ci/contributing: verify donation address/qr's are signed #122
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Validate Hashes | |
on: | |
push: | |
paths: | |
- 'downloads/hashes.txt' | |
- '_data/downloads.yml' | |
- '_data/contributing.yml' | |
pull_request: | |
paths: | |
- 'downloads/hashes.txt' | |
- '_data/downloads.yml' | |
- '_data/contributing.yml' | |
jobs: | |
validate-hashes: | |
name: Validate Hashes | |
runs-on: ubuntu-22.04 | |
steps: | |
- uses: actions/checkout@v2 | |
- name: Install dependencies | |
run: | | |
sudo apt-get install -y --no-install-recommends curl gpg jq python3-pip zbartools | |
sudo pip3 install yq | |
- name: Verify hashes.txt + contributing.yml signature | |
run: | | |
curl -sL https://raw.githubusercontent.com/monero-project/monero/master/utils/gpg_keys/binaryfate.asc | | |
gpg --import | |
gpg --verify downloads/hashes.txt | |
# signed by myself for testing purposes only | |
curl -sL https://raw.githubusercontent.com/plowsof/pgp/refs/heads/main/plowsofsmol.asc | gpg --import | |
gpg --verify _data/contributing.yml.asc | |
- name: Verify General Fund donation QR's | |
run: | | |
yaml="_data/contributing.yml" | |
get_yaml_value() { | |
awk -v key="$1:" '$1 == key {print $2}' "$yaml" | |
} | |
for coin in xmr btc; do | |
qr_checksum=$(get_yaml_value "qr_${coin}_checksum") | |
qr_filename=$(get_yaml_value "qr_${coin}_filename") | |
qr_content=$(get_yaml_value "qr_${coin}_content") | |
echo "DEBUG: $qr_checksum $qr_filename" | |
echo "DEBUG: $qr_content" | |
# Confirm hashes match | |
echo "$qr_checksum $file" | sha256sum -c | |
# Get QR content | |
qr_scanned=$(zbarimg -q --raw "$qr_filename") | |
# Compare scanned content with expected content | |
if [ "$qr_scanned" = "$qr_content" ]; then | |
echo "${coin^^} QR code content matches exactly" | |
else | |
echo "${coin^^} QR code content does not match" | |
echo "Scanned: $qr_scanned" | |
echo "Expected: $qr_content" | |
fi | |
echo "---" | |
done | |
- name: Verify filenames | |
run: | | |
lines="$(grep -v ^# downloads/hashes.txt)" | |
SAVEIFS=$IFS | |
IFS=$'\n' | |
lines=($lines) | |
IFS=$SAVEIFS | |
version_gui=$(awk '/monero-gui-source-v/ {print $2}' downloads/hashes.txt | awk -F".tar.bz2" '{print $1}' | awk -F"-" '{print $4}') | |
version_cli=$(awk '/monero-source-v/ {print $2}' downloads/hashes.txt | awk -F".tar.bz2" '{print $1}' | awk -F"-" '{print $3}') | |
filenames_cli=() | |
filenames_gui=() | |
get_filename(){ | |
line=$1 | |
the_line=($line) | |
length="${#the_line[@]}" | |
((length-=1)) | |
filename="${the_line[$length]}" | |
echo "${filename}" | |
} | |
# expects cli files between lines 2-14 and gui 15-19 (comments do not count, 1st line = 0) | |
# to add a new file to the cli, $num must be -gt 1 and -lt 16. | |
# gui $num is now -gt 15 and -lt 21 (new line has been added above) | |
# a new gui file will only increase the -lt number by 1 | |
# changes to extensions / new files must be reflected in the cli_files / gui_files lists below | |
num=0 | |
for line in "${lines[@]}"; do | |
if [ $num -gt 1 ] && [ $num -lt 15 ] ; then | |
#CLI | |
filename=$(get_filename "${line}") | |
filenames_cli+=("${filename}") | |
elif [ $num -gt 14 ] && [ $num -lt 21 ] ; then | |
#GUI | |
filename=$(get_filename "${line}") | |
filenames_gui+=("${filename}") | |
fi | |
((num+=1)) | |
done | |
# edit/add/remove filenames below | |
cli_files=(\ | |
"monero-android-armv7-${version_cli}.tar.bz2" \ | |
"monero-android-armv8-${version_cli}.tar.bz2" \ | |
"monero-freebsd-x64-${version_cli}.tar.bz2" \ | |
"monero-linux-armv7-${version_cli}.tar.bz2" \ | |
"monero-linux-armv8-${version_cli}.tar.bz2" \ | |
"monero-linux-riscv64-${version_cli}.tar.bz2" \ | |
"monero-linux-x64-${version_cli}.tar.bz2" \ | |
"monero-linux-x86-${version_cli}.tar.bz2" \ | |
"monero-mac-armv8-${version_cli}.tar.bz2" \ | |
"monero-mac-x64-${version_cli}.tar.bz2" \ | |
"monero-win-x64-${version_cli}.zip" \ | |
"monero-win-x86-${version_cli}.zip" \ | |
"monero-source-${version_cli}.tar.bz2") | |
gui_files=(\ | |
"monero-gui-install-win-x64-${version_gui}.exe" \ | |
"monero-gui-linux-x64-${version_gui}.tar.bz2" \ | |
"monero-gui-mac-x64-${version_gui}.dmg" \ | |
"monero-gui-mac-armv8-${version_gui}.dmg" \ | |
"monero-gui-win-x64-${version_gui}.zip" \ | |
"monero-gui-source-${version_gui}.tar.bz2") | |
check_filenames(){ | |
local -n file_list=$1 | |
local -n hardcoded=$2 | |
for f in "${file_list[@]}"; do | |
if [[ "${hardcoded[*]}" =~ "${f}" ]]; then | |
echo "Filename OK: ${f}" | |
else | |
echo "Filename BAD: ${f}" | |
exit 1 | |
fi | |
done | |
} | |
check_filenames filenames_cli cli_files | |
check_filenames filenames_gui gui_files | |
- name: Download releases | |
run: | | |
for file in $(awk '/monero-/ {print $2}' downloads/hashes.txt); do | |
[ -f $file ] && continue | |
echo Downloading $file... | |
dir=cli | |
if [[ $file =~ gui ]]; then | |
dir=gui | |
fi | |
url=https://dlsrc.getmonero.org/${dir}/${file} | |
curl -sLO $url | |
done | |
- name: Verify hashes.txt hashes | |
run: | | |
grep monero- downloads/hashes.txt | sha256sum -c | |
- name: Verify downloads.yml hashes | |
run: | | |
yq -r '.[] | .[0].downloads[] | "\(.link)|\(.hash)"' _data/downloads.yml | grep -v github | | |
while read line; do | |
[ -z "$line" ] && continue | |
url=$(echo $line | cut -d'|' -f1) | |
hash=$(echo $line | cut -d'|' -f2) | |
filename= | |
case $url in | |
*gui/win64install) filename=monero-gui-install-win-x64 ;; | |
*gui/win64) filename=monero-gui-win-x64 ;; | |
*gui/mac64) filename=monero-gui-mac-x64 ;; | |
*gui/macarm8) filename=monero-gui-mac-armv8 ;; | |
*gui/linux64) filename=monero-gui-linux-x64 ;; | |
*gui/source) filename=monero-gui-source ;; | |
*cli/win64) filename=monero-win-x64 ;; | |
*cli/win32) filename=monero-win-x86 ;; | |
*cli/mac64) filename=monero-mac-x64 ;; | |
*cli/macarm8) filename=monero-mac-armv8 ;; | |
*cli/linux64) filename=monero-linux-x64 ;; | |
*cli/linux32) filename=monero-linux-x86 ;; | |
*cli/linuxarm8) filename=monero-linux-armv8 ;; | |
*cli/linuxarm7) filename=monero-linux-armv7 ;; | |
*cli/linuxriscv64) filename=monero-linux-riscv64 ;; | |
*cli/androidarm8) filename=monero-android-armv8 ;; | |
*cli/androidarm7) filename=monero-android-armv7 ;; | |
*cli/freebsd64) filename=monero-freebsd-x64 ;; | |
*cli/source) filename=monero-source ;; | |
*) | |
echo "Unknown url $url" >&2 | |
exit 1 | |
;; | |
esac | |
filename=$(awk "/${filename}/ {print \$2}" downloads/hashes.txt) | |
echo "$hash $filename" | sha256sum -c | |
done | |
- name: Validate source integrity | |
run: | | |
version_gui=$(awk '/monero-gui-source-v/ {print $2}' downloads/hashes.txt | awk -F".tar.bz2" '{print $1}' | awk -F"-" '{print $4}') | |
version_cli=$(awk '/monero-source-v/ {print $2}' downloads/hashes.txt | awk -F".tar.bz2" '{print $1}' | awk -F"-" '{print $3}') | |
echo -e "\n--> GUI version: $version_gui \n--> CLI version: $version_cli" | |
mkdir validate_sources | |
cd validate_sources | |
# Download / verify git-archive-all.sh | |
curl -O https://raw.githubusercontent.com/fabacab/git-archive-all.sh/fc86194f00b678438f9210859597f6eead28e765/git-archive-all.sh | |
echo "db62e9a824866989c9d080f008ec06d81421cf94bed3762acba3b9148607af2d git-archive-all.sh" | sha256sum -c | |
chmod +x git-archive-all.sh | |
echo -e "--> Generating tarballs..." | |
# CLI | |
git clone --recursive -b $version_cli --depth 1 --shallow-submodule https://github.com/monero-project/monero.git monero.git && cd monero.git && ../git-archive-all.sh --prefix monero-source-${version_cli}/ --format tar --tree-ish $version_cli ../monero-source-${version_cli}.tar && cd .. && bzip2 monero-source-${version_cli}.tar | |
# GUI | |
git clone --recursive -b $version_gui --depth 1 --shallow-submodule https://github.com/monero-project/monero-gui.git monero-gui.git && cd monero-gui.git && ../git-archive-all.sh --prefix monero-gui-source-${version_gui}/ --format tar --tree-ish $version_gui ../monero-gui-source-${version_gui}.tar && cd .. && bzip2 monero-gui-source-${version_gui}.tar | |
mkdir yours | |
cp monero-gui-source-${version_gui}.tar.bz2 yours/. | |
cp monero-source-${version_cli}.tar.bz2 yours/. | |
mkdir from_website | |
echo -e "\n--> Move tarballs from getmonero..." | |
mv ../monero-gui-source-${version_gui}.tar.bz2 from_website/. | |
mv ../monero-source-${version_cli}.tar.bz2 from_website/. | |
echo -e "\n--> Unpacking all..." | |
bunzip2 yours/*.bz2 | |
bunzip2 from_website/*.bz2 | |
tar xf yours/monero-source-${version_cli}.tar -C yours/ | |
tar xf yours/monero-gui-source-${version_gui}.tar -C yours/ | |
tar xf from_website/monero-source-${version_cli}.tar -C from_website/ | |
tar xf from_website/monero-gui-source-${version_gui}.tar -C from_website | |
# Compare directories | |
echo -e "\n--> Comparing CLI directories" | |
diff -r yours/monero-source-$version_cli from_website/monero-source-$version_cli | |
echo -e "\n--> Comparing GUI directories" | |
diff -r yours/monero-gui-source-$version_gui from_website/monero-gui-source-$version_gui |