Verify checksums of Ubuntu or Debian files.
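#!/bin/bash
# Verify a downloaded Ubuntu or Debian file against the archive's signed
# checksum files.
#
# Usage: verify.sh <file-to-verify>
#   Run it with bash, from the directory that holds the downloaded *SUMS and
#   *SUMS.gpg files (and, optionally, Release, Release.gpg and Packages.xz).
#   A POSIX-only sh such as dash rejects the bash syntax used here.
#
# Exit status: 0 when every signature file verified and at least one digest of
# the file was found; 1 when a check failed; 2 on a usage error.
#
# Install the keys for the distribution (apt-cache search keyring | grep -i pg | grep -i keyring):
# e.g. (Ubuntu): apt-get install debian-archive-keyring debian-keyring ubuntu-keyring ubuntu-extras-keyring
# e.g. (Debian): apt-get install debian-archive-keyring debian-keyring ubuntu-archive-keyring
# Download all of the *SUMS and *SUMS.gpg from the mirror that you use and check them by running verify.sh <file-to-verify>:
# I wanted to verify netboot.tar.gz, so I ran "verify.sh netboot.tar.gz" and got:
# sh ./588e8ff9ca5123edd019/verify.sh netboot.tar.gz
# MD5SUMS.gpg
# gpg: Signature made Wed 22 Oct 2014 08:40:30 PM EEST using DSA key ID 437D05B5
# gpg: Good signature from "Ubuntu Archive Automatic Signing Key <[email protected]>"
# gpg: Signature made Wed 22 Oct 2014 08:40:30 PM EEST using RSA key ID C0B21F32
# gpg: Good signature from "Ubuntu Archive Automatic Signing Key (2012) <[email protected]>"
# SHA1SUMS.gpg
# gpg: Signature made Wed 22 Oct 2014 08:40:30 PM EEST using DSA key ID 437D05B5
# gpg: Good signature from "Ubuntu Archive Automatic Signing Key <[email protected]>"
# gpg: Signature made Wed 22 Oct 2014 08:40:30 PM EEST using RSA key ID C0B21F32
# gpg: Good signature from "Ubuntu Archive Automatic Signing Key (2012) <[email protected]>"
# SHA256SUMS.gpg
# gpg: Signature made Wed 22 Oct 2014 08:40:30 PM EEST using DSA key ID 437D05B5
# gpg: Good signature from "Ubuntu Archive Automatic Signing Key <[email protected]>"
# gpg: Signature made Wed 22 Oct 2014 08:40:30 PM EEST using RSA key ID C0B21F32
# gpg: Good signature from "Ubuntu Archive Automatic Signing Key (2012) <[email protected]>"
# SHA1SUMS:22aa4d98b0cb7e104bb83b6cc9efad49a5d060d9 ./netboot/netboot.tar.gz
# MD5SUMS:fba795b43d8400caef912f91469099d0 ./netboot/netboot.tar.gz
# SHA256SUMS:dd8cdc7138be73618c5b42a2eee80dbdd4e304bbb75abce0954c66b51eb5343f ./netboot/netboot.tar.gz
# Since all of the sum files have a good signature and since the sums match the sum of the file, it's a good
# download as far as I can trust the machine where I'm verifying the data.
#
# What the output does and does not prove:
#  - "Good signature" only says that SOME key in your keyring signed the file.
#    The import step below pulls in every key shipped by the installed keyring
#    packages, so read the signer name and make sure it is the archive key.
#  - The 8-hex-digit key IDs shown in the transcript above are not unique to
#    one key. Compare the full fingerprint (gpg --fingerprint <key>) with one
#    obtained from a source you trust.
#  - MD5 and SHA-1 are no longer collision resistant; treat those two lines as
#    informational and rely on the SHA256 match.
#  - A digest match only counts if the *SUMS file it was found in verified.

# Unmatched globs must expand to nothing, not to the literal pattern.
shopt -s nullglob

if (( $# < 1 )) || [[ -z "$1" ]]; then
  printf 'Usage: %s <file-to-verify>\n' "${0##*/}" >&2
  exit 2
fi
target=$1
if [[ ! -f "$target" || ! -r "$target" ]]; then
  printf '%s: cannot read file: %s\n' "${0##*/}" "$target" >&2
  exit 2
fi

status=0
sigs=( *.gpg )
sums=( *SUMS )
algos=( sha1 md5 sha256 )

# Print only the hex digest that <algo>sum computes for a file.
# $1 - algorithm prefix (sha1, md5, sha256); $2 - path.
# The file is fed on stdin so an odd file name cannot alter the output format
# or be taken for an option.
digest_of() {
  "${1}sum" <"$2" | awk '{print $1}'
}

# Import the keys into the local user's keychain if needed:
# Collect the signing keys named by every signature file. gpg 1.x/2.0 print
# "using RSA key ID C0B21F32", gpg 2.1+ print "using RSA key <fingerprint>";
# both forms are accepted. Looking only for "key ID" finds nothing on newer
# gpg and the import would then be skipped for the wrong reason.
need_import=0
for sig in "${sigs[@]}"; do
  while IFS= read -r key_id; do
    gpg --list-keys "$key_id" >/dev/null 2>&1 || need_import=1
  done < <(gpg --verify "$sig" "${sig%.gpg}" 2>&1 \
    | sed -n -E 's/.*using [[:alnum:]]+ key (ID )?(0x)?([[:xdigit:]]{8,}).*/\3/p')
done

if (( need_import )); then
  # The keys come from files that dpkg installed as part of the *-keyring
  # packages, so the trust anchor is the local package installation.
  dpkg -l | grep -i -- -keyring | grep PG | awk '{print $2}' \
    | while IFS= read -r keyring; do
        dpkg -L "$keyring" | grep 'gpg$' | xargs -r -d '\n' gpg --import
      done
fi

# Verify the checksum files:
if (( ${#sigs[@]} == 0 )); then
  printf 'No *.gpg signature files found in %s\n' "$PWD" >&2
  status=1
fi
for sig in "${sigs[@]}"; do
  printf '%s\n' "$sig"
  report=$(gpg --verify "$sig" "${sig%.gpg}" 2>&1)
  rc=$?
  # Show failures as well as successes: filtering for "good signature" alone
  # makes a BAD or uncheckable signature look like a quiet success.
  printf '%s\n' "$report" | grep -i \
    -e "using .* key" \
    -e "good signature" \
    -e "bad signature" \
    -e "can't check signature" \
    -e "expired" \
    -e "revoked"
  if (( rc != 0 )); then
    printf 'PROBLEM: gpg could not fully verify %s (exit status %d)\n' "$sig" "$rc" >&2
    status=1
  fi
done
# Did each SUM file say that it had a good signature from somebody that you trust?

# Check the file against the SUM files:
matched=0
for algo in "${algos[@]}"; do
  digest=$(digest_of "$algo" "$target")
  # An empty pattern would match every line, so never pass one to grep.
  [[ -n "$digest" ]] || continue
  if (( ${#sums[@]} )) && grep -H -F -- "$digest" "${sums[@]}"; then
    matched=1
  fi
done

if [[ -f Packages.xz ]]; then
  # Packages.xz is only as trustworthy as the Release file that lists it.
  if [[ -f Release ]]; then
    index_listed=0
    for algo in "${algos[@]}"; do
      digest=$(digest_of "$algo" Packages.xz)
      [[ -n "$digest" ]] || continue
      grep -F -- "$digest" Release && index_listed=1
    done
    if (( ! index_listed )); then
      printf 'PROBLEM: no digest of Packages.xz is listed in Release\n' >&2
      status=1
    fi
  fi

  # Look for the file's digest inside the package stanzas that mention it.
  for algo in "${algos[@]}"; do
    digest=$(digest_of "$algo" "$target")
    [[ -n "$digest" ]] || continue
    if xzcat Packages.xz | grep -F -A15 -- "$target" | grep -F -- "$digest"; then
      matched=1
    fi
  done
fi

if (( ! matched )); then
  printf 'PROBLEM: no digest of %s was found in the checksum files\n' "$target" >&2
  status=1
fi

exit "$status"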