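#!/bin/bash
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Verifies a detached GPG signature over an image file.
#
# Usage: [--allow-dev|-d] <image file> <sig file>
#
# The check runs against a throw-away keyring that holds only the keys
# imported below from /usr/share/google-key: prod.key always, dev.key only
# when --allow-dev is given. `gpg --verify` accepts a good signature from any
# key in the keyring, so the set of imported keys is the whole trust decision.
#
# Exit status: that of the final `gpg --verify` (0 = signature accepted),
# 2 on usage errors, otherwise the status of the step that failed.

# Prints the usage line to stderr and exits with status 2.
help_out() {
  # ARG0 is not assigned anywhere in this script; honour it when the caller
  # exported it and fall back to $0 so the usage line always names a program.
  echo "${ARG0:-$0} [--allow-dev] <image file> <sig file>" >&2
  exit 2
}

# The -o/-l form assumes the enhanced (util-linux) getopt, which emits its
# result shell-quoted; eval therefore re-parses getopt's output, never the
# raw command-line arguments.
opts="$(getopt -o 'd' -l 'allow-dev' -- "$@")" || exit
dev=
eval set -- "$opts"
while true; do
  case "$1" in
    --allow-dev|-d)
      dev=1
      shift
      ;;
    --)
      shift
      break
      ;;
    *)
      echo "Bad option: $1" >&2
      help_out
      ;;
  esac
done

# `${1?msg}` makes a non-interactive shell exit on its own, so a trailing
# `|| help_out` is never reached; check the argument count explicitly so the
# usage text and exit status 2 are actually produced.
if [ "$#" -lt 1 ]; then
  echo "Missing image file" >&2
  help_out
fi
if [ "$#" -lt 2 ]; then
  echo "Missing sig file" >&2
  help_out
fi
image_file="$1"
sig_file="$2"

# gnupg needs a home directory even though we don't want to persist any
# information. We always make a new temporary directory for this.
# GNUPGHOME is emptied before the trap is installed so that a value inherited
# from the caller's environment can never be the directory cleanup deletes.
GNUPGHOME=
cleanup() {
  if [ -n "$GNUPGHOME" ]; then
    rm -rf -- "$GNUPGHOME"
  fi
}
# Clean up once, on exit only. An ERR or INT handler that merely ran cleanup
# would delete the keyring and let the script carry on without it; SIGINT now
# terminates the script, and the EXIT trap removes the directory.
trap cleanup EXIT
trap 'exit 130' INT
GNUPGHOME="$(mktemp -d)" || exit
export GNUPGHOME

# Runs gpg non-interactively (--batch, --no-tty).
# --allow-non-selfsigned-uid lets gpg accept keys whose user IDs carry no
# self-signature; presumably the shipped key files need this -- confirm.
gpg() {
  command gpg --batch --allow-non-selfsigned-uid --no-tty "$@"
}

# Imports /usr/share/google-key/<name>.key into the temporary keyring.
# Arguments: $1 - key name (only "prod" and "dev" are used below)
import_key() {
  gpg --import "/usr/share/google-key/$1.key"
}

# Fail closed: stop as soon as an expected key cannot be imported rather
# than verifying against a keyring that holds fewer keys than intended.
if ! import_key prod; then
  echo "Failed to import prod key" >&2
  exit 1
fi
if [ -n "$dev" ]; then
  if ! import_key dev; then
    echo "Failed to import dev key" >&2
    exit 1
  fi
fi

# `--` keeps a file name that starts with '-' from being parsed as a gpg
# option. --ignore-time-conflict makes gpg tolerate a signature dated before
# its key; presumably for hosts without a reliable clock -- confirm.
gpg --verify --ignore-time-conflict -- "$sig_file" "$image_file"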