CD/CD consolidation
This commit is contained in:
StellaOps Bot
32
devops/tools/airgap/verify-offline-kit.sh
Normal file
32
devops/tools/airgap/verify-offline-kit.sh
Normal file
@@ -0,0 +1,32 @@
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
# Minimal verifier sample for AIRGAP-VERIFY-510-014. Adjust paths to your kit.
|
||||
|
||||
KIT_ROOT=${1:-./offline}
|
||||
MANIFEST="$KIT_ROOT/manifest.json"
|
||||
SIG="$KIT_ROOT/manifest.dsse"
|
||||
|
||||
echo "[*] Verifying manifest signature..."
|
||||
cosign verify-blob --key trust-roots/manifest.pub --signature "$SIG" "$MANIFEST"
|
||||
|
||||
echo "[*] Checking chunk hashes..."
|
||||
python - <<'PY'
|
||||
import json, hashlib, sys, os
|
||||
manifest_path=os.environ.get('MANIFEST') or sys.argv[1]
|
||||
with open(manifest_path) as f:
|
||||
data=json.load(f)
|
||||
ok=True
|
||||
for entry in data.get('chunks', []):
|
||||
path=os.path.join(os.path.dirname(manifest_path), entry['path'])
|
||||
h=hashlib.sha256()
|
||||
with open(path,'rb') as fh:
|
||||
h.update(fh.read())
|
||||
if h.hexdigest()!=entry['sha256']:
|
||||
ok=False
|
||||
print(f"HASH MISMATCH {entry['path']}")
|
||||
if not ok:
|
||||
sys.exit(4)
|
||||
PY
|
||||
|
||||
echo "[*] Done."
|
||||
Reference in New Issue
Block a user