Download patch signatures and verify them

Before uploading the source files, verify the GPG signature is good. Signed-off-by: Jeremy Cline <jeremy@jcline.org>
2018-04-02 14:55:36 -04:00 · 2018-04-02 14:55:36 -04:00 · 192ccb6e5f
commit 192ccb6e5f
parent 5324c74646
2 changed files with 16 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -3,5 +3,6 @@ clog
 *.bz2
 *.rpm
 *.orig
+*.sign
 kernel-[234].*/
 perf-man-*.tar.gz
--- a/scripts/stable-update.sh
+++ b/scripts/stable-update.sh
@ -42,6 +42,21 @@ if [ ! -f patch-$1.xz ]; then
 	fi
 fi

+if [ ! -f "patch-$1.sign" ]; then
+        wget "https://cdn.kernel.org/pub/linux/kernel/v4.x/patch-$1.sign"
+        if [ ! $? -eq 0 ]; then
+                echo "Signature download failed"
+                exit 1
+        fi
+fi
+
+xzcat "patch-$1.xz" | gpg2 --verify "patch-$1.sign" -
+if [ ! $? -eq 0 ]; then
+        echo "Patch file has invalid or untrusted signature!"
+        echo "See https://www.kernel.org/category/signatures.html"
+        exit 1
+fi
+
 grep $1 sources &> /dev/null
 if [ ! $? -eq 0 ]; then
 	fedpkg upload patch-$1.xz