up

2025-12-03 00:10:19 +02:00
parent ea1d58a89b
commit 37cba83708
158 changed files with 147438 additions and 867 deletions
--- a/src/AirGap/scripts/verify-manifest.sh
+++ b/src/AirGap/scripts/verify-manifest.sh
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Offline verifier for AirGap manifest/bundle hashes.
+# Usage: verify-manifest.sh path/to/manifest.json path/to/bundle.tar.gz [manifest-signature.bin] [pubkey.pem]
+
+manifest=${1:?manifest path required}
+bundle=${2:?bundle path required}
+sig=${3:-}
+pub=${4:-}
+
+if ! command -v jq >/dev/null; then
+  echo "jq is required for offline validation" >&2
+  exit 2
+fi
+
+calc_sha() {
+  sha256sum "$1" | awk '{print $1}'
+}
+
+manifest_hash=$(calc_sha "$manifest")
+expected_manifest_hash=$(jq -r '.hashes.manifestSha256' "$manifest")
+
+if [[ "$manifest_hash" != "$expected_manifest_hash" ]]; then
+  echo "manifest hash mismatch: got $manifest_hash expected $expected_manifest_hash" >&2
+  exit 3
+fi
+
+bundle_hash=$(calc_sha "$bundle")
+expected_bundle_hash=$(jq -r '.hashes.bundleSha256' "$manifest")
+
+if [[ "$bundle_hash" != "$expected_bundle_hash" ]]; then
+  echo "bundle hash mismatch: got $bundle_hash expected $expected_bundle_hash" >&2
+  exit 4
+fi
+
+if [[ -n "$sig" && -n "$pub" ]]; then
+  if ! command -v openssl >/dev/null; then
+    echo "openssl required for signature verification" >&2
+    exit 5
+  fi
+  openssl dgst -sha256 -verify "$pub" -signature "$sig" "$manifest" >/dev/null
+fi
+
+echo "Manifest and bundle hashes verified${sig:+; signature verified}."