-
Notifications
You must be signed in to change notification settings - Fork 4
/
signify-firmware
executable file
·62 lines (51 loc) · 1.26 KB
/
signify-firmware
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
#!/bin/sh
# verify all firmware with signify
set -eu
if [ $# != 0 ]
then
echo usage: signify-firmware >&2
exit 2
fi
versions=`jot - 99 64 -1`
debug="${debug:=debug}"
fw="/data/mirror/openbsd/firmware"
tag="signify-firmware[$$]"
logger -p daemon.info -t "$tag" "openbsd start"
for version in $versions snapshots
do
if [ "$version" = snapshots ]
then
release="$version"
else
release="${version%[0-9]}.${version##[0-9]}"
fi
dir="$fw/firmware/$release"
[ -d "$dir" ] || continue
logger -p daemon.info -t "$tag" "openbsd $version start"
# verify release directory
if [ "$version" = snapshots ]
then
sig="$dir/SHA256.sig"
if ! [ -f "$sig" ]
then
logger -p daemon.warning -s -t "$tag" \
"openbsd $dir no SHA256.sig"
exit 1
fi
key="/etc/signify/`sed -n 's/^untrusted comment: verify with //p' $sig`"
logger -p daemon.info -t "$tag" \
"openbsd snapshot signify key $key"
else
key="/etc/signify/openbsd-$version-fw.pub"
fi
if ! ( cd "$dir" && signify -C -p $key -x SHA256.sig )
then
logger -p daemon.warning -s -t "$tag" \
"openbsd $dir fail"
else
logger -p daemon.notice -t "$tag" \
"openbsd $version success"
fi | logger -p "daemon.$debug" -t signify
done
logger -p daemon.notice -t "$tag" "openbsd finished"
exit 0