blob: aec0fbfe3e36f0ef2df994f1155ac67c08e99e29 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
|
#!/usr/bin/env bash
# This script downloads the build artifacts along with the signatures, and verifies them.
set -eu
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
cd "$SCRIPT_DIR"
if [ $# -ne 2 ]; then
echo "Please provide the following arguments:"
echo " $(basename "$0") \\"
echo " <product version> \\"
echo " <artifact download directory> "
exit 1
fi
# The app version to download
PRODUCT_VERSION=$1
# The directory where the artifacts will be downloaded to
ARTIFACT_DIR=$2
URL_BASE="https://releases.mullvad.net/desktop/releases"
mkdir -p "$ARTIFACT_DIR"
# The signer key file "mullvad-code-signing-key.asc" is expected to exist in the current working directory.
SIGNER_KEY_FILE="./mullvad-code-signing-key.asc"
for ext in .exe _arm64.exe _x64.exe _amd64.deb _arm64.deb _x86_64.rpm _aarch64.rpm .pkg; do
pkg_filename="MullvadVPN-${PRODUCT_VERSION}${ext}"
pkg_path="$ARTIFACT_DIR/$pkg_filename"
url="$URL_BASE/$PRODUCT_VERSION/$pkg_filename"
if [ -f "$pkg_path" ]; then
echo ">>> Using existing file: $pkg_filename"
else
echo ">>> Downloading $pkg_filename - $url"
curl -o "$pkg_path" --progress-bar --fail "$url"
fi
if [ -f "$pkg_path.asc" ]; then
echo ">>> Using existing file: $pkg_filename.asc"
else
echo ">>> Downloading $pkg_filename.asc - $url.asc"
curl -o "$pkg_path.asc" --progress-bar --fail "$url.asc"
fi
echo ""
echo ">>> Verifying integrity of $pkg_filename"
# We prefer sqv for PGP key verification as it a strict and easy-to-use implementation of PGP.
# gpg is also not suitable for use in scripting.
if ! sqv --keyring "$SIGNER_KEY_FILE" "$pkg_path.asc" "$pkg_path"; then
echo ""
echo "!!! INTEGRITY CHECKING FAILED !!!"
rm "$pkg_path" "$pkg_path.asc"
exit 1
fi
echo ""
echo "GOOD SIGNATURE FOR $pkg_filename"
echo ""
done
|
