diff --git a/.gitignore b/.gitignore index 2a888b23d..93aa862ec 100644 --- a/.gitignore +++ b/.gitignore @@ -3,5 +3,6 @@ clog *.bz2 *.rpm *.orig +*.sign kernel-[234].*/ perf-man-*.tar.gz diff --git a/scripts/stable-update.sh b/scripts/stable-update.sh index eefd9a96d..2ea5fb78b 100755 --- a/scripts/stable-update.sh +++ b/scripts/stable-update.sh @@ -42,6 +42,21 @@ if [ ! -f patch-$1.xz ]; then fi fi +if [ ! -f "patch-$1.sign" ]; then + wget "https://cdn.kernel.org/pub/linux/kernel/v4.x/patch-$1.sign" + if [ ! $? -eq 0 ]; then + echo "Signature download failed" + exit 1 + fi +fi + +xzcat "patch-$1.xz" | gpg2 --verify "patch-$1.sign" - +if [ ! $? -eq 0 ]; then + echo "Patch file has invalid or untrusted signature!" + echo "See https://www.kernel.org/category/signatures.html" + exit 1 +fi + grep $1 sources &> /dev/null if [ ! $? -eq 0 ]; then fedpkg upload patch-$1.xz