[or-cvs] [tor/master] Add a make-signature.sh script.

nickm at torproject.org nickm at torproject.org
Sat Jan 15 20:00:42 UTC 2011 

commit 6ccb16438ad611b41bbb7f3faab0f7726b364d93
Author: Nick Mathewson <nickm at torproject.org>
Date:   Sat Jan 15 15:00:41 2011 -0500

    Add a make-signature.sh script.
---
 contrib/make-signature.sh |   77 +++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 77 insertions(+), 0 deletions(-)

diff --git a/contrib/make-signature.sh b/contrib/make-signature.sh
new file mode 100755
index 0000000..a0edb67
--- /dev/null
+++ b/contrib/make-signature.sh
@@ -0,0 +1,77 @@
+#!/bin/sh
+
+if test "$1" = "" ; then
+    echo "I need a package as an argument."
+    exit 1
+fi
+
+PACKAGEFILE=$1
+
+if test ! -f "$PACKAGEFILE" ; then
+    echo "$PACKAGEFILE is not a file."
+    exit 1
+fi
+
+DIGESTNAME=sha256
+DIGESTOUTPUT=`gpg --print-md $DIGESTNAME $PACKAGEFILE`
+
+RAWDIGEST=`gpg --print-md $DIGESTNAME $PACKAGEFILE | sed -e 's/^[^ ]*: //' `
+
+# These regexes are a little fragile, but I think they work for us.
+VERSION=`echo $PACKAGEFILE | sed -e 's/^[a-z\-]*//' -e 's/\.[\.a-z]*$//' `
+PACKAGE=`echo $PACKAGEFILE | sed -e 's/-[0-9].*//'`
+SIGFILE_UNSIGNED="$PACKAGE-$VERSION-signature"
+SIGNATUREFILE="$SIGFILE_UNSIGNED.asc"
+
+cat >$SIGFILE_UNSIGNED <<EOF
+This is the signature file for "$PACKAGEFILE",
+which contains version "$VERSION" of "$PACKAGE".
+
+Here's how to check this signature.
+
+1) Make sure that this is really a signature file, and not a forgery,
+   with:
+
+     "gpg --verify $SIGNATUREFILE"
+
+   The key should be one of the keys that signs the Tor release; the
+   official Tor website has more information on those.
+
+   If this step fails, then either you are missing the correct key, or
+   this signature file was not really signed by a Tor packager.
+   Beware!
+
+2) Make sure that the package you wanted is indeed "$PACKAGE", and that
+   its version you wanted is indeed "$VERSION".  If you wanted a
+   different package, or a different version, this signature file is
+   not the right one!
+
+3) Now that you're sure you have the right signature file, make sure
+   that you got the right package.  Check its $DIGESTNAME digest with
+
+     "gpg --print-md $DIGESTNAME $PACKAGEFILE"
+
+   The output should match this, exactly:
+
+$DIGESTOUTPUT
+
+   Make sure that every part of the output matches: don't just check the
+   first few characters.  If the digest does not match, you do not have
+   the right package file.  It could even be a forgery.
+
+Frequentlty asked questions:
+
+Q: Why not just sign the package file, like you used to do?
+A: GPG signatures authenticate file contents, but not file names.  If
+   somebody gave you a renamed file with a matching renamed signature
+   file, the signature would still be given as "valid".
+
+-- 
+FILENAME: $PACKAGEFILE
+PACKAGE: $PACKAGE
+VERSION: $VERSION
+DIGESTALG: $DIGESTNAME
+DIGEST: $RAWDIGEST
+EOF
+
+gpg --clearsign $SIGFILE_UNSIGNED

More information about the tor-commits mailing list