Commit Graph

12 Commits

Author SHA1 Message Date
Oliver Gugger
591954ff61
scripts: detect whether sha256sum or shasum is available
The shasum command isn't available in Alpine linux while the sha256sum
command isn't available on MacOS. We add a simple switch that tries to
detect which one is available.
2021-02-17 18:11:42 +01:00
Conner Fromknecht
95eadfee2f
scripts/verify-install.sh: combine final SUCCESS logs 2021-02-15 10:00:42 -08:00
Conner Fromknecht
c03f95a63b
scripts/verify-install: bump min required signatures to 5 2021-02-15 09:59:59 -08:00
Oliver Gugger
85c42b0b79
scripts: add more verbose error messages to verification
We want to be more precise in what exactly went wrong and what the cause
could be.
2021-02-15 10:47:46 +01:00
Oliver Gugger
99ba272822
docs+scripts: switch to detached signatures
Due to a misunderstanding of how the gpg command line options work, we
didn't actually create detached signatures because the --clear-sign
flag would overwrite that. We update our verification script to now only
download the detached signatures and verify them against the main
manifest file.
We also update the signing instructions.
2021-02-15 10:33:20 +01:00
Oliver Gugger
132d23c964
scripts: verify hash length
To make sure we've actually calculated the hash correctly, we make sure
it's 64 characters long.
2021-02-15 10:26:17 +01:00
Oliver Gugger
644424296b
scripts: use shasum instead of sha256sum
Because the sha256sum binary isn't available on MacOS we instead use the
shasum -a 256 command that was used before.
2021-02-15 10:26:15 +01:00
Oliver Gugger
aca93199cf
scripts: allow verification of custom binary
Instead of only allowing the installed versions of lnd and lncli to be
verified, we now also support specifying explicit paths to binaries that
we want to verify.
2021-02-12 13:22:13 +01:00
Oliver Gugger
688a8045f0
Merge pull request from guggero/verify-no-key-fix
scripts: don't fail signature verification on missing public key
2021-01-28 14:52:22 +01:00
Oliver Gugger
734441d6c0
scripts: don't fail on missing public key
When verifying the release signatures, we don't want to fail if a
signer's signature is not available in the gpg key ring. Instead we just
don't want to count the signature for now and still succeed if there's
at least one other good sig with a known key.
2021-01-27 11:12:04 +01:00
Johan T. Halseth
991e077bf3
scripts: add halseth key to verify script 2021-01-27 10:43:32 +01:00
Oliver Gugger
97a141e7af
docker: add verification script to production image
The verification script makes sure the hashes of the binaries inside of
a docker image match those of an official release.
The script first downloads all signatures, validates them, then compares
the hashes of the installed binaries to those contained in the detached
signature files.
2021-01-14 21:48:32 +01:00