#!/bin/bash
###########
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
###########
# DOCUMENTATION.
# This script is to be placed in the root of the svn dist checkout.
# For example, my directory looks like:
#
# drwxr-xr-x@ 8 usr staff 256 Oct 1 11:22 .svn
# -rw-r--r--@ 1 usr staff 1230 Oct 1 11:22 HEADER.html
# -rw-r--r--@ 1 usr staff 2649 Oct 1 11:22 README.html
# -rw-r--r--@ 1 usr staff 5093 Oct 1 11:22 RELEASE-NOTES.txt
# drwxr-xr-x@ 10 usr staff 320 Oct 1 11:22 binaries
# -rw-r--r--@ 1 usr staff 3900 Oct 1 13:40 signature-validation.sh
# drwxr-xr-x@ 44 usr staff 1408 Oct 1 11:22 site
# drwxr-xr-x@ 10 usr staff 320 Oct 1 11:37 source
#
# From here you run ./signature-validation.sh and it will create a directory "artifacts-for-validation-deletable-post-validation"
# in which all of the binaries generated by a release are copied and then it checks to see that all of the signatures and hashes
# are in fact correct for the artifacts.
#
###########
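# Argument check: exactly one parameter (the Nexus staging URL) is required.
# Without the exit the script would carry on with an empty BASE_NEXUS_URL, skip
# the Nexus download and could still report a successful validation.
if test "$#" != "1"
then
  {
    echo "ERROR:"
    echo "We expect the a url like https://repository.apache.org/content/repositories/orgapachecommons-1531/commons-net/commons-net/3.7.1/"
    echo "to be passed in as a parameter to the script."
  } >&2
  exit 1
fi

# Absolute, symlink-resolved directory holding this script. '&&' (not ';') keeps
# a failed cd from silently yielding the caller's working directory instead.
BASEDIR="$( cd "$(dirname -- "$0")" >/dev/null 2>&1 && pwd -P )" || {
  echo "ERROR: cannot determine the directory containing $0" >&2
  exit 1
}

# Scratch directory that every artifact is gathered into before it is checked.
VALIDATION_DIR="${BASEDIR}/artifacts-for-validation-deletable-post-validation"
BINARIES_DIR="${BASEDIR}/binaries"
SOURCE_DIR="${BASEDIR}/source"

# Artifact names are appended directly to this value when downloading, so it
# has to end with '/'.
BASE_NEXUS_URL="$1"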
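#######################################
# Creates the scratch directory that artifacts are gathered into.
# Globals:   VALIDATION_DIR (read)
# Returns:   mkdir's exit status
# NOTE(review): despite the name, nothing is removed here; files left over from
# an earlier run stay in the directory — confirm that is intended.
#######################################
function clean_and_build_validation_dir() {
  # Quoted so a checkout path containing spaces yields one directory, and
  # guarded so an unset/empty variable aborts instead of running a bare mkdir.
  mkdir -p -- "${VALIDATION_DIR:?VALIDATION_DIR must be set}"
}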
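#######################################
# Copies the commons* files of the svn dist checkout (binaries/ and source/)
# into the validation directory.
# Globals:   BASEDIR (read), VALIDATION_DIR (read)
# Outputs:   an error line on stderr for each directory that could not be copied
# Returns:   0 when both copies succeed, 1 otherwise
#######################################
function copy_in_checked_out_artifacts() {
  local dir
  local status=0
  for dir in "${BASEDIR}/binaries" "${BASEDIR}/source"; do
    # The glob sits outside the quotes so it still expands; the trailing slash
    # on the destination makes cp fail rather than create a plain file when the
    # validation directory is missing.
    if ! cp -- "${dir}"/commons* "${VALIDATION_DIR}/"; then
      echo "ERROR: could not copy commons* artifacts from ${dir}" >&2
      status=1
    fi
  done
  return "${status}"
}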
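#######################################
# Downloads every artifact linked from the Nexus directory listing into the
# validation directory.
# Globals:   BASE_NEXUS_URL (read; must end with '/', names are appended to it),
#            VALIDATION_DIR (read)
# Outputs:   progress and artifact names on stdout, errors on stderr
# Returns:   0 when the listing and every artifact were fetched, 1 otherwise
#
# The listing and the checksum files come from the same server as the
# artifacts, so the digests fetched here only detect transfer corruption; the
# detached signatures are what tie an artifact to a signer.
#######################################
function download_nexus_artifacts_to_validation_directory() {
  local listing names element artifact_name url
  local -a elements=()

  echo "INFO: Downloading artifacts from nexus"
  if [[ -z "${BASE_NEXUS_URL}" ]]; then
    echo "ERROR: BASE_NEXUS_URL is empty" >&2
    return 1
  fi

  # --fail turns an HTTP error into a non-zero exit instead of handing the
  # server's error page to the parser below.
  if ! listing=$(curl --fail "${BASE_NEXUS_URL}"); then
    echo "ERROR: could not fetch the listing at ${BASE_NEXUS_URL}" >&2
    return 1
  fi

  # Keep the lines that link into the repository, take the link text (third
  # '>'-separated field), end each name with ';' and drop spaces and newlines.
  # grep -F matches the URL literally rather than as a regular expression.
  names=$(printf '%s\n' "${listing}" \
    | grep -F -- "${BASE_NEXUS_URL}" \
    | cut -d '>' -f3 \
    | sed 's|</a|;|g' \
    | tr -d ' \n')
  IFS=';' read -r -a elements <<< "${names}"
  if (( ${#elements[@]} == 0 )); then
    echo "ERROR: no artifacts found in the listing at ${BASE_NEXUS_URL}" >&2
    return 1
  fi

  for element in "${elements[@]}"; do
    [[ -n "${element}" ]] || continue
    artifact_name=$(printf '%s\n' "${element}" | cut -d '/' -f7)
    # The name comes from remote HTML: refuse anything that would not be a
    # plain file inside the validation directory.
    case "${artifact_name}" in
      '' | . | ..)
        echo "ERROR: refusing suspicious artifact name from listing: '${element}'" >&2
        return 1
        ;;
    esac
    echo "${artifact_name}"
    url="${BASE_NEXUS_URL}${element}"
    if ! curl --fail "${url}" -o "${VALIDATION_DIR}/${artifact_name}"; then
      echo "ERROR: download failed for ${url}" >&2
      return 1
    fi
  done
}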
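# Prints the hex digest of file $2 computed with the openssl algorithm $1.
# The file is fed on stdin so its path never appears in the output being parsed.
function _sv_compute_digest() {
  local algo="$1"
  local file="$2"
  local raw
  raw=$(openssl "${algo}" < "${file}") || return 1
  printf '%s\n' "${raw##*= }"
}

# Prints the first line of checksum file $1, cut at the first carriage return.
function _sv_read_recorded_digest() {
  local line=""
  [[ -r "$1" ]] || return 1
  IFS= read -r line < "$1" || true
  printf '%s\n' "${line%%$'\r'*}"
}

# Compares the computed $1 digest of artifact $2 with its "<artifact>.$1" file;
# reports both values and returns 1 when they differ or nothing was computed.
function _sv_check_digest() {
  local algo="$1"
  local element="$2"
  local actual expected
  actual=$(_sv_compute_digest "${algo}" "${VALIDATION_DIR}/${element}") || actual=""
  expected=$(_sv_read_recorded_digest "${VALIDATION_DIR}/${element}.${algo}") || expected=""
  # An empty computed digest must never count as a match: otherwise a failing
  # openssl plus a missing checksum file would compare "" with "" and pass.
  if [[ -z "${actual}" || "${actual}" != "${expected}" ]]; then
    echo "$element failed ${algo} check"
    echo "==${actual}=="
    echo "==${expected}=="
    return 1
  fi
}

#######################################
# Checks every artifact in the validation directory against its recorded
# digests and its detached GPG signature.
#   *.tar.gz / *.zip : sha512 digest
#   everything else  : md5 and sha1 digests
#   every artifact   : gpg --verify against "<artifact>.asc"
# Files ending in asc, sha512, md5 or sha1 are the check data, not artifacts.
# Globals:   VALIDATION_DIR (read)
# Outputs:   progress and failure details on stdout
# Returns:   exits the current shell with status 1 on the first failure
#
# MD5 and SHA-1 are not collision resistant; here they only catch corrupted
# transfers. The signature is the authenticity check, which is why it is now
# applied to the archives as well (previously they were digest-checked only).
# NOTE(review): a zero exit from gpg --verify says the signature matches a key
# in the local keyring, not that the key belongs to a release manager — confirm
# the signer against the project's KEYS file.
#######################################
function validate_signatures() {
  local path element
  local -a artifacts=()

  echo "INFO: Validating Signatures in ${VALIDATION_DIR}"

  # Enumerate with globs rather than by parsing `ls -l`: the old parser keyed
  # on the ':' of the timestamp column, so any file old enough for ls to print
  # a year instead of a time was skipped without being checked.
  for path in "${VALIDATION_DIR}"/* "${VALIDATION_DIR}"/.[!.]*; do
    [[ -f "${path}" ]] || continue
    element="${path##*/}"
    case "${element}" in
      *asc | *sha512 | *md5 | *sha1) continue ;;
    esac
    artifacts+=("${element}")
  done

  # Validating nothing is not a success.
  if (( ${#artifacts[@]} == 0 )); then
    echo "ERROR: no artifacts found in ${VALIDATION_DIR}" >&2
    exit 1
  fi

  for element in "${artifacts[@]}"; do
    case "${element}" in
      *.tar.gz | *.zip)
        _sv_check_digest sha512 "${element}" || exit 1
        ;;
      *)
        _sv_check_digest md5 "${element}" || exit 1
        _sv_check_digest sha1 "${element}" || exit 1
        ;;
    esac
    # A missing .asc makes gpg fail, so an unsigned artifact is rejected too.
    if ! gpg --verify "${VALIDATION_DIR}/${element}.asc" "${VALIDATION_DIR}/${element}" > /dev/null 2>&1; then
      echo "$element failed gpg signature check"
      exit 1
    fi
  done
  echo "SUCCESSFUL VALIDATION"
}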
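#######################################
# Deletes the validation directory and everything in it.
# Globals:   VALIDATION_DIR (read)
# Returns:   rm's exit status; aborts when VALIDATION_DIR is unset or empty
#######################################
function clean_up_afterwards() {
  # Quoted so a path with spaces is removed as one path instead of being split
  # into several unrelated arguments to rm -rf; ':?' refuses an empty value.
  rm -rf -- "${VALIDATION_DIR:?VALIDATION_DIR must be set}"
}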
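# Run the steps in order and stop at the first one that fails.
# Each step is called directly rather than inside `echo $(...)`: the command
# substitution ran the step in a subshell, so the `exit 1` of a failed check
# only ended that subshell and the script itself still finished with status 0.
clean_and_build_validation_dir || exit 1
copy_in_checked_out_artifacts || exit 1
download_nexus_artifacts_to_validation_directory || exit 1
validate_signatures || exit 1
#clean_up_afterwards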