blob: cac229a94559c20fefacfe52beadedb8a2e3142e (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
|
#!/bin/bash
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
help_out() {
echo "$ARG0 [--allow-dev] <image file> <sig file>" >&2
exit 2
}
opts="$(getopt -o 'd' -l 'allow-dev' -- "$@")" || exit
dev=
eval set -- "$opts"
while true; do
case "$1" in
--allow-dev|-d)
dev=1
shift
;;
--)
shift
break
;;
*)
echo "Bad option: $1" >&2
help_out
;;
esac
done
image_file="${1?Missing image file}" || help_out
sig_file="${2?Missing sig file}" || help_out
# gnupg needs a home directory even though we don't want to persist any
# information. We always make a new temporary directory for this
GNUPGHOME=
cleanup() {
test -n "$GNUPGHOME" && rm -rf "$GNUPGHOME"
}
trap cleanup ERR EXIT INT
export GNUPGHOME="$(mktemp -d)" || exit
gpg() {
command gpg --batch --allow-non-selfsigned-uid --no-tty "$@"
}
import_key() {
gpg --import "/usr/share/google-key/$1.key"
}
import_key prod
if [ -n "$dev" ]; then
import_key dev
fi
gpg --verify --ignore-time-conflict "$sig_file" "$image_file"
|
