curl/scripts/verify-release
Daniel Stenberg 6ce740403e
verify-release: verify more thoroughly with git
If the script is invoked in a git repository it verifies the tarball
better.

Closes #22018
2026-06-15 15:44:08 +02:00


#!/bin/sh
#***************************************************************************
# _ _ ____ _
# Project ___| | | | _ \| |
# / __| | | | |_) | |
# | (__| |_| | _ <| |___
# \___|\___/|_| \_\_____|
#
# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
#
# This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms
# are also available at https://curl.se/docs/copyright.html.
#
# You may opt to use, copy, modify, merge, publish, distribute and/or sell
# copies of the Software, and permit persons to whom the Software is
# furnished to do so, under the terms of the COPYING file.
#
# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
# KIND, either express or implied.
#
# SPDX-License-Identifier: curl
#
###########################################################################
# This script remakes a provided curl release and verifies that the newly
# built version is identical to the original file.
#
# Invoke in a clean directory with the path to the release tarball as an
# argument for basic verification.
#
# For maximum verification: run the script in an up-to-date curl git
# repository.
#
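set -eu

tarball="${1:-}"

# A verification tool must never report success when it verified nothing, so
# every early bail-out below uses a non-zero status (a bare "exit" after echo
# would return 0) and prints its diagnostic on stderr.
if [ -z "$tarball" ]; then
  echo "Provide a curl release tarball name as argument" >&2
  exit 1
fi

if [ ! -f "$tarball" ]; then
  echo "$tarball: not a readable file" >&2
  exit 1
fi

i="$(find . -maxdepth 1 -type d -name 'curl-*' | wc -l)"
if test "$i" -gt 1; then
  echo "multiple curl-* entries found, disambiguate please" >&2
  exit 1
fi

# check if this is in a git clone directory
if git log -1 include/curl/curl.h 2>/dev/null >/dev/null; then
  echo "*** Detected a git checkout, do full verification"
  withgit=1
else
  echo "*** Lacking a full git checkout, do the lesser verification"
  withgit=0
fi

mkdir -p _tarballs
rm -rf _tarballs/*

# Checksum the original tarball to compare with later. The digest is recorded
# under the bare file name: the final "sha256sum -c" runs inside _tarballs/,
# so a name with a directory part would be resolved from there. With an
# absolute path it would re-read the original tarball and pass without ever
# looking at the rebuilt one.
origsum=$(sha256sum <"$tarball")
printf '%s  %s\n' "${origsum%% *}" "${tarball##*/}" >_tarballs/checksum

# extract the release contents
tar xf "$tarball"

# Everything parsed below comes out of the tarball under verification, so it
# is checked before being used to build paths or arguments.
curlver=$(grep '#define LIBCURL_VERSION ' curl-*/include/curl/curlver.h | sed 's/[^0-9.]//g')
case "$curlver" in
  '' | *[!0-9.]*)
    # empty: no version line found; anything else (such as a newline) means
    # the curl-* glob matched more than one directory
    echo "could not extract a single version number from the tarball" >&2
    exit 1
    ;;
esac
echo "version $curlver"

timestamp=$(grep -Eo 'SOURCE_DATE_EPOCH=[0-9]*' curl-"$curlver"/docs/RELEASE-TOOLS.md | cut -d= -f2)
if [ -z "$timestamp" ]; then
  echo "no SOURCE_DATE_EPOCH found in docs/RELEASE-TOOLS.md" >&2
  exit 1
fi

if test "$withgit" = 0; then
  # Without git: configure and dmaketgz are the copies shipped inside the
  # tarball itself, so this mode runs code from the file being verified and
  # only shows that the tarball reproduces from its own contents.
  builddir="curl-$curlver"
  (
    cd "$builddir"
    ./configure --without-ssl --without-libpsl
    ./scripts/dmaketgz "$curlver" "$timestamp"
  )
else
  # With git: the release is rebuilt from the tagged tree, using the tag named
  # in the tarball's RELEASE-TOOLS.md. The pattern limits it to curl-<digits_>.
  tag=$(grep -Eo 'tag/commit: curl-[0-9_]*' curl-"$curlver"/docs/RELEASE-TOOLS.md | head -n 1 | sed 's/^tag\/commit: //')
  if [ -z "$tag" ]; then
    echo "no release tag found in docs/RELEASE-TOOLS.md" >&2
    exit 1
  fi
  echo "*** Use git tag $tag"
  builddir=.
  prevtag=$(git symbolic-ref -q --short HEAD || git rev-parse HEAD)
  # NOTE: checkout -f discards uncommitted changes in tracked files
  git checkout -f "$tag"
  # Capture the build status instead of letting set -e abort here, so the
  # work tree is switched back even when the build fails.
  rc=0
  ./scripts/dmaketgz "$curlver" "$timestamp" || rc=$?
  # switch back to where it was
  git checkout -f "$prevtag"
  if [ "$rc" -ne 0 ]; then
    exit "$rc"
  fi
fi

for f in "curl-$curlver.tar.gz" "curl-$curlver.tar.bz2" "curl-$curlver.tar.xz" "curl-$curlver.zip"; do
  mv "$builddir/$f" _tarballs/
done

cd "_tarballs"

# compare the new tarball against the original
sha256sum -c checksum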