Sign and verify new release jars with GnuPG

Reinhard Pointner 2017-04-13 17:54:09 +08:00
parent c580c95c73
commit 33e980e114
5 changed files with 56 additions and 18 deletions


@ -648,7 +648,7 @@
<target name="portable" description="Build portable package" depends="revision">
<tar destfile="${dir.dist}/${release}-portable.tar.xz" compression="xz" longfile="posix" encoding="utf-8">
<tarfileset file="${path.fatjar}" fullpath="FileBot.jar" />
<tarfileset dir="${dir.installer}/portable" includes="*.exe, *.ini, *.cmd" />
<tarfileset dir="${dir.installer}/portable" includes="*.exe, *.ini, *.cmd, *.pub" />
<tarfileset dir="${dir.installer}/portable" includes="*.sh" filemode="755" />
<!-- include native libraries for all supported platforms -->


@ -0,0 +1,29 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFjvJR4BEACtnzG7X9KXJ/aveDFDG6RS+jN0v+02REaem2KG5Wgp8M5EYrH6
mh4+Z0VABwxsu78x9LoLfM5oCBimciP4dYi9NpHgz9dGDW158mtNbiV4YWBnUVPC
tdUyR4JXbeSuJCj67Ef9ReInqyoQu5y2RPdhIdZwdrllurrbOAiO+l4fOq1e30da
WqYMsl7mtv+e8ns+Esmu/ogXv003vzQZMeuR+KtdME5y+dkfiIUE4t4fDtPlPdbb
fn9l6ScwltfrnC6FL8wtrBIgFsZ+oZFv4D82qPMawYUNLZ0RARLcLAhYiyWKhqVb
/19UItpgA5lrzBNPZgYmlbZNdoBPvnqomteCQfRQCtKbjjQv27yheJQDzeM3jIxQ
cnlcnR2sD2nOc9zU+HkGsAHtpAYf0xeKZHme/A1es84vyT+Dvjm785JhLTkYZ30/
lI3CpILBptfggS+T5Xy1rmMmeoTH6/qxKVc0bxjkYRIUkYqUFKAw7ZIUAv+guBmf
HjjvOs+LZfU1jfIrx3l3h2OJD7LaCXfeT4CRJWsLXnpsaMBIbyIMk0EAyvFGFX3h
Bsbc+RHVmXMqOM7BGdfsa/zLZKpXQEk7/nBxjGx5xFuqNnG2jY/SkcXpcQUgTBGH
vBjpigavLB/EehT12FE+lw6XmvLIdz9XWP7vhMC80fDXzZrJFmbMKFujXQARAQAB
tCdSZWluaGFyZCBQb2ludG5lciA8cmVkbm9haEBmaWxlYm90Lm5ldD6JAk4EEwEI
ADgWIQSwl25R5cBHrQ/QUSlOQC6/fDxqcQUCWO8lHgIbAwULCQgHAgYVCAkKCwIE
FgIDAQIeAQIXgAAKCRBOQC6/fDxqcbr0EACSWs8AQkvN1RP1AZlhO8l6IXYTTKMF
Se4OtiJyvvo07cAE5bkhCNppjwZ0L5ryZkJKJOjk9vO0OSUPdrZJVbuiHAXt7afX
1AKfrAdwgBKRyYq6yoVm4/vHCcTx92ZWssrtHTJ5RKGhkCkbIZOuMfEpFqYieZ9C
rsI00pe9t05yUnRQ8Bv06S39d5g8OO8ty+KifYTJ6NtkqrJY3TKGNI5fZn4+LZfn
tHEBe6LOhZoVYu8gS3cgNKCP1JNwy1ZOsAhdFfYuZNYe8ZhwspRXxUFIgwaYc33V
D7YMjUi2Y/y4SbPttL4nLwjy1+rK5xF8Av6kScWVA4DTTgjAAn/EvJHpwxVlL/6X
4gfog2Cyyzp43WJxF7N/EDsaSoVjGdLrXmVPW6SPO2PVonYomDzFuKYXub50xehS
cWhCjQH6mCoiIMbXw1s9uB33IOGvjmFe2e62DiaCesNitbl5VF/4d/WtoDS2nyqm
5SFDBknOn0/bNwCTTQgGwtt7Vf3Y8r2ADbah3avbQ/b+yIv46vkm702o5QfYItsA
Li4CQGMwHfrRwMmwLfQXnmahZFnDcJq0ZNXDEywX+/eKF1ilHWAPGUOnIanybmGc
3oU6ZjqpE30SUGOZcPZQpUMOPF9jXraZYrzC/lbwr+23jk+22yMpKgIOoDov/GN3
q3l3xv1vCNF71Q==
=Kug3
-----END PGP PUBLIC KEY BLOCK-----

0
installer/portable/filebot.sh Normal file → Executable file

0
installer/portable/install-filebot.sh Normal file → Executable file

43
installer/portable/update-filebot.sh Normal file → Executable file

@ -21,37 +21,46 @@ APP_ROOT=`cd "$PRG_DIR" && pwd`
cd "$WORKING_DIR"
# update core application files
JAR_XZ_FILE="$APP_ROOT/FileBot.jar.xz"
JAR_XZ_URL="https://sourceforge.net/projects/filebot/files/filebot/HEAD/FileBot.jar.xz"
PACKAGE_NAME="FileBot.jar.xz.gpg"
PACKAGE_FILE="$APP_ROOT/$PACKAGE_NAME"
PACKAGE_URL="https://sourceforge.net/projects/filebot/files/filebot/HEAD/$PACKAGE_NAME"
# check if file has changed
JAR_XZ_SHA1_EXPECTED=`curl --retry 5 "$JAR_XZ_URL/list" | egrep -o "[a-z0-9]{40}"`
JAR_XZ_SHA1=`sha1sum $JAR_XZ_FILE | cut -d' ' -f1`
PACKAGE_SHA1_EXPECTED=`curl --retry 5 "$PACKAGE_URL/list" | egrep -o "[a-z0-9]{40}"`
PACKAGE_SHA1=`sha1sum $PACKAGE_FILE | cut -d' ' -f1`
if [ -z "$JAR_XZ_SHA1_EXPECTED" ]; then
if [ -z "$PACKAGE_SHA1_EXPECTED" ]; then
echo "SHA1 hash unknown"
exit 1
fi
if [ "$JAR_XZ_SHA1" == "$JAR_XZ_SHA1_EXPECTED" ]; then
echo "$JAR_XZ_FILE [SHA1: $JAR_XZ_SHA1]"
if [ "$PACKAGE_SHA1" == "$PACKAGE_SHA1_EXPECTED" ]; then
echo "$PACKAGE_FILE [SHA1: $PACKAGE_SHA1]"
exit 0
fi
echo "Update $JAR_XZ_FILE"
curl -L -o "$JAR_XZ_FILE" -z "$JAR_XZ_FILE" --retry 5 "$JAR_XZ_URL" # FRS will redirect to (unsecure) HTTP download link
echo "Update $PACKAGE_FILE"
curl -L -o "$PACKAGE_FILE" -z "$PACKAGE_FILE" --retry 5 "$PACKAGE_URL" # FRS will redirect to (unsecure) HTTP download link
# check if file has been corrupted (or modified) in transit
JAR_XZ_SHA1=`sha1sum $JAR_XZ_FILE | cut -d' ' -f1`
echo "$JAR_XZ_FILE [SHA1: $JAR_XZ_SHA1]"
PACKAGE_SHA1=`sha1sum $PACKAGE_FILE | cut -d' ' -f1`
echo "$PACKAGE_FILE [SHA1: $PACKAGE_SHA1]"
if [ "$JAR_XZ_SHA1" != "$JAR_XZ_SHA1_EXPECTED" ]; then
echo "SHA1 hash mismatch [SHA1: $JAR_XZ_SHA1_EXPECTED]"
rm -vf "$JAR_XZ_FILE"
if [ "$PACKAGE_SHA1" != "$PACKAGE_SHA1_EXPECTED" ]; then
echo "SHA1 hash mismatch [SHA1: $PACKAGE_SHA1_EXPECTED]"
rm -vf "$PACKAGE_FILE"
exit 1
fi
# unpack new jar
xz --decompress --force --keep "$JAR_XZ_FILE"
# initialize gpg
GPG_HOME="$APP_ROOT/.gpg"
JAR_XZ_FILE="$APP_ROOT/FileBot.jar.xz"
if [ -d "$GPG_HOME" ]; then
mkdir -p -m 700 "$GPG_HOME" && gpg --homedir "$GPG_HOME" --import "$APP_ROOT/filebot.pub"
fi
# verify signature and extract jar
gpg --batch --yes --homedir "$GPG_HOME" --trusted-key "4E402EBF7C3C6A71" --output "$JAR_XZ_FILE" --decrypt "$PACKAGE_FILE" && xz --decompress --force "$JAR_XZ_FILE"
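Review bot: The new `if [ -d "$GPG_HOME" ]` guard looks inverted. On a fresh install `$APP_ROOT/.gpg` does not exist, so `filebot.pub` is never imported and the verification on the last line should then fail for lack of the public key; `if [ ! -d "$GPG_HOME" ]` seems to be what was meant. Separately, the last line treats gpg's exit status as proof of a good signature, but as far as I know `--decrypt` can also exit 0 for an OpenPGP message that carries no signature at all. The script should therefore require a `VALIDSIG` status line for the pinned key before running `xz`, and remove the output file otherwise. This matters because the SHA1 list comes from the same host as the package and the download is redirected to plain HTTP (per the comment in this hunk), which leaves the signature as the only independent check. The hunk starts mid-script, so the shebang and earlier setup are not visible here.

```shell
# initialize gpg (first run only: the private keyring directory does not exist yet)
if [ ! -d "$GPG_HOME" ]; then
	mkdir -p -m 700 "$GPG_HOME" && gpg --homedir "$GPG_HOME" --import "$APP_ROOT/filebot.pub"
fi

# verify signature and extract jar
# require an explicit VALIDSIG status line for the pinned key; the exit code alone does not prove a signature was present
GPG_STATUS=`gpg --batch --yes --homedir "$GPG_HOME" --trusted-key "4E402EBF7C3C6A71" --status-fd 1 --output "$JAR_XZ_FILE" --decrypt "$PACKAGE_FILE"` || GPG_STATUS=""
if ! echo "$GPG_STATUS" | grep -q '^\[GNUPG:\] VALIDSIG [0-9A-F]*4E402EBF7C3C6A71 '; then
	echo "Signature verification failed"
	rm -vf "$JAR_XZ_FILE"
	exit 1
fi
xz --decompress --force "$JAR_XZ_FILE"
```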