| author | Markus Pettersson <markus.pettersson@mullvad.net> | 2025-03-26 10:38:20 +0100 |
|---|---|---|
| committer | Markus Pettersson <markus.pettersson@mullvad.net> | 2025-03-26 10:38:20 +0100 |
| commit | 5a853f4799974f85bef6112407582355e43fae0d (patch) | |
| tree | eb0ad6f53589718412b8c52ed5f481b318eac181 /desktop/scripts | |
| parent | 0a0aaca1e151258a9961d20f9b28c2ce0bb8a25a (diff) | |
| parent | 093fbcd7a5e3bfe1abfb1233006cb1034ca69e7a (diff) | |
Merge branch 'tighten-gpg-verify-check-in-4-make-release-script-des-1913'
Diffstat (limited to 'desktop/scripts')
| -rwxr-xr-x | desktop/scripts/release/download-release-artifacts | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/desktop/scripts/release/download-release-artifacts b/desktop/scripts/release/download-release-artifacts
index b6444cbd66..8e8a77f0ad 100755
--- a/desktop/scripts/release/download-release-artifacts
+++ b/desktop/scripts/release/download-release-artifacts
@@ -21,8 +21,8 @@ URL_BASE="https://releases.mullvad.net/desktop/releases"
 mkdir -p $ARTIFACT_DIR
-# Find GnuPG command to use. Prefer gpg2
-gpg_cmd=$(command -v gpg2 || command -v gpg)
+# The signer key file "mullvad-code-signing-key.asc" is expected to exist in the current working directory.
+SIGNER_KEY_FILE="./mullvad-code-signing-key.asc"
 for ext in .exe _arm64.exe _x64.exe _amd64.deb _arm64.deb _x86_64.rpm _aarch64.rpm .pkg; do
 pkg_filename="MullvadVPN-${PRODUCT_VERSION}${ext}"
@@ -45,7 +45,9 @@ for ext in .exe _arm64.exe _x64.exe _amd64.deb _arm64.deb _x86_64.rpm _aarch64.r
 echo ""
 echo ">>> Verifying integrity of $pkg_filename"
- if ! $gpg_cmd --verify "$pkg_path.asc" "$pkg_path"; then
+ # We prefer sqv for PGP key verification as it a strict and easy-to-use implementation of PGP.
+ # gpg is also not suitable for use in scripting.
+ if ! sqv --keyring "$SIGNER_KEY_FILE" "$pkg_path.asc" "$pkg_path"; then
 echo ""
 echo "!!! INTEGRITY CHECKING FAILED !!!"
 rm "$pkg_path" "$pkg_path.asc" |
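Review bot: `SIGNER_KEY_FILE="./mullvad-code-signing-key.asc"` takes the trust anchor for every later signature check from whatever directory the script is started in, so the outcome of verification depends on the caller's working directory, and any file of that name found there is treated as the signer key. Resolving the path from a fixed location (for example the script's own directory, if the key is kept there) and checking it once before the loop would make the dependency explicit: `[ -r "$SIGNER_KEY_FILE" ] || { echo "Missing signer key: $SIGNER_KEY_FILE" >&2; exit 1; }`. Comparing the key's fingerprint against a value pinned in the script would additionally tie the check to the intended key rather than to a file name. Whether an earlier `cd` fixes the working directory is not visible from this hunk.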
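Review bot: The new `if ! sqv --keyring "$SIGNER_KEY_FILE" ...` test cannot tell a bad signature from a missing `sqv` binary or an unreadable key file; all three land in the branch that prints "INTEGRITY CHECKING FAILED" and removes the download. Failing closed is the right default, but the up-front lookup of the verifier binary was removed in the first hunk without a replacement, so a preflight before the loop such as `command -v sqv >/dev/null || { echo "sqv is required" >&2; exit 1; }` would keep a tooling problem from being reported as tampering. The added comment would read more accurately as `# We prefer sqv for PGP signature verification as it is a strict and easy-to-use implementation.`. The `if` block and the enclosing `for` loop continue past the end of the hunk.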
