fetch-release: minor improvements

This script is potentially fetched from an untrusted source and should
be in good shape to be easily auditable.

- Create just one TMPDIR
- Improve comments
- Use `cut` to extract sha256
- Use camelCase var names like in other scripts
This commit is contained in:
Erik Arvstedt 2021-03-16 12:45:19 +01:00
parent 45d0964e27
commit 84b3217c3d
No known key found for this signature in database
GPG Key ID: 33312B944DD97846

View File

@ -1,36 +1,40 @@
#!/usr/bin/env nix-shell #!/usr/bin/env nix-shell
#! nix-shell -i bash -p bash coreutils curl jq gnugrep gnupg #!nix-shell -i bash -p bash coreutils curl jq gnupg
set -euo pipefail set -euo pipefail
scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd) scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
REPO=fort-nix/nix-bitcoin repo=fort-nix/nix-bitcoin
if [[ ! -v VERSION ]]; then if [[ ! -v version ]]; then
VERSION=$(curl --silent "https://api.github.com/repos/$REPO/releases/latest" | jq -r '.tag_name' | tail -c +2) version=$(curl --silent "https://api.github.com/repos/$repo/releases/latest" | jq -r '.tag_name' | tail -c +2)
fi fi
TMPDIR=$(mktemp -d) TMPDIR=$(mktemp -d)
GPG_HOME=$(mktemp -d) trap "rm -rf $TMPDIR" EXIT
trap "rm -rf $TMPDIR $GPG_HOME" EXIT
GPG_HOME=$TMPDIR/gpg-home
mkdir -p -m 700 "$GPG_HOME"
cd $TMPDIR cd $TMPDIR
BASEURL=https://github.com/$REPO/releases/download/v$VERSION baseUrl=https://github.com/$repo/releases/download/v$version
curl --silent -L -O $BASEURL/SHA256SUMS.txt curl --silent -L -O $baseUrl/SHA256SUMS.txt
curl --silent -L -O $BASEURL/SHA256SUMS.txt.asc curl --silent -L -O $baseUrl/SHA256SUMS.txt.asc
# Import key and verify fingerprint # Import key
gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null
# Verify key fingerprint
gpg --homedir $GPG_HOME --list-keys 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 > /dev/null gpg --homedir $GPG_HOME --list-keys 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 > /dev/null
# Verify signature for SHA256SUMS.txt
gpg --homedir $GPG_HOME --verify SHA256SUMS.txt.asc &> /dev/null || { gpg --homedir $GPG_HOME --verify SHA256SUMS.txt.asc &> /dev/null || {
echo "ERROR: Signature verification failed. Please open an issue in the project repository." echo "Error: Signature verification failed. Please open an issue in the project repository."
exit 1 exit 1
} }
SHA256=$(cat SHA256SUMS.txt | grep -Eo '^[^ ]+') sha256=$(cat SHA256SUMS.txt | cut -d\ -f1)
cat <<EOF cat <<EOF
{ {
url = "$BASEURL/nix-bitcoin-$VERSION.tar.gz"; url = "$baseUrl/nix-bitcoin-$version.tar.gz";
sha256 = "$SHA256"; sha256 = "$sha256";
} }
EOF EOF