#!/usr/bin/env bash set -euo pipefail ROOT=$(cd "$(dirname "$0")" && pwd) missing=0 for f in notify-kit.manifest.json notify-kit.manifest.dsse.json artifact-hashes.json; do if [ ! -f "$ROOT/$f" ]; then echo "[FAIL] missing $f" >&2 missing=1 fi done if [ "$missing" -ne 0 ]; then exit 1 fi python - <<'PY' import json, sys, pathlib, base64 try: import blake3 except ImportError: sys.stderr.write("blake3 module missing; install with `python -m pip install blake3`\n") sys.exit(1) if '__file__' in globals() and __file__ not in (None, ''): root = pathlib.Path(__file__).resolve().parent else: root = pathlib.Path.cwd() hashes = json.loads((root / "artifact-hashes.json").read_text()) def h(path: pathlib.Path): if path.suffix == ".json": data = json.dumps(json.loads(path.read_text()), sort_keys=True, separators=(',', ':')).encode() else: data = path.read_bytes() return blake3.blake3(data).hexdigest() ok = True for entry in hashes["entries"]: path = root.parent.parent / entry["path"] digest = entry["digest"] if not path.exists(): sys.stderr.write(f"[FAIL] missing file {path}\n") ok = False continue actual = h(path) if actual != digest: sys.stderr.write(f"[FAIL] digest mismatch {path}: expected {digest}, got {actual}\n") ok = False if not ok: sys.exit(1) print("[OK] All artifact hashes verified with blake3.") PY