#!/bin/bash
# Attempts to verify that the published jar for the latest build is byte-for-byte reproducible from the tagged source, i.e. that the released bytecode really was built from the published source.
# Main requirement is to run the script on a system using the same Java compiler as the system that released it.
# For builds by toad, this is Sun 1.6.0_26 (sun-java6-jdk; 6.26-0squeeze1) on Debian Squeeze.
# For builds by operhiem1 build 1473 or later, this is openjdk-7-jdk 7u101-2.6.6-1~deb8u1 on Debian Jessie.
# TODO: update environment description
# Uses lib-pyFreenet to fetch the in-Freenet JAR over FCP,
# and so requires Python and lib-pyFreenet. (fcpget)
# Load configuration and utility functions.
source freenet-scripts-common || exit
## TODO MAJOR: Get the latest build number from somewhere other than the repository, e.g. Freenet, announcements, etc.
## TODO MAJOR: Verify the installers
## TODO: Automatically download freenet-ext.jar if not present, in a secure fashion.
## TODO: Deal with freenet-ext.jar updating automatically.
## TODO: Verify freenet-ext.jar itself.
## TODO: Hard-code the certificate for SSL see the code in update.sh in app-new_installer
## TODO: Detect who released it and complain if not the same compiler? Or even install several copies?
## TODO: Allow choosing Freenet jar sources: at least one of website, freenet.
## TODO: Also verify consistency of source archives.
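# Shared failure text printed on every path where the published jar cannot be
# reproduced from the published source, so all of them give the same guidance.
# TODO: This may make more sense as a function?
failureWarning="FAILED TO VERIFY. If you determine that this failure is not due to build environment differences, then the source files used to build the published version of Freenet are different from the published source files. The build has been compromised. Take care to only run versions of Freenet with published, reviewable source code, as compromised versions of Freenet could easily contain back doors."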
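# Prerequisite checks. freenetExtPath is expected to come from the sourced
# freenet-scripts-common configuration; an unset value used to produce the
# confusing message 'The path "" does not exist.', so report it separately.
if [[ -z "$freenetExtPath" ]]; then
    echo "freenetExtPath is not set; configure it in freenet-scripts-common." >&2
    exit 10
fi
if [[ ! -e "$freenetExtPath" ]]; then
    echo "The path \"$freenetExtPath\" does not exist." >&2
    exit 10
fi
# fcpget (part of lib-pyFreenet) is needed later to fetch the in-Freenet jar over FCP.
if ! fcpget --version; then
    echo "fcpget - part of lib-pyFreenet - is not installed." >&2
    exit 10
fi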
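# Parse command-line options. Unrecognised options abort; parsing stops at the
# first non-option argument or at "--". Options that take a value now fail
# loudly when the value is missing: previously "--tag" as the last argument made
# "shift 2" fail without shifting, leaving $1 unchanged and the loop spinning
# forever.
while :
do
    case $1 in
        --help | -h | -\?)
            cat <<EOF
--tag TAG specifies build tag to checkout.
--tmpbase PATH specifies temporary directory. Default /tmp/
--online download dependencies automatically. Accesses the web.
EOF
            exit 0
            ;;
        --tag)
            if [[ -z "$2" ]]; then
                echo "--tag requires a TAG argument" >&2
                exit 1
            fi
            gitVersion="$2"
            shift 2
            ;;
        --online)
            online="true"
            shift
            ;;
        --tmpbase)
            if [[ -z "$2" ]]; then
                echo "--tmpbase requires a PATH argument" >&2
                exit 1
            fi
            tmpBase="$2"
            shift 2
            ;;
        --) # End of all options
            shift
            break
            ;;
        -*)
            echo "Unknown option: $1" >&2
            exit 1
            ;;
        *) # No more options; stop parsing.
            break
            ;;
    esac
done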
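# Default the temp base to /tmp/ and create a fresh, unpredictable work
# directory under it. mktemp failure is fatal: otherwise tmpDir would be empty
# and the later "cd $tmpDir" / "rm -Rf $tmpDir" would act on the wrong place.
if [[ -z "$tmpBase" ]]; then
    tmpBase="/tmp/"
fi
if ! tmpDir=$(mktemp -d --tmpdir="$tmpBase"); then
    echo "Unable to create a temporary directory under \"$tmpBase\"." >&2
    exit 1
fi
echo Using "$tmpDir"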
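# Refresh the local fred repository, pick the build to verify, and make a
# throwaway clone of it in the work directory. Every cd is checked so a failure
# cannot silently run the git commands in the wrong directory.
if ! cd "$fredDir"; then
    echo "Unable to enter repository directory \"$fredDir\"." >&2
    exit 13
fi
if ! git remote update; then
    echo Unable to update git repository.
    exit 13
fi
# The tag was not specified so autodetect. getBuildInfo / getTagInfo come from
# freenet-scripts-common and are expected to set gitVersion, buildNumber and
# commitID (used below and in summary).
if [[ -z "$gitVersion" ]]; then
    getBuildInfo
else
    getTagInfo "$gitVersion"
fi
if [[ -z "$gitVersion" ]]; then
    echo "Unable to determine which build to verify." >&2
    exit 13
fi
echo Using build "$gitVersion"
if ! cd "$tmpDir"; then
    echo "Unable to enter temporary directory \"$tmpDir\"." >&2
    exit 14
fi
if ! git clone "$fredDir" fred; then
    echo Unable to clone repo.
    exit 14
fi
if ! cd fred; then
    echo Unable to enter cloned repository.
    exit 14
fi
# Verify the tag signature BEFORE checking it out, so nothing from an
# unverified tree is ever used. NOTE(review): "git tag -v" accepts a valid
# signature from ANY key in the local keyring; it does not pin the Freenet
# release key. Check the fingerprint it reports against the expected one.
if ! git tag -v "$gitVersion"; then
    echo Failed to verify tag "$gitVersion"
    exit 11
fi
if ! git checkout "$gitVersion"; then
    echo Unable to checkout build tag.
    exit 14
fi
echo Build number $buildNumber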
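# Put the (unverified, see the TODOs in the header) freenet-ext.jar where the
# build expects it, build freenet.jar from the checkout, and unpack the result
# for comparison. gradlew is code from the checkout and must only run after the
# tag signature has been verified, which happens earlier in this script.
mkdir -p lib/freenet/
if ! cp "$freenetExtPath" lib/freenet/freenet-ext.jar; then
    echo Unable to copy freenet-ext.jar from "$freenetExtPath"
    exit 12
fi
# Offline build is the default. --online lets gradle fetch dependencies from the
# web; their integrity is not checked by this script, and build-time code
# (plugins) then runs on this host.
gradleArgs=()
if [[ -z "$online" ]]; then
    gradleArgs+=(--offline)
fi
if ! ./gradlew "${gradleArgs[@]}" jar; then
    echo Unable to build from repository.
    exit 8
fi
if ! cd ..; then
    echo Unable to leave the build directory.
    exit 8
fi
if ! mkdir unpacked-built; then
    echo Unable to create unpacked-built directory.
    exit 9
fi
if ! unzip "fred/build/libs/freenet.jar" -d unpacked-built > /dev/null; then
    echo Failed to unpack built jar
    exit 9
fi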
# Fetch the released jar and its detached signature from the GitHub release for
# this tag, then check the signature. NOTE(review): "gpg --verify" passes for a
# valid signature from ANY key in the local keyring; it does not pin the Freenet
# release key. Confirm the reported signer fingerprint is the expected one
# before trusting a "Good signature".
jarUrl="https://github.com/freenet/fred/releases/download/${gitVersion}/freenet-${gitVersion}.jar"
signatureUrl="$jarUrl.sig"
wget "$signatureUrl" -O freenet.jar.sig || {
    echo Unable to fetch signature "$signatureUrl" from the official Freenet repository.
    exit 4
}
wget "$jarUrl" -O freenet.jar || {
    echo Unable to fetch jar file "$jarUrl" from the official Freenet repository.
    exit 5
}
gpg --logger-fd 1 --verify freenet.jar.sig freenet.jar || {
    echo "Unable to verify signature on jar"
    exit 6
}
# Check that the website and hosted versions are identical.
# TODO: Detect update USK from node config
# The in-Freenet copy is not signature-checked on its own; it must instead be
# byte-identical (cmp below) to the signed jar fetched from the website, which
# is what catches a substituted insert.
key="SSK@vCKGjQtKuticcaZ-dwOgmkYPVLj~N1dm9mb3j3Smg4Y,-wz5IYtd7PlhI2Kx4cAwpUu13fW~XBglPyOn8wABn60,AQACAAE/jar-$buildNumber"
# old key:
# SSK@sabn9HY9MKLbFPp851AO98uKtsCtYHM9rqB~A5cCGW4,3yps2z06rLnwf50QU4HvsILakRBYd4vBlPtLv0elUts,AQACAAE/jar-$buildNumber"
# Fetch the jar for $key over FCP into inserted-freenet.jar.
fetchFromFreenet() {
    fcpget --verbose --fcpHost="$fcpHost" --fcpPort="$fcpPort" "$key" inserted-freenet.jar
}
echo "" ; echo "Downloading from freenet - this can take a moment... key: $key"
fetchFromFreenet
if [[ ! -e "inserted-freenet.jar" ]]; then
    echo "Unable to fetch freenet.jar from Freenet."
    exit 12
fi
# An empty result is retried exactly once before giving up.
if [[ ! -s "inserted-freenet.jar" ]]; then
    echo "Fetched freenet.jar is empty. Trying again."
    fetchFromFreenet
    if [[ ! -s "inserted-freenet.jar" ]]; then
        echo "Fetched freenet.jar is empty after second try."
        exit 12
    fi
fi
echo "Downloaded file: "
sha512sum inserted-freenet.jar
echo "Comparing: "
if cmp freenet.jar inserted-freenet.jar; then
    echo ""
    echo freenet.jar from the website and fetched from Freenet are the same.
    echo "So far OK..."
else
    echo ""
    echo ""
    echo "ERROR - VERIFICATION FAILED"
    echo FAILED TO VERIFY: The freenet.jar from the website and the
    echo freenet.jar fetched from Freenet are different.
    echo "Website jar SHA512: $(sha512sum freenet.jar)"
    echo "Inserted jar SHA512: $(sha512sum inserted-freenet.jar)"
    echo ""
    echo "$failureWarning"
    exit 11
fi
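# Unpack the signed official jar and compare it with the jar built from the
# verified source: first the list of entries, then each entry's contents.
if ! mkdir unpacked-official; then
    echo Unable to create unpacked-official directory.
    exit 7
fi
if ! unzip freenet.jar -d unpacked-official > /dev/null; then
    echo Failed to unpack official released jar
    exit 7
fi
# Ready to do the comparison. "cd && find" so a failed cd yields an empty list
# instead of silently listing the current directory.
(cd unpacked-official && find -type f) | sort > unpacked-official.list
(cd unpacked-built && find -type f) | sort > unpacked-built.list
if ! cmp unpacked-official.list unpacked-built.list; then
    echo FAILED TO VERIFY: Different files in official vs built
    echo Files in official but not in built are marked as +
    echo Files in built but not in official are marked with -
    diff -u unpacked-built.list unpacked-official.list
    echo ""
    echo "$failureWarning"
    exit 9
fi
# Entry names are read verbatim (-r, empty IFS) so names containing backslashes
# or surrounding whitespace are compared as-is rather than mangled.
while IFS= read -r x; do
    if ! cmp "unpacked-official/$x" "unpacked-built/$x"; then
        if [[ "$x" = "./META-INF/MANIFEST.MF" ]]; then
            # NOTE(review): a manifest difference is displayed but never counted
            # as a failure, so a changed Main-Class or Class-Path in there would
            # still "verify". Read this diff carefully; consider failing unless
            # only build-environment headers differ.
            echo "Manifest file is different; this is expected."
            echo "Please review the differences:"
            diff "unpacked-official/$x" "unpacked-built/$x"
        else
            echo "File is different: $x"
            echo "$x" >> "differences"
        fi
    fi
done < unpacked-official.list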
# Print a short report of exactly what was verified: the tag and build number,
# SHA-512 digests of the official jar and its signature file (as produced by
# sha512sum, i.e. "hash  filename"), and the commit the repository resolved to.
# Reads the globals gitVersion, buildNumber and commitID and the files
# freenet.jar / freenet.jar.sig in the current directory.
summary() {
    printf 'Tag %s / build %s\n' "$gitVersion" "$buildNumber"
    printf 'Official jar SHA512: %s\n' "$(sha512sum freenet.jar)"
    printf 'Official jar signature SHA512: %s\n' "$(sha512sum freenet.jar.sig)"
    printf 'Git repository is at object %s\n' "$commitID"
}
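# Report the outcome. Any content difference outside the manifest is a
# verification failure; on failure the work directory is left in place
# (presumably so the unpacked jars can be inspected) and only removed on
# success.
if [[ -s "differences" ]]; then
    echo VERIFY FAILED: FILES ARE DIFFERENT:
    cat differences
    summary
    echo ""
    echo "$failureWarning"
    exit 10
fi
echo "Verification successful."
summary
cd ..
# ${tmpDir:?} aborts instead of running rm -Rf on an empty path; "--" stops
# option parsing for any unusual directory name.
rm -Rf -- "${tmpDir:?}"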