@sethforprivacy
Last active June 5, 2024 22:43
Bash script that downloads and verifies the latest Linux x64/x86 binaries.
#!/bin/bash
# Download binaryfate's GPG key
wget -q -O binaryfate.asc https://raw.githubusercontent.com/monero-project/monero/master/utils/gpg_keys/binaryfate.asc
# Verify binaryfate's GPG key
echo "1. Verify binaryfate's GPG key: "
gpg --keyid-format long --with-fingerprint binaryfate.asc
# Prompt user to confirm the key matches that posted on https://src.getmonero.org/resources/user-guides/verification-allos-advanced.html
echo
read -p "Does the above output match https://src.getmonero.org/resources/user-guides/verification-allos-advanced.html? " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]
then
    # Import binaryfate's GPG key
    echo
    echo "----------------------------"
    echo "2. Import binaryfate's GPG key"
    gpg --import binaryfate.asc
else
    # Without a confirmed key there is nothing trustworthy to verify hashes.txt against
    echo "Key not confirmed; aborting."
    exit 1
fi
# Delete stale .bz2 Monero downloads (-f: no error if none are present)
rm -f monero-linux-x64-*.tar.bz2
# Download hashes.txt
wget -q -O hashes.txt https://getmonero.org/downloads/hashes.txt
# Verify hashes.txt and stop if its signature does not check out
echo
echo "--------------------"
echo "3. Verify hashes.txt"
if ! gpg --verify hashes.txt
then
    echo -e "\e[31mDANGER: hashes.txt signature did not verify; aborting\e[0m"
    exit 1
fi
# Download latest 64-bit binaries
echo
echo "-------------------------------------"
echo "4. Download latest Linux binaries"
echo "Downloading..."
wget -q --content-disposition https://downloads.getmonero.org/cli/linux64
# Verify shasum of downloaded binaries
# The conditional tests shasum's own exit status: -s keeps it silent,
# --ignore-missing skips entries in hashes.txt for files that were not downloaded
echo
echo "---------------------------------------"
echo "5. Verify hashes of downloaded binaries"
if shasum -a 256 -c hashes.txt -s --ignore-missing
then
    echo
    echo "Success: The downloaded binaries verified properly!"
else
    echo
    echo -e "\e[31mDANGER: The downloaded binaries have been tampered with or corrupted\e[0m"
    rm -f monero-linux-x64-*.tar.bz2
    exit 1
fi
@w3irdrobot

w3irdrobot commented Jan 1, 2021

I'm not sure the hash checking is doing what you think it does. I think it could be improved by making the conditional on line 42 into

if shasum -a 256 -c hashes.txt -s --ignore-missing

@sethforprivacy
Author

How would you propose implementing that?

The current version does properly verify that the hash of the file is in hashes.txt, and errors out if not.

@w3irdrobot

I am just suggesting you use what I put above. If I'm reading your code right, it's not necessarily validating that the hash you generate is equal to the one you made the SHA of. You're just checking that the SHA is in the file. Using shasum to check actually validates that the hash on a line matches the SHA sum of the file that is on the same line.

@sethforprivacy
Author

sethforprivacy commented Jan 4, 2021

Running that command when I've forced the SHA hash to not match does not change output at all, as you're just ignoring missing files.

Did you mean to have it be something like:

shasum -a 256 -c hashes.txt --ignore-missing | grep 'FAILED' | wc -l

If I replace line 42 with if shasum -a 256 -c hashes.txt --ignore-missing | grep 'FAILED' | wc -l, I get the following output which works properly:

---------------------------------------
5. Verify hashes of downloaded binaries
shasum: WARNING: 19 lines are improperly formatted
0

Success: The downloaded binaries verified properly!

@w3irdrobot

The --ignore-missing is there because you're only downloading one tar. If you had them all, then you wouldn't need it. The -s causes it to be silent but still output a non-zero exit code on failure. This allows your conditional to still function correctly without polluting the terminal output. What you're suggesting looks like it would work as well, but it would probably still output a number and may cause your conditional to always pass, since I believe that wc will give you a positive exit code no matter what you do. So that conditional will actually not be good at all now that I'm thinking about it, because I think it will always pass.

@sethforprivacy
Author

Thanks, that makes sense to me after taking a deeper look at how shasum works 👍

Made the change!

@sMtzDczDq

shasum was missing from debian 11 in my case. Installing libdigest-sha-perl solves this.
