git.stella-ops.org/offline/notifier/verify_notify_kit.sh

#!/usr/bin/env bash
set -euo pipefail

ROOT=$(cd "$(dirname "$0")" && pwd)

missing=0
for f in notify-kit.manifest.json notify-kit.manifest.dsse.json artifact-hashes.json; do
  if [ ! -f "$ROOT/$f" ]; then
    echo "[FAIL] missing $f" >&2
    missing=1
  fi
done

if [ "$missing" -ne 0 ]; then
  exit 1
fi

python - <<'PY'
import json, sys, pathlib, base64
try:
    import blake3
except ImportError:
    sys.stderr.write("blake3 module missing; install with `python -m pip install blake3`\n")
    sys.exit(1)

if '__file__' in globals() and __file__ not in (None, '<stdin>'):
    root = pathlib.Path(__file__).resolve().parent
else:
    root = pathlib.Path.cwd()
hashes = json.loads((root / "artifact-hashes.json").read_text())

def h(path: pathlib.Path):
    if path.suffix == ".json":
        data = json.dumps(json.loads(path.read_text()), sort_keys=True, separators=(',', ':')).encode()
    else:
        data = path.read_bytes()
    return blake3.blake3(data).hexdigest()

ok = True
for entry in hashes["entries"]:
    path = root.parent.parent / entry["path"]
    digest = entry["digest"]
    if not path.exists():
        sys.stderr.write(f"[FAIL] missing file {path}\n")
        ok = False
        continue
    actual = h(path)
    if actual != digest:
        sys.stderr.write(f"[FAIL] digest mismatch {path}: expected {digest}, got {actual}\n")
        ok = False

if not ok:
    sys.exit(1)

print("[OK] All artifact hashes verified with blake3.")
PY