levigroker · December 10, 2016 02:20
diff --git a/spikeroak.sh b/spikeroak.sh
 #!/bin/bash
 #
 # spideroak.sh
 #
 # A bash script to download and verify spideroak.com's warrant canary file.
 # Requires GnuPG to be installed ( https://gpgtools.org https://www.gnupg.org )
 #
 # by Levi Brown
 # [email protected]
 # December 9, 2016
 # Your constructive comments and feedback are always welcome.
 # This work is licensed via the Creative Commons Attribution 4.0 International
 # https://creativecommons.org/licenses/by/4.0/
 ##

 DEBUG=${DEBUG:-0}
 export DEBUG

 set -eu
 [ $DEBUG -ne 0 ] && set -x

 ## Config
 CANARY_FILE="spideroak_canary.txt"
 CANARY_LATEST_FILE="spideroak_canary_latest.txt"
 CANARY_BODY_FILE="spideroak_canary_body.txt"
 SIG_FILE_PREFIX="spideroak_sig"
 SIG_FILE_EXT=".asc"

 # Fully qualified binaries (_B suffix to prevent collisions)
 AWK_B="/usr/bin/awk"
 CAT_B="/bin/cat"
 CURL_B="/usr/bin/curl"
 LS_B="/bin/ls"
 GPG_B="/usr/local/bin/gpg"
 RM_B="/bin/rm"

 ## Functions
 function clean()
 {
  local RM_FILES=("${CANARY_FILE}" "${CANARY_LATEST_FILE}" "${CANARY_BODY_FILE}")
  local SIGS=("${SIG_FILE_PREFIX}"?"${SIG_FILE_EXT}")
  local RM_FILES=( "${SIGS[@]}" "${RM_FILES[@]}" )
  for RM_FILE in ${RM_FILES[@]}; do
    $RM_B -f "${RM_FILE}"
  done
 }

 ## Start

 # Be sure we are starting cleanly
 clean

 # Fetch the full canary file from spideroak into `CANARY_FILE`
 $CURL_B -S -s "https://spideroak.com/canary" -o "${CANARY_FILE}"

 # Get just the most recent canary into `CANARY_LATEST_FILE`
 $CAT_B "${CANARY_FILE}" | $AWK_B 'BEGIN { FS="\n" } { if ( $1 == "-----CANARY UPDATE SEPARATOR-----" ) { exit }; print; }' > "${CANARY_LATEST_FILE}"

 # Parse the `CANARY_LATEST_FILE` for the signed body into `CANARY_BODY_FILE`
 $CAT_B "${CANARY_LATEST_FILE}" | $AWK_B 'BEGIN { FS="\n" } { if ( $1 == "-----BEGIN PGP SIGNATURE-----" ) { exit }; print; }' > "${CANARY_BODY_FILE}"

 # Parse the `CANARY_LATEST_FILE` for all signature blocks and save them as `SIG_FILE_PREFIX`N`SIG_FILE_EXT`
 $CAT_B "${CANARY_LATEST_FILE}" | $AWK_B 'BEGIN { FS="\n" } { if ( $1 == "-----CANARY UPDATE SEPARATOR-----" ) { exit }; print; }' | $AWK_B "BEGIN { FS=\"\n\"; n=0; r=0} { if ( \$1 == \"-----BEGIN PGP SIGNATURE-----\" ) { n=1; ++r; f=\"${SIG_FILE_PREFIX}\"r\"${SIG_FILE_EXT}\"; print>f; next }; if (n == 1) { print>f; }; if ( \$1 == \"-----BEGIN PGP SIGNATURE-----\") { n=0; }; next };"

 # Validate the `CANARY_BODY_FILE` with each `SIG_FILE_PREFIX`N`SIG_FILE_EXT` signature
 SIGS=("${SIG_FILE_PREFIX}"?"${SIG_FILE_EXT}")
 for SIG in ${SIGS[@]}; do
  $GPG_B --verify "$SIG" "${CANARY_BODY_FILE}"
 done

 # Clean up after ourselves
 clean
	#!/bin/bash
	#
	# spideroak.sh
	#
	# A bash script to download and verify spideroak.com's warrant canary file.
	# Requires GnuPG to be installed ( https://gpgtools.org https://www.gnupg.org )
	#
	# by Levi Brown
	# [email protected]
	# December 9, 2016
	# Your constructive comments and feedback are always welcome.
	# This work is licensed via the Creative Commons Attribution 4.0 International
	# https://creativecommons.org/licenses/by/4.0/
	##

	DEBUG=${DEBUG:-0}
	export DEBUG

	set -eu
	[ $DEBUG -ne 0 ] && set -x

	## Config
	CANARY_FILE="spideroak_canary.txt"
	CANARY_LATEST_FILE="spideroak_canary_latest.txt"
	CANARY_BODY_FILE="spideroak_canary_body.txt"
	SIG_FILE_PREFIX="spideroak_sig"
	SIG_FILE_EXT=".asc"

	# Fully qualified binaries (_B suffix to prevent collisions)
	AWK_B="/usr/bin/awk"
	CAT_B="/bin/cat"
	CURL_B="/usr/bin/curl"
	LS_B="/bin/ls"
	GPG_B="/usr/local/bin/gpg"
	RM_B="/bin/rm"

	## Functions
	function clean()
	{
	local RM_FILES=("${CANARY_FILE}" "${CANARY_LATEST_FILE}" "${CANARY_BODY_FILE}")
	local SIGS=("${SIG_FILE_PREFIX}"?"${SIG_FILE_EXT}")
	local RM_FILES=( "${SIGS[@]}" "${RM_FILES[@]}" )
	for RM_FILE in ${RM_FILES[@]}; do
	$RM_B -f "${RM_FILE}"
	done
	}

	## Start

	# Be sure we are starting cleanly
	clean

	# Fetch the full canary file from spideroak into `CANARY_FILE`
	$CURL_B -S -s "https://spideroak.com/canary" -o "${CANARY_FILE}"

	# Get just the most recent canary into `CANARY_LATEST_FILE`
	$CAT_B "${CANARY_FILE}" \| $AWK_B 'BEGIN { FS="\n" } { if ( $1 == "-----CANARY UPDATE SEPARATOR-----" ) { exit }; print; }' > "${CANARY_LATEST_FILE}"

	# Parse the `CANARY_LATEST_FILE` for the signed body into `CANARY_BODY_FILE`
	$CAT_B "${CANARY_LATEST_FILE}" \| $AWK_B 'BEGIN { FS="\n" } { if ( $1 == "-----BEGIN PGP SIGNATURE-----" ) { exit }; print; }' > "${CANARY_BODY_FILE}"

	# Parse the `CANARY_LATEST_FILE` for all signature blocks and save them as `SIG_FILE_PREFIX`N`SIG_FILE_EXT`
	$CAT_B "${CANARY_LATEST_FILE}" \| $AWK_B 'BEGIN { FS="\n" } { if ( $1 == "-----CANARY UPDATE SEPARATOR-----" ) { exit }; print; }' \| $AWK_B "BEGIN { FS=\"\n\"; n=0; r=0} { if ( \$1 == \"-----BEGIN PGP SIGNATURE-----\" ) { n=1; ++r; f=\"${SIG_FILE_PREFIX}\"r\"${SIG_FILE_EXT}\"; print>f; next }; if (n == 1) { print>f; }; if ( \$1 == \"-----BEGIN PGP SIGNATURE-----\") { n=0; }; next };"

	# Validate the `CANARY_BODY_FILE` with each `SIG_FILE_PREFIX`N`SIG_FILE_EXT` signature
	SIGS=("${SIG_FILE_PREFIX}"?"${SIG_FILE_EXT}")
	for SIG in ${SIGS[@]}; do
	$GPG_B --verify "$SIG" "${CANARY_BODY_FILE}"
	done

	# Clean up after ourselves
	clean