verify-release: don't unpack in git repo

- Clarify that the tarball to verify should be put in the same dir you
  run the script.

- Verify that the curl version number in the file name matches the
  version number within the tarball. To reduce risk for mistakes.

- When verifying using git, do not unpack the tarball. It avoids the
  security risk with malicious tarball contents playing tricks on git.

- Only unpack the tarball for git-less verification.

- Move the source tarball into _tarballs/ instead of overwriting it,
  which can be useful in case the verification fails

Closes #22032
Daniel Stenberg 2026-06-15 17:11:53 +02:00
parent bb72413b03
commit 7f57aeec40
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2


@ -27,11 +27,10 @@
# This script remakes a provided curl release and verifies that the newly
# built version is identical to the original file.
#
# Invoke in a clean directory with the path to the release tarball as an
# argument for basic verification.
# Invoke in a clean directory with the release tarball file (stored in the
# same directory) as an argument for basic verification.
#
# For maximum verification: run the script in an up-to-date curl git
# repository.
# For full verification: run the script in an up-to-date curl git repository.
#
set -eu
@ -66,18 +65,28 @@ rm -rf _tarballs/*
# checksum the original tarball to compare with later
sha256sum "$tarball" >_tarballs/checksum
# extract the release contents
tar xf "$tarball"
# extract version number from file name
tarver=$(echo "$tarball" | sed 's/curl-\([0-9.]*\)\..*/\1/')
curlver=$(grep '#define LIBCURL_VERSION ' curl-*/include/curl/curlver.h | sed 's/[^0-9.]//g')
# extract the version from the official header file
curlver=$(tar xOf "$tarball" "curl-$tarver/include/curl/curlver.h" | grep '#define LIBCURL_VERSION ' | sed 's/[^0-9.]//g')
echo "version $curlver"
if test "$tarver" != "$curlver"; then
echo "Tarball file version ($tarver) mismatches contents of tarball ($curlver)"
exit 1
fi
timestamp=$(grep -Eo 'SOURCE_DATE_EPOCH=[0-9]*' curl-"$curlver"/docs/RELEASE-TOOLS.md | cut -d= -f2)
timestamp=$(tar xOf "$tarball" "curl-$tarver/docs/RELEASE-TOOLS.md" | grep 'SOURCE_DATE_EPOCH=' | sed 's/[^0-9.]//g')
if test "$withgit" = 0; then
# without git
# extract the release contents
tar xf "$tarball"
# move away the original tarball
mv "$tarball" "_tarballs/orig-$tarball"
pwd=$(pwd)
cd "curl-$curlver"
./configure --without-ssl --without-libpsl
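Review bot: The new timestamp extraction `timestamp=$(tar xOf "$tarball" "curl-$tarver/docs/RELEASE-TOOLS.md" | grep 'SOURCE_DATE_EPOCH=' | sed 's/[^0-9.]//g')` is looser than the `grep -Eo 'SOURCE_DATE_EPOCH=[0-9]*' | cut -d= -f2` it replaces: it keeps every digit and dot on the whole matched line, so any other number on that line (a version, a date) would be folded into the epoch, a `.` is never part of a valid epoch, and an unanchored `grep 'SOURCE_DATE_EPOCH='` matching two lines would concatenate both values. Keeping the old anchored form on the streamed file, `timestamp=$(tar xOf "$tarball" "curl-$tarver/docs/RELEASE-TOOLS.md" | grep -Eo 'SOURCE_DATE_EPOCH=[0-9]+' | head -n 1 | cut -d= -f2)`, avoids all three. Because the script runs under `set -eu` without `pipefail`, a missing archive member or missing line currently leaves `timestamp` empty with no error, so a guard such as `test -n "$timestamp" || { echo "no SOURCE_DATE_EPOCH found in tarball"; exit 1; }` right after it would fail the run the same way the new version-mismatch check does. Whether the documented line really carries extra digits depends on RELEASE-TOOLS.md, which the hunk does not show. The `if test "$withgit" = 0` branch continues past the end of the hunk.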
@ -88,8 +97,12 @@ if test "$withgit" = 0; then
done
cd "$pwd"
else
tag=$(grep -Eo 'tag/commit: curl-[0-9_]*' curl-"$curlver"/docs/RELEASE-TOOLS.md | head -n 1 | sed 's/^tag\/commit: //')
tag=$(tar xOf "$tarball" "curl-$tarver/docs/RELEASE-TOOLS.md" | grep 'tag/commit: curl-' | head -n 1 | sed 's/.*\(curl-[0-9_]*\).*/\1/')
echo "*** Use git tag $tag"
# move away the original tarball
mv "$tarball" "_tarballs/orig-$tarball"
prevtag=$(git symbolic-ref -q --short HEAD || git rev-parse HEAD)
git checkout -f "$tag"