diff --git a/.github/workflows/hashes.yaml b/.github/workflows/hashes.yaml
new file mode 100644
index 00000000..df0950fd
--- /dev/null
+++ b/.github/workflows/hashes.yaml
@@ -0,0 +1,50 @@
+---
+name: Validate Hashes
+on:
+ push:
+ paths:
+ - 'downloads/hashes.txt'
+ - '_data/downloads.yml'
+ pull_request:
+ paths:
+ - 'downloads/hashes.txt'
+ - '_data/downloads.yml'
+jobs:
+ validate-hashes:
+ name: Validate Hashes
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Install dependencies
+ run: |
+ sudo apt-get install -y --no-install-recommends curl gpg jq python-pip
+ sudo pip install yq
+ - name: Verify hashes.txt signature
+ run: |
+ gpg --recv-keys 81AC591FE9C4B65C5806AFC3F0AF4D462A0BDF92
+ gpg --verify downloads/hashes.txt
+ - name: Download releases
+ run: |
+ for file in $(awk '/monero-/ {print $2}' downloads/hashes.txt); do
+ [ -f $file ] && continue
+ echo Downloading $file...
+ dir=cli
+ if [[ $file =~ gui ]]; then
+ dir=gui
+ fi
+ url=https://dlsrc.getmonero.org/${dir}/${file}
+ curl -sLO $url
+ done
+ - name: Verify hashes.txt hashes
+ run: |
+ grep monero- downloads/hashes.txt | sha256sum -c
+ - name: Verify downloads.yml hashes
+ run: |
+ yq -r '.[] | .[0].downloads[] | "\(.link)|\(.hash)"' _data/downloads.yml | grep -v github |
+ while read line; do
+ [ -z "$line" ] && continue
+ url=$(echo $line | cut -d'|' -f1)
+ hash=$(echo $line | cut -d'|' -f2)
+ filename=$(curl -sLI $url | awk -F '/' '/^Location:/ {print $NF}' | tail -n1 | sed 's/\r//')
+ echo "$hash $filename" | sha256sum -c
+ done
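Review bot: The signature step verifies `downloads/hashes.txt`, but the later steps (`awk '/monero-/ ...'` in "Download releases" and `grep monero- downloads/hashes.txt | sha256sum -c`) read the raw file rather than the signed payload. If the file is clearsigned, as the single-argument `gpg --verify` suggests, gpg validates only the text inside the signed block, so a `monero-` line placed outside that block would still be picked up by awk and grep while the signature check passes. Have gpg write out the verified data and parse that instead: `gpg --output hashes.signed.txt --verify downloads/hashes.txt`, then point the awk and grep commands at `hashes.signed.txt`. Separately, no `shell:` is set, so the "Verify downloads.yml hashes" pipeline runs without `pipefail` by default: a failing or empty `yq` query leaves the loop with nothing to check and the step still succeeds. Adding `set -o pipefail` at the top of that `run` block, plus a check that at least one entry was verified, would make it fail closed.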