scripts/verify-install: bump min required signatures to 5

2021-02-12 12:24:51 -08:00 · 2021-02-12 12:24:51 -08:00 · c03f95a63b
commit c03f95a63b
parent 12182d0fc9
1 changed files with 16 additions and 9 deletions
--- a/scripts/verify-install.sh
+++ b/scripts/verify-install.sh
@ -172,6 +172,22 @@ for signature in $SIGNATURES; do
  ((NUM_CHECKS=NUM_CHECKS+1))
 done

+# We want at least five signatures (out of seven public keys) that sign the
+# hashes of the binaries we have installed. If we arrive here without exiting,
+# it means no signature manifests were uploaded (yet) with the correct naming
+# pattern.
+MIN_REQUIRED_SIGNATURES=5
+if [[ $NUM_CHECKS -lt $MIN_REQUIRED_SIGNATURES ]]; then
+  echo "ERROR: Not enough valid signatures found!"
+  echo "  Valid signatures found: $NUM_CHECKS"
+  echo "  Valid signatures required: $MIN_REQUIRED_SIGNATURES"
+  echo
+  echo "  Make sure the release $LND_VERSION contains the required "
+  echo "  number of signatures on the manifest, or wait until more "
+  echo "  signatures have been added to the release."
+  exit 1
+fi
+
 # Then make sure that the hash of the installed binaries can be found in the
 # manifest that we now have verified the signatures for.
 if ! grep -q "^$LND_SUM" "$MANIFEST"; then
@ -195,14 +211,5 @@ fi
 echo ""
 echo "Verified lnd and lncli hashes against $MANIFEST"

-# We want at least one signature that signs the hashes of the binaries we have
-# installed. If we arrive here without exiting, it means no signature manifests
-# were uploaded (yet) with the correct naming pattern.
-if [[ $NUM_CHECKS -lt 1 ]]; then
-  echo "ERROR: No valid signatures found!"
-  echo "Make sure the release $LND_VERSION contains any signatures for the manifest."
-  exit 1
-fi
-
 echo ""
 echo "SUCCESS! Verified lnd and lncli against $NUM_CHECKS developer signature(s)."