git.stella-ops.org/tools/zastava-verify-evidence-tar.sh

#!/usr/bin/env bash
set -euo pipefail

TAR_PATH=${1:-evidence-locker/zastava/2025-12-02/zastava-evidence.tar}
EXPECTED_SHA=${EXPECTED_SHA:-e1d67424273828c48e9bf5b495a96c2ebcaf1ef2c308f60d8b9c62b8a1b735ae}

if [[ ! -f "$TAR_PATH" ]]; then
  echo "missing tar: $TAR_PATH" >&2
  exit 1
fi

sha=$(sha256sum "$TAR_PATH" | awk '{print $1}')
if [[ "$sha" != "$EXPECTED_SHA" ]]; then
  echo "sha mismatch: got $sha expected $EXPECTED_SHA" >&2
  exit 2
fi

tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

tar -xf "$TAR_PATH" -C "$tmpdir"
(cd "$tmpdir" && sha256sum --check SHA256SUMS)

echo "OK: tar hash matches and inner SHA256SUMS verified"