From 192ccb6e5f187877d6fa461993727dbd3a528e3c Mon Sep 17 00:00:00 2001
From: Jeremy Cline <jeremy@jcline.org>
Date: Mon, 2 Apr 2018 14:55:36 -0400
Subject: Download patch signatures and verify them

Before uploading the source files, verify the GPG signature is good.

Signed-off-by: Jeremy Cline <jeremy@jcline.org>
---
 scripts/stable-update.sh | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

(limited to 'scripts')

diff --git a/scripts/stable-update.sh b/scripts/stable-update.sh
index eefd9a96d..2ea5fb78b 100755
--- a/scripts/stable-update.sh
+++ b/scripts/stable-update.sh
@@ -42,6 +42,21 @@ if [ ! -f patch-$1.xz ]; then
 	fi
 fi
 
+if [ ! -f "patch-$1.sign" ]; then
+        wget "https://cdn.kernel.org/pub/linux/kernel/v4.x/patch-$1.sign"
+        if [ ! $? -eq 0 ]; then
+                echo "Signature download failed"
+                exit 1
+        fi
+fi
+
+xzcat "patch-$1.xz" | gpg2 --verify "patch-$1.sign" -
+if [ ! $? -eq 0 ]; then
+        echo "Patch file has invalid or untrusted signature!"
+        echo "See https://www.kernel.org/category/signatures.html"
+        exit 1
+fi
+
 grep $1 sources &> /dev/null
 if [ ! $? -eq 0 ]; then
 	fedpkg upload patch-$1.xz
-- 
cgit