add verification of binary signature

rotkonetworks · Apr 3, 2024 · 5441a83 · 5441a83
1 parent ed32072
commit 5441a83
Showing 1 changed file with 10 additions and 15 deletions.
diff --git a/scripts/install.sh b/scripts/install.sh
@@ -2,36 +2,31 @@
 
 # URLs for the assets
 binary_url=$(curl -s https://api.github.com/repos/rotkonetworks/genpeerid/releases/latest | grep -oP '"browser_download_url": "\K(.*genpeerid)(?=")')
+binary_signature_url=$(curl -s https://api.github.com/repos/rotkonetworks/genpeerid/releases/latest | grep -oP '"browser_download_url": "\K(.*genpeerid.sig)(?=")')
 hash_url=$(curl -s https://api.github.com/repos/rotkonetworks/genpeerid/releases/latest | grep -oP '"browser_download_url": "\K(.*genpeerid.sha512)(?=")')
-signature_url=$(curl -s https://api.github.com/repos/rotkonetworks/genpeerid/releases/latest | grep -oP '"browser_download_url": "\K(.*genpeerid.sha512.sig)(?=")')
+hash_signature_url=$(curl -s https://api.github.com/repos/rotkonetworks/genpeerid/releases/latest | grep -oP '"browser_download_url": "\K(.*genpeerid.sha512.sig)(?=")')
 public_key_url="https://github.com/hitchhooker.gpg"
 
 # Download the binary, SHA512 hash, and the GPG signature of the hash
 curl -sL "${binary_url}" -o genpeerid
+curl -sL "${binary_signature_url}" -o genpeerid.sig
 curl -sL "${hash_url}" -o genpeerid.sha512
-curl -sL "${signature_url}" -o genpeerid.sha512.sig
+curl -sL "${hash_signature_url}" -o genpeerid.sha512.sig
 curl -sL "${public_key_url}" -o public_key.gpg
 
 # Import the public key
 gpg --import public_key.gpg
 
-# Verify the SHA512 hash against the downloaded binary
 echo "Verifying SHA512 hash..."
-sha512sum -c genpeerid.sha512
-
-if [ $? -ne 0 ]; then
-    echo "SHA512 verification failed!"
-    exit 1
-fi
+sha512sum -c genpeerid.sha512 || { echo "SHA512 verification failed!"; exit 1; }
 
 # Verify the GPG signature of the SHA512 hash
-echo "Verifying GPG signature..."
-gpg --verify genpeerid.sha512.sig genpeerid.sha512
+echo "Verifying GPG signature of SHA512 hash..."
+gpg --verify genpeerid.sha512.sig genpeerid.sha512 || { echo "GPG signature verification of SHA512 hash failed!"; exit 1; }
 
-if [ $? -ne 0 ]; then
-    echo "GPG signature verification failed!"
-    exit 1
-fi
+# New Step: Verify the GPG signature of the binary itself
+echo "Verifying GPG signature of the binary..."
+gpg --verify genpeerid.sig genpeerid || { echo "GPG signature verification of the binary failed!"; exit 1; }
 
 # If all verifications passed, proceed to use the binary
 chmod +x genpeerid