path: root/desktop/scripts/release/download-release-artifacts
blob: 4a83ac672f10cc2af1f596985b2a7111e7727444 (plain)
#!/usr/bin/env bash

# This script downloads the build artifacts along with the signatures, and verifies them.

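# -e: abort on any unhandled failure.
# -u: abort on unset variables; this includes the MULLVAD_CODE_SIGNING_KEY_* settings,
#     which are not assigned in this script (presumably by release-config.sh - confirm).
# pipefail: a failing stage inside a pipeline fails the pipeline, so an error from `sq`
#     below is not masked by a successful `awk`.
set -euo pipefail

SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
# Everything below runs from the script's own directory, so a relative
# <artifact download directory> is resolved against it, not against the caller's cwd.
cd "$SCRIPT_DIR"

if [ $# -ne 2 ]; then
    echo "Please provide the following arguments:"
    echo "    $(basename "$0") \\"
    echo "        <product version> \\"
    echo "        <artifact download directory> "
    exit 1
fi

# The app version to download
PRODUCT_VERSION=$1
# The directory where the artifacts will be downloaded to
ARTIFACT_DIR=$2

URL_BASE="https://releases.mullvad.net/desktop/releases"

# shellcheck source-path=desktop/scripts/release
source ./release-config.sh

mkdir -p "$ARTIFACT_DIR"

# Pin the trust anchor before using it: the keyring file handed to sqv below must contain
# exactly the expected signing key. The comparison is made against the whole awk output,
# so a keyring that lists more than one line does not match a single expected fingerprint.
# An empty result is rejected explicitly so that an empty expected value can never
# compare equal to "nothing was listed".
fingerprint_in_file=$(sq keyring list "$MULLVAD_CODE_SIGNING_KEY_PATH" | awk '{print $2}')
if [ -z "$fingerprint_in_file" ] ||
    [ "$fingerprint_in_file" != "$MULLVAD_CODE_SIGNING_KEY_FINGERPRINT" ]; then
    echo "!!! SIGNING KEY FINGERPRINT MISMATCH !!!" >&2
    echo "    keyring:  $MULLVAD_CODE_SIGNING_KEY_PATH" >&2
    echo "    found:    ${fingerprint_in_file:-<none>}" >&2
    echo "    expected: $MULLVAD_CODE_SIGNING_KEY_FINGERPRINT" >&2
    exit 1
fi

for ext in .exe _arm64.exe _x64.exe _amd64.deb _arm64.deb _x86_64.rpm _aarch64.rpm .pkg; do
    pkg_filename="MullvadVPN-${PRODUCT_VERSION}${ext}"
    pkg_path="$ARTIFACT_DIR/$pkg_filename"
    url="$URL_BASE/$PRODUCT_VERSION/$pkg_filename"

    # A file already present in the download directory is reused instead of being fetched
    # again. Reuse does not imply trust: the sqv check below runs on every iteration,
    # whether the file was just downloaded or found on disk (e.g. a truncated leftover
    # from an interrupted run), and a file that fails it is deleted.
    if [ -f "$pkg_path" ]; then
        echo ">>> Using existing file: $pkg_filename"
    else
        echo ">>> Downloading $pkg_filename - $url"
        curl -o "$pkg_path" --progress-bar --fail "$url"
    fi

    if [ -f "$pkg_path.asc" ]; then
        echo ">>> Using existing file: $pkg_filename.asc"
    else
        echo ">>> Downloading $pkg_filename.asc - $url.asc"
        curl -o "$pkg_path.asc" --progress-bar --fail "$url.asc"
    fi

    echo ""
    echo ">>> Verifying integrity of $pkg_filename"
    # We prefer sqv for PGP key verification as it is a strict and easy-to-use implementation
    # of PGP. gpg is also not suitable for use in scripting.
    if ! sqv --keyring "$MULLVAD_CODE_SIGNING_KEY_PATH" "$pkg_path.asc" "$pkg_path"; then
        echo ""
        echo "!!! INTEGRITY CHECKING FAILED !!!"
        # Remove both files so an artifact that failed verification is not left in the
        # download directory. `--` keeps a path starting with '-' from being parsed as an
        # option, and -f avoids aborting on an already-missing file before the exit below.
        rm -f -- "$pkg_path" "$pkg_path.asc"
        exit 1
    fi
    echo ""
    echo "GOOD SIGNATURE FOR $pkg_filename"
    echo ""
done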