2 # Script to perform verified file downloads.
4 # 0 - File downloaded successfully and verified
5 # 1 - Failed to download requested file
6 # 2 - Failed to download sha256sums file
7 # 3 - Failed to download sha256sums.gpg file
8 # 4 - GnuPG is available but fails to verify the signature (missing pubkey, file integrity error, ...)
9 # 5 - The checksums do not match
10 # 6 - Unable to copy the requested file to its final destination
11 # 254 - The script got interrupted by a signal
12 # 255 - A suitable download or checksum utility is missing
15 echo "Usage: $0 <url>" >&2
20 [ -e "/tmp/verify.$$" ] && {
22 rm -r "/tmp/verify.$$"
27 trap "finish 254" INT TERM
31 image_file
="${image_url##*/}"
32 sha256_url
="${image_url%/*}/sha256sums"
33 gpgsig_url
="${image_url%/*}/sha256sums.gpg"
34 keyserver_url
="hkp://pool.sks-keyservers.net"
36 # Find a suitable download utility
37 if which curl
>/dev
/null
; then
38 download
() { curl
--progress-bar -o "$1" "$2"; }
39 elif which wget
>/dev
/null
; then
40 download
() { wget
-O "$1" "$2"; }
41 elif which fetch
>/dev
/null
; then
42 download
() { fetch
-o "$1" "$2"; }
44 echo "No suitable download utility found, cannot download files!" >&2
48 # Find a suitable checksum utility
49 if which sha256sum
>/dev
/null
; then
50 checksum
() { sha256sum
-c --ignore-missing "sha256sums"; }
51 elif which shasum
>/dev
/null
; then
53 local sum="$(shasum -a 256 "$image_file")";
54 grep -xF "${sum%% *} *$image_file" "sha256sums";
57 echo "No SHA256 checksum executable installed, cannot verify checksums!" >&2
61 # Check for gpg availability
62 if which gpg
>/dev
/null
; then
63 runpgp
() { gpg
"$@"; }
66 echo "WARNING: No GnuPG installed, cannot verify digital signature!" >&2
71 mkdir
-p "/tmp/verify.$$"
75 echo "1) Downloading image file"
76 echo "========================="
77 download
"$image_file" "$image_url" ||
{
78 echo "Failed to download image file!" >&2
83 echo "2) Downloading checksum file"
84 echo "============================"
85 download
"sha256sums" "$sha256_url" ||
{
86 echo "Failed to download checksum file!" >&2
91 echo "3) Downloading the GPG signature"
92 echo "================================"
93 download
"sha256sums.gpg" "$gpgsig_url" ||
{
94 echo "Failed to download GPG signature!" >&2
99 echo "4) Verifying GPG signature"
100 echo "=========================="
101 missing_key
=$
(runpgp
--status-fd 1 --with-fingerprint --verify \
102 "sha256sums.gpg" "sha256sums" 2>/dev
/null |
sed -ne 's!^.* NO_PUBKEY !!p')
104 if [ -n "$missing_key" ]; then
105 echo "The signature was signed by a public key with the id $missing_key" >&2
106 echo "which is not present on this system." >&2
109 echo "Provide a public keyserver url below or press enter to accept the" >&2
110 echo "default suggestion. Hit Ctrl-C to abort the operation." >&2
114 printf "Keyserver to use? [$keyserver_url] > "
115 read url
; case "${url:-$keyserver_url}" in
117 gpg
--keyserver "${url:-$keyserver_url}" --recv-keys "$missing_key" ||
{
118 echo "Failed to download public key." >&2
124 echo "Expecting a key server url in the form 'hkp://hostname'." >&2
130 runpgp
--with-fingerprint --verify "sha256sums.gpg" "sha256sums" ||
{
131 echo "Failed to verify checksum file with GPG signature!" >&2
136 echo "5) Verifying SHA256 checksum"
137 echo "============================"
139 echo "Checksums do not match!" >&2
143 cp "$image_file" "$destdir/$image_file" ||
{
144 echo "Failed to write '$destdir/$image_file'" >&2
149 echo "Verification done!"
150 echo "=================="
151 echo "Firmware image placed in '$destdir/$image_file'."