-
Notifications
You must be signed in to change notification settings - Fork 394
223 lines (217 loc) · 10.5 KB
/
hashes.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
---
name: Validate Hashes
on:
push:
paths:
- 'downloads/hashes.txt'
- '_data/downloads.yml'
- '_data/contributing.yml'
pull_request:
paths:
- 'downloads/hashes.txt'
- '_data/downloads.yml'
- '_data/contributing.yml'
jobs:
validate-hashes:
name: Validate Hashes
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v2
- name: Install dependencies
run: |
sudo apt-get install -y --no-install-recommends curl gpg jq python3-pip zbar-tools
sudo pip3 install yq
- name: Verify hashes.txt + contributing.yml signature
run: |
curl -sL https://raw.githubusercontent.com/monero-project/monero/master/utils/gpg_keys/binaryfate.asc |
gpg --import
gpg --verify downloads/hashes.txt
# signed by myself for test purposes only.
curl -sL https://raw.githubusercontent.com/plowsof/pgp/refs/heads/main/plowsofsmol.asc |
gpg --import
gpg --verify _data/contributing.yml.asc
- name: Verify General Fund donation QR's
run: |
yaml="_data/contributing.yml"
get_yaml_value() {
awk -v key="$1:" '$1 == key {print $2}' "$yaml"
}
for coin in xmr btc; do
qr_checksum=$(get_yaml_value "qr_${coin}_checksum")
qr_filename=$(get_yaml_value "qr_${coin}_filename")
qr_content=$(get_yaml_value "qr_${coin}_content")
echo "DEBUG: $qr_checksum $qr_filename"
echo "DEBUG: $qr_content"
# Confirm hashes match
echo "$qr_checksum $qr_filename" | sha256sum -c
# Scan QR content
qr_scanned=$(zbarimg -q --raw "$qr_filename")
# Compare scanned content with expected content
if [ "$qr_scanned" = "$qr_content" ]; then
echo "${coin^^} QR code content matches exactly"
else
echo "${coin^^} QR code content does not match"
echo "Scanned: $qr_scanned"
echo "Expected: $qr_content"
exit 1
fi
done
- name: Verify filenames
run: |
lines="$(grep -v ^# downloads/hashes.txt)"
SAVEIFS=$IFS
IFS=$'\n'
lines=($lines)
IFS=$SAVEIFS
version_gui=$(awk '/monero-gui-source-v/ {print $2}' downloads/hashes.txt | awk -F".tar.bz2" '{print $1}' | awk -F"-" '{print $4}')
version_cli=$(awk '/monero-source-v/ {print $2}' downloads/hashes.txt | awk -F".tar.bz2" '{print $1}' | awk -F"-" '{print $3}')
filenames_cli=()
filenames_gui=()
get_filename(){
line=$1
the_line=($line)
length="${#the_line[@]}"
((length-=1))
filename="${the_line[$length]}"
echo "${filename}"
}
# expects cli files between lines 2-14 and gui 15-19 (comments do not count, 1st line = 0)
# to add a new file to the cli, $num must be -gt 1 and -lt 16.
# gui $num is now -gt 15 and -lt 21 (new line has been added above)
# a new gui file will only increase the -lt number by 1
# changes to extensions / new files must be reflected in the cli_files / gui_files lists below
num=0
for line in "${lines[@]}"; do
if [ $num -gt 1 ] && [ $num -lt 15 ] ; then
#CLI
filename=$(get_filename "${line}")
filenames_cli+=("${filename}")
elif [ $num -gt 14 ] && [ $num -lt 21 ] ; then
#GUI
filename=$(get_filename "${line}")
filenames_gui+=("${filename}")
fi
((num+=1))
done
# edit/add/remove filenames below
cli_files=(\
"monero-android-armv7-${version_cli}.tar.bz2" \
"monero-android-armv8-${version_cli}.tar.bz2" \
"monero-freebsd-x64-${version_cli}.tar.bz2" \
"monero-linux-armv7-${version_cli}.tar.bz2" \
"monero-linux-armv8-${version_cli}.tar.bz2" \
"monero-linux-riscv64-${version_cli}.tar.bz2" \
"monero-linux-x64-${version_cli}.tar.bz2" \
"monero-linux-x86-${version_cli}.tar.bz2" \
"monero-mac-armv8-${version_cli}.tar.bz2" \
"monero-mac-x64-${version_cli}.tar.bz2" \
"monero-win-x64-${version_cli}.zip" \
"monero-win-x86-${version_cli}.zip" \
"monero-source-${version_cli}.tar.bz2")
gui_files=(\
"monero-gui-install-win-x64-${version_gui}.exe" \
"monero-gui-linux-x64-${version_gui}.tar.bz2" \
"monero-gui-mac-x64-${version_gui}.dmg" \
"monero-gui-mac-armv8-${version_gui}.dmg" \
"monero-gui-win-x64-${version_gui}.zip" \
"monero-gui-source-${version_gui}.tar.bz2")
check_filenames(){
local -n file_list=$1
local -n hardcoded=$2
for f in "${file_list[@]}"; do
if [[ "${hardcoded[*]}" =~ "${f}" ]]; then
echo "Filename OK: ${f}"
else
echo "Filename BAD: ${f}"
exit 1
fi
done
}
check_filenames filenames_cli cli_files
check_filenames filenames_gui gui_files
- name: Download releases
run: |
for file in $(awk '/monero-/ {print $2}' downloads/hashes.txt); do
[ -f $file ] && continue
echo Downloading $file...
dir=cli
if [[ $file =~ gui ]]; then
dir=gui
fi
url=https://dlsrc.getmonero.org/${dir}/${file}
curl -sLO $url
done
- name: Verify hashes.txt hashes
run: |
grep monero- downloads/hashes.txt | sha256sum -c
- name: Verify downloads.yml hashes
run: |
yq -r '.[] | .[0].downloads[] | "\(.link)|\(.hash)"' _data/downloads.yml | grep -v github |
while read line; do
[ -z "$line" ] && continue
url=$(echo $line | cut -d'|' -f1)
hash=$(echo $line | cut -d'|' -f2)
filename=
case $url in
*gui/win64install) filename=monero-gui-install-win-x64 ;;
*gui/win64) filename=monero-gui-win-x64 ;;
*gui/mac64) filename=monero-gui-mac-x64 ;;
*gui/macarm8) filename=monero-gui-mac-armv8 ;;
*gui/linux64) filename=monero-gui-linux-x64 ;;
*gui/source) filename=monero-gui-source ;;
*cli/win64) filename=monero-win-x64 ;;
*cli/win32) filename=monero-win-x86 ;;
*cli/mac64) filename=monero-mac-x64 ;;
*cli/macarm8) filename=monero-mac-armv8 ;;
*cli/linux64) filename=monero-linux-x64 ;;
*cli/linux32) filename=monero-linux-x86 ;;
*cli/linuxarm8) filename=monero-linux-armv8 ;;
*cli/linuxarm7) filename=monero-linux-armv7 ;;
*cli/linuxriscv64) filename=monero-linux-riscv64 ;;
*cli/androidarm8) filename=monero-android-armv8 ;;
*cli/androidarm7) filename=monero-android-armv7 ;;
*cli/freebsd64) filename=monero-freebsd-x64 ;;
*cli/source) filename=monero-source ;;
*)
echo "Unknown url $url" >&2
exit 1
;;
esac
filename=$(awk "/${filename}/ {print \$2}" downloads/hashes.txt)
echo "$hash $filename" | sha256sum -c
done
- name: Validate source integrity
run: |
version_gui=$(awk '/monero-gui-source-v/ {print $2}' downloads/hashes.txt | awk -F".tar.bz2" '{print $1}' | awk -F"-" '{print $4}')
version_cli=$(awk '/monero-source-v/ {print $2}' downloads/hashes.txt | awk -F".tar.bz2" '{print $1}' | awk -F"-" '{print $3}')
echo -e "\n--> GUI version: $version_gui \n--> CLI version: $version_cli"
mkdir validate_sources
cd validate_sources
# Download / verify git-archive-all.sh
curl -O https://raw.githubusercontent.com/fabacab/git-archive-all.sh/fc86194f00b678438f9210859597f6eead28e765/git-archive-all.sh
echo "db62e9a824866989c9d080f008ec06d81421cf94bed3762acba3b9148607af2d git-archive-all.sh" | sha256sum -c
chmod +x git-archive-all.sh
echo -e "--> Generating tarballs..."
# CLI
git clone --recursive -b $version_cli --depth 1 --shallow-submodule https://github.com/monero-project/monero.git monero.git && cd monero.git && ../git-archive-all.sh --prefix monero-source-${version_cli}/ --format tar --tree-ish $version_cli ../monero-source-${version_cli}.tar && cd .. && bzip2 monero-source-${version_cli}.tar
# GUI
git clone --recursive -b $version_gui --depth 1 --shallow-submodule https://github.com/monero-project/monero-gui.git monero-gui.git && cd monero-gui.git && ../git-archive-all.sh --prefix monero-gui-source-${version_gui}/ --format tar --tree-ish $version_gui ../monero-gui-source-${version_gui}.tar && cd .. && bzip2 monero-gui-source-${version_gui}.tar
mkdir yours
cp monero-gui-source-${version_gui}.tar.bz2 yours/.
cp monero-source-${version_cli}.tar.bz2 yours/.
mkdir from_website
echo -e "\n--> Move tarballs from getmonero..."
mv ../monero-gui-source-${version_gui}.tar.bz2 from_website/.
mv ../monero-source-${version_cli}.tar.bz2 from_website/.
echo -e "\n--> Unpacking all..."
bunzip2 yours/*.bz2
bunzip2 from_website/*.bz2
tar xf yours/monero-source-${version_cli}.tar -C yours/
tar xf yours/monero-gui-source-${version_gui}.tar -C yours/
tar xf from_website/monero-source-${version_cli}.tar -C from_website/
tar xf from_website/monero-gui-source-${version_gui}.tar -C from_website
# Compare directories
echo -e "\n--> Comparing CLI directories"
diff -r yours/monero-source-$version_cli from_website/monero-source-$version_cli
echo -e "\n--> Comparing GUI directories"
diff -r yours/monero-gui-source-$version_gui from_website/monero-gui-source-$version_gui