Merge pull request #2155 from coolcottontail/verify_binary

updated node.sh to verify the downloaded harmony binarnies
5 years ago · c5d51951c1
parent e0aaa6b0b1 3117c93179
commit c5d51951c1
1 changed files with 30 additions and 0 deletions
--- a/scripts/node.sh
+++ b/scripts/node.sh
@ -324,6 +324,20 @@ verify_checksum() {
   return 0
 }

+verify_signature() {
+   local dir file 
+   dir="${1}"
+   file="${dir}/${2}"
+   sigfile="${dir}/${2}.sig"
+
+   result=$(openssl dgst -sha256 -verify "${outdir}/harmony_pubkey.pem" -signature "${sigfile}" "${file}" 2>&1)
+   echo ${result}
+   if  [[ ${result} != "Verified OK" ]]; then
+	   return 1
+   fi
+   return 0
+}
+
 download_binaries() {
   local outdir status
   ${do_not_download} && return 0
@ -339,6 +353,17 @@ download_binaries() {
         return ${status}
         ;;
      esac
+
+      curl -sSf http://${BUCKET}.s3.amazonaws.com/${FOLDER}${bin}.sig -o "${outdir}/${bin}.sig" || status=$?
+      case "${status}" in
+      0) ;;
+      *)
+         msg "cannot download ${bin}.sig (status ${status})"
+         return ${status}
+         ;;
+      esac
+
+      verify_signature "${outdir}" "${bin}" || return $?
      verify_checksum "${outdir}" "${bin}" md5sum.txt || return $?
      msg "downloaded ${bin}"
   done
@ -442,6 +467,11 @@ any_new_binaries() {
   ${do_not_download} && return 0
   outdir="${1}"
   mkdir -p "${outdir}"
+   curl -L https://harmony.one/pubkey -o "${outdir}/harmony_pubkey.pem"
+   if ! grep -q "BEGIN\ PUBLIC\ KEY" "${outdir}/harmony_pubkey.pem"; then
+      msg "failed to downloaded harmony public signing key"
+      return 1
+   fi
   curl -sSf http://${BUCKET}.s3.amazonaws.com/${FOLDER}md5sum.txt -o "${outdir}/md5sum.txt.new" || return $?
   if diff $outdir/md5sum.txt.new md5sum.txt
   then