JAR_XZ_SHA1" == "$JAR_XZ_SHA1_EXPECTED" ]; then
|
||||
echo "$JAR_XZ_FILE [SHA1: $JAR_XZ_SHA1]"
|
||||
if [ "$PACKAGE_SHA1" == "$PACKAGE_SHA1_EXPECTED" ]; then
|
||||
echo "$PACKAGE_FILE [SHA1: $PACKAGE_SHA1]"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
echo "Update $JAR_XZ_FILE"
|
||||
curl -L -o "$JAR_XZ_FILE" -z "$JAR_XZ_FILE" --retry 5 "$JAR_XZ_URL" # FRS will redirect to (unsecure) HTTP download link
|
||||
echo "Update $PACKAGE_FILE"
|
||||
curl -L -o "$PACKAGE_FILE" -z "$PACKAGE_FILE" --retry 5 "$PACKAGE_URL" # FRS will redirect to (unsecure) HTTP download link
|
||||
|
||||
# check if file has been corrupted (or modified) in transit
|
||||
JAR_XZ_SHA1=`sha1sum $JAR_XZ_FILE | cut -d' ' -f1`
|
||||
echo "$JAR_XZ_FILE [SHA1: $JAR_XZ_SHA1]"
|
||||
PACKAGE_SHA1=`sha1sum $PACKAGE_FILE | cut -d' ' -f1`
|
||||
echo "$PACKAGE_FILE [SHA1: $PACKAGE_SHA1]"
|
||||
|
||||
if [ "$JAR_XZ_SHA1" != "$JAR_XZ_SHA1_EXPECTED" ]; then
|
||||
echo "SHA1 hash mismatch [SHA1: $JAR_XZ_SHA1_EXPECTED]"
|
||||
rm -vf "$JAR_XZ_FILE"
|
||||
if [ "$PACKAGE_SHA1" != "$PACKAGE_SHA1_EXPECTED" ]; then
|
||||
echo "SHA1 hash mismatch [SHA1: $PACKAGE_SHA1_EXPECTED]"
|
||||
rm -vf "$PACKAGE_FILE"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# unpack new jar
|
||||
xz --decompress --force --keep "$JAR_XZ_FILE"
|
||||
|
||||
# initialize gpg
|
||||
GPG_HOME="$APP_ROOT/.gpg"
|
||||
JAR_XZ_FILE="$APP_ROOT/FileBot.jar.xz"
|
||||
|
||||
if [ -d "$GPG_HOME" ]; then
|
||||
mkdir -p -m 700 "$GPG_HOME" && gpg --homedir "$GPG_HOME" --import "$APP_ROOT/filebot.pub"
|
||||
fi
|
||||
|
||||
# verify signature and extract jar
|
||||
gpg --batch --yes --homedir "$GPG_HOME" --trusted-key "4E402EBF7C3C6A71" --output "$JAR_XZ_FILE" --decrypt "$PACKAGE_FILE" && xz --decompress --force "$JAR_XZ_FILE"
|
||||
|
|
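Review bot: The final `gpg … --decrypt "$PACKAGE_FILE" && xz …` line treats gpg's exit status as proof of a signature, but `--decrypt` also exits 0 for an OpenPGP message that carries no signature at all, so an unsigned package would still be unpacked into the jar. Capture the `--status-fd` output and require a `VALIDSIG` line before running xz (ideally also comparing its fingerprint with the pinned key), and remove the `$JAR_XZ_FILE` that gpg has already written when the check fails. Separately, `if [ -d "$GPG_HOME" ]` looks inverted: the key is imported only when the directory already exists, so on a first run the keyring is never created; `[ ! -d "$GPG_HOME" ]` would match the `mkdir -p` that follows. The page has lost its +/- markers, so this assumes the GnuPG lines are the added side; the script's opening lines are outside the hunk.

```shell
# … unchanged: download and SHA1 check of $PACKAGE_FILE, GPG_HOME and JAR_XZ_FILE assignments …

if [ ! -d "$GPG_HOME" ]; then
	mkdir -p -m 700 "$GPG_HOME" && gpg --homedir "$GPG_HOME" --import "$APP_ROOT/filebot.pub"
fi

# verify signature and extract jar
# a message without any signature also decrypts with status 0, so require VALIDSIG explicitly
GPG_STATUS=`gpg --batch --yes --status-fd 1 --homedir "$GPG_HOME" --trusted-key "4E402EBF7C3C6A71" --output "$JAR_XZ_FILE" --decrypt "$PACKAGE_FILE"`

if ! printf '%s\n' "$GPG_STATUS" | grep -q '^\[GNUPG:\] VALIDSIG '; then
	echo "Signature verification failed"
	rm -vf "$JAR_XZ_FILE"
	exit 1
fi

xz --decompress --force "$JAR_XZ_FILE"
```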