#!/usr/bin/env bash # This script downloads the build artifacts along with the signatures, and verifies them. set -eu SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" cd "$SCRIPT_DIR" if [ $# -ne 2 ]; then echo "Please provide the following arguments:" echo " $(basename "$0") \\" echo " \\" echo " " exit 1 fi # The app version to download PRODUCT_VERSION=$1 # The directory where the artifacts will be downloaded to ARTIFACT_DIR=$2 URL_BASE="https://releases.mullvad.net/desktop/releases" # shellcheck source-path=desktop/scripts/release source ./release-config.sh mkdir -p "$ARTIFACT_DIR" fingerprint_in_file=$(sq keyring list "$MULLVAD_CODE_SIGNING_KEY_PATH" | awk '{print $2}') test "$fingerprint_in_file" = "$MULLVAD_CODE_SIGNING_KEY_FINGERPRINT" for ext in .exe _arm64.exe _x64.exe _amd64.deb _arm64.deb _x86_64.rpm _aarch64.rpm .pkg; do pkg_filename="MullvadVPN-${PRODUCT_VERSION}${ext}" pkg_path="$ARTIFACT_DIR/$pkg_filename" url="$URL_BASE/$PRODUCT_VERSION/$pkg_filename" if [ -f "$pkg_path" ]; then echo ">>> Using existing file: $pkg_filename" else echo ">>> Downloading $pkg_filename - $url" curl -o "$pkg_path" --progress-bar --fail "$url" fi if [ -f "$pkg_path.asc" ]; then echo ">>> Using existing file: $pkg_filename.asc" else echo ">>> Downloading $pkg_filename.asc - $url.asc" curl -o "$pkg_path.asc" --progress-bar --fail "$url.asc" fi echo "" echo ">>> Verifying integrity of $pkg_filename" # We prefer sqv for PGP key verification as it a strict and easy-to-use implementation of PGP. # gpg is also not suitable for use in scripting. if ! sqv --keyring "$MULLVAD_CODE_SIGNING_KEY_PATH" "$pkg_path.asc" "$pkg_path"; then echo "" echo "!!! INTEGRITY CHECKING FAILED !!!" rm "$pkg_path" "$pkg_path.asc" exit 1 fi echo "" echo "GOOD SIGNATURE FOR $pkg_filename" echo "" done