blob: e51f93a240c7627d14c5f365685907cd1cccb06c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
|
#!/bin/bash
# Unified mirror sync + verification script
# Docβs βNot my circus, not my monkeysβ edition π + runtime tracking + before/after trust
set -euo pipefail
umask 022
LOGBASE="/var/log/mirror-verify"
GPGDIR="/etc/mirror-gpg"
MIRRORS=(
# name|rsync_source|local_dir|logfile|manifest_url|sig_url|gpg_keyring
"archlinux|rsync://arch.mirror.constant.com/archlinux/|/brimstone2/mirror/archlinux|$LOGBASE/arch-mirror-sync.log|https://geo.mirror.pkgbuild.com/iso/latest/archlinux-x86_64.iso|https://geo.mirror.pkgbuild.com/iso/latest/archlinux-x86_64.iso.sig|$GPGDIR/archlinux.gpg"
"gentoo|rsync://masterdistfiles.gentoo.org/gentoo/|/brimstone2/mirror/gentoo|$LOGBASE/gentoo-mirror-sync.log|https://distfiles.gentoo.org/releases/amd64/autobuilds/current-stage3-amd64/sha256sum.txt|https://distfiles.gentoo.org/releases/amd64/autobuilds/current-stage3-amd64/sha256sum.txt.sig|$GPGDIR/gentoo.gpg"
"hardenedbsd|rsync://rsync.hardenedbsd.org/all/|/mnt/brimstone/mirror/hardenedbsd|$LOGBASE/hbsd-sync.log|https://hardenedbsd.org/releases/CHECKSUMS.SHA256|https://hardenedbsd.org/releases/CHECKSUMS.SHA256.sig|$GPGDIR/hbsd.gpg"
"void|rsync://repo-sync.voidlinux.org/voidlinux/|/mnt/brimstone/mirror/void|$LOGBASE/void-sync.log|https://repo.voidlinux.org/live/current/sha256sum.txt|https://repo.voidlinux.org/live/current/sha256sum.txt.sig|$GPGDIR/void.gpg"
"slackware|rsync://mirrors.kernel.org/slackware/|/mnt/brimstone/mirror/slackware|$LOGBASE/slackware-sync.log|https://mirrors.slackware.com/slackware/slackware64-current/CHECKSUMS.md5|https://mirrors.slackware.com/slackware/slackware64-current/CHECKSUMS.md5.asc|$GPGDIR/slackware.gpg"
)
for entry in "${MIRRORS[@]}"; do
IFS="|" read -r NAME SOURCE DEST LOG MANIFEST SIG KEYRING <<< "$entry"
{
echo "========== [$(date)] Starting $NAME =========="
START=$(date +%s)
# Banner title
case "$NAME" in
archlinux) TITLE="Arch Linux Mirror Verifier" ;;
gentoo) TITLE="Gentoo Mirror Verifier" ;;
hardenedbsd) TITLE="HardenedBSD Mirror Verifier" ;;
void) TITLE="Void Linux Mirror Verifier" ;;
slackware) TITLE="Slackware Mirror Verifier" ;;
*) TITLE="Mirror Verifier" ;;
esac
cat << EOF
__ __ _
| \/ (_) ___ _ __ ___ ___ _ __ ___
| |\/| | |/ __| '_ \` _ \ / _ \| '__/ _ \\
| | | | | (__| | | | | | (_) | | | __/
|_| |_|_|\___|_| |_| |_|\___/|_| \___| v1.0
π $TITLE β Not my circus
EOF
echo "========== BEFORE Keyring Trust (fingerprints) for $NAME =========="
if [ -f "$KEYRING" ]; then
gpg --no-default-keyring --keyring "$KEYRING" --fingerprint || true
else
echo "[$NAME] No keyring available β cannot verify signatures."
fi
echo "========== Syncing $NAME =========="
rsync -avhr --delete "$SOURCE" "$DEST"
echo "========== Dry-run verification for $NAME =========="
DRYRUN=$(rsync -nrv --delete "$SOURCE" "$DEST")
if [[ -z "$DRYRUN" ]]; then
echo "[$NAME] In sync: no differences found"
else
echo "[$NAME] OUT OF SYNC β differences detected!"
echo "$DRYRUN"
fi
echo "========== Signature verification for $NAME =========="
TMPDIR=$(mktemp -d)
curl -s -L -o "$TMPDIR/manifest" "$MANIFEST"
curl -s -L -o "$TMPDIR/sig" "$SIG"
if [ ! -s "$TMPDIR/sig" ]; then
echo "[$NAME] No valid signature upstream β Not my circus, not my monkeys π"
else
if gpg --no-default-keyring --keyring "$KEYRING" \
--verify "$TMPDIR/sig" "$TMPDIR/manifest" 2>&1; then
echo "[$NAME] Signature verified successfully β
"
else
echo "[$NAME] Signature verification FAILED β (Upstream problem?)"
fi
fi
rm -rf "$TMPDIR"
echo "========== AFTER Keyring Trust (fingerprints) for $NAME =========="
if [ -f "$KEYRING" ]; then
gpg --no-default-keyring --keyring "$KEYRING" --fingerprint || true
fi
END=$(date +%s)
RUNTIME=$(( (END - START) / 60 ))
echo "[$NAME] Completed in $RUNTIME minutes"
echo "========== [$(date)] Done with $NAME =========="
} >> "$LOG" 2>&1
done
|
