feat: verify package signatures (#1220)

rdmitr · web-flow · commit 004884c07fbc · 2025-04-15T23:54:58.000+07:00
* feat: archive integrity verification WIP

* feat: archive integrity verification in the aarch64 update script

* chore: extract verification into a separate file

* feat: add signature verification to all installation and update scripts

* fix: pass correct filenames when invoking the verification script
diff --git a/scripts/linux-aarch64/install.sh b/scripts/linux-aarch64/install.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 
 ALBYHUB_URL="https://getalby.com/install/hub/server-linux-aarch64.tar.bz2"
+VERIFIER_URL="https://getalby.com/install/hub/verify.sh"
 echo ""
 echo ""
 echo "⚡️ Welcome to Alby Hub"
@@ -17,6 +18,22 @@ cd $INSTALL_DIR
 
 # download and extract the Alby Hub executable
 wget $ALBYHUB_URL
+
+if [[ ! -f "verify.sh" ]]; then
+  echo "Downloading the verification script..."
+  if ! wget -q "$VERIFIER_URL"; then
+    echo "❌ Failed to download the verification script." >&2
+    exit 1
+  fi
+  chmod +x verify.sh
+fi
+
+./verify.sh server-linux-aarch64.tar.bz2 albyhub-Server-Linux-aarch64.tar.bz2
+if [[ $? -ne 0 ]]; then
+  echo "❌ Verification failed, aborting installation"
+  exit 1
+fi
+
 tar xvf server-linux-aarch64.tar.bz2
 if [[ $? -ne 0 ]]; then
   echo "Failed to unpack Alby Hub. Potentially bzip2 is missing"
diff --git a/scripts/linux-aarch64/update.sh b/scripts/linux-aarch64/update.sh
@@ -57,6 +57,13 @@ cp -r data albyhub-backup
 
 echo "Downloading latest version"
 wget $ALBYHUB_URL
+
+./verify.sh server-linux-aarch64.tar.bz2 albyhub-Server-Linux-aarch64.tar.bz2
+if [[ $? -ne 0 ]]; then
+  echo "❌ Verification failed, aborting installation"
+  exit 1
+fi
+
 tar -xvf server-linux-aarch64.tar.bz2
 rm server-linux-aarch64.tar.bz2
 
diff --git a/scripts/linux-x86_64/install.sh b/scripts/linux-x86_64/install.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 
 ALBYHUB_URL="https://getalby.com/install/hub/server-linux-x86_64.tar.bz2"
+VERIFIER_URL="https://getalby.com/install/hub/verify.sh"
 echo ""
 echo ""
 echo "⚡️ Welcome to Alby Hub"
@@ -17,6 +18,22 @@ cd $INSTALL_DIR
 
 # download and extract the Alby Hub executable
 wget $ALBYHUB_URL
+
+if [[ ! -f "verify.sh" ]]; then
+  echo "Downloading the verification script..."
+  if ! wget -q "$VERIFIER_URL"; then
+    echo "❌ Failed to download the verification script." >&2
+    exit 1
+  fi
+  chmod +x verify.sh
+fi
+
+./verify.sh server-linux-x86_64.tar.bz2 albyhub-Server-Linux-x86_64.tar.bz2
+if [[ $? -ne 0 ]]; then
+  echo "❌ Verification failed, aborting installation"
+  exit 1
+fi
+
 tar xvf server-linux-x86_64.tar.bz2
 if [[ $? -ne 0 ]]; then
   echo "Failed to unpack Alby Hub. Potentially bzip2 is missing"
diff --git a/scripts/linux-x86_64/update.sh b/scripts/linux-x86_64/update.sh
@@ -57,6 +57,13 @@ cp -r data albyhub-backup
 
 echo "Downloading latest version"
 wget $ALBYHUB_URL
+
+./verify.sh server-linux-x86_64.tar.bz2 albyhub-Server-Linux-x86_64.tar.bz2
+if [[ $? -ne 0 ]]; then
+  echo "❌ Verification failed, aborting installation"
+  exit 1
+fi
+
 tar -xvf server-linux-x86_64.tar.bz2
 rm server-linux-x86_64.tar.bz2
 
diff --git a/scripts/pi-aarch64/install.sh b/scripts/pi-aarch64/install.sh
@@ -1,3 +1,5 @@
+VERIFIER_URL="https://getalby.com/install/hub/verify.sh"
+
 echo ""
 echo ""
 echo "⚡️ Welcome to Alby Hub"
@@ -10,6 +12,21 @@ sudo chown -R $USER:$USER /opt/albyhub
 cd /opt/albyhub
 wget https://getalby.com/install/hub/server-linux-aarch64.tar.bz2
 
+if [[ ! -f "verify.sh" ]]; then
+  echo "Downloading the verification script..."
+  if ! wget -q "$VERIFIER_URL"; then
+    echo "❌ Failed to download the verification script." >&2
+    exit 1
+  fi
+  chmod +x verify.sh
+fi
+
+./verify.sh server-linux-aarch64.tar.bz2 albyhub-Server-Linux-aarch64.tar.bz2
+if [[ $? -ne 0 ]]; then
+  echo "❌ Verification failed, aborting installation"
+  exit 1
+fi
+
 # Extract archives
 tar -xvf server-linux-aarch64.tar.bz2
 if [[ $? -ne 0 ]]; then
diff --git a/scripts/pi-aarch64/update.sh b/scripts/pi-aarch64/update.sh
@@ -13,6 +13,12 @@ cp -r data albyhub-backup
 
 wget https://getalby.com/install/hub/server-linux-aarch64.tar.bz2
 
+./verify.sh server-linux-aarch64.tar.bz2 albyhub-Server-Linux-aarch64.tar.bz2
+if [[ $? -ne 0 ]]; then
+  echo "❌ Verification failed, aborting installation"
+  exit 1
+fi
+
 # Extract archives
 tar -xvf server-linux-aarch64.tar.bz2
 
diff --git a/scripts/pi-arm/install.sh b/scripts/pi-arm/install.sh
@@ -1,3 +1,5 @@
+VERIFIER_URL="https://getalby.com/install/hub/verify.sh"
+
 echo ""
 echo ""
 echo "⚡️ Welcome to Alby Hub"
@@ -10,6 +12,21 @@ sudo chown -R $USER:$USER /opt/albyhub
 cd /opt/albyhub
 wget https://getalby.com/install/hub/server-linux-armv6.tar.bz2
 
+if [[ ! -f "verify.sh" ]]; then
+  echo "Downloading the verification script..."
+  if ! wget -q "$VERIFIER_URL"; then
+    echo "❌ Failed to download the verification script." >&2
+    exit 1
+  fi
+  chmod +x verify.sh
+fi
+
+./verify.sh server-linux-armv6.tar.bz2 albyhub-Server-Linux-armv6.tar.bz2
+if [[ $? -ne 0 ]]; then
+  echo "❌ Verification failed, aborting installation"
+  exit 1
+fi
+
 # Extract archives
 tar -xvf server-linux-armv6.tar.bz2
 if [[ $? -ne 0 ]]; then
diff --git a/scripts/pi-arm/update.sh b/scripts/pi-arm/update.sh
@@ -13,6 +13,12 @@ cp -r data albyhub-backup
 
 wget https://getalby.com/install/hub/server-linux-armv6.tar.bz2
 
+./verify.sh server-linux-armv6.tar.bz2 albyhub-Server-Linux-armv6.tar.bz2
+if [[ $? -ne 0 ]]; then
+  echo "❌ Verification failed, aborting installation"
+  exit 1
+fi
+
 # Extract archives
 tar -xvf server-linux-armv6.tar.bz2
 
diff --git a/scripts/verify.sh b/scripts/verify.sh
@@ -0,0 +1,72 @@
+#!/bin/bash
+
+MANIFEST_URL="https://getalby.com/install/hub/manifest.txt"
+SIGNATURE_URL="https://getalby.com/install/hub/manifest.txt.asc"
+
+verify_package() {
+  local archive_file="${1}"
+  local filename_in_manifest="${2}"
+  local response=""
+
+  while true; do
+    read -r -p "Verify package signature and integrity? (Y/N): " response
+    case "$response" in
+      [Yy]) break ;;
+      [Nn]) echo "Verification skipped." ; return 0 ;;
+      *) echo "Invalid input. Please enter Y or N." ;;
+    esac
+  done
+
+  for cmd in gpg sha256sum; do
+    if ! command -v "$cmd" &>/dev/null; then
+      echo "❌ Required command '$cmd' is not available." >&2
+      return 1
+    fi
+  done
+
+  echo "Downloading manifest file..."
+  if ! wget -q "$MANIFEST_URL"; then
+    echo "❌ Failed to download manifest file." >&2
+    return 1
+  fi
+
+  echo "Downloading manifest signature file..."
+  if ! wget -q "$SIGNATURE_URL"; then
+    echo "❌ Failed to download manifest signature file." >&2
+    return 1
+  fi
+
+  if ! gpg --batch --verify "manifest.txt.asc" "manifest.txt"; then
+    echo "❌ GPG signature verification failed!" >&2
+    echo "Visit https://github.com/getAlby/hub/releases for more information on how to verify the release" >&2
+    return 1
+  fi
+
+  local expected_hash
+  expected_hash=$(grep "${filename_in_manifest}" "manifest.txt" | awk '{print $1}') || true
+  if [[ -z "$expected_hash" ]]; then
+    echo "❌ No hash entry found for ${filename_in_manifest} in the manifest." >&2
+    return 1
+  fi
+
+  local actual_hash
+  actual_hash=$(sha256sum "$archive_file" | awk '{print $1}')
+
+  if [[ "$expected_hash" != "$actual_hash" ]]; then
+    echo "❌ SHA256 hash mismatch! The file may be corrupted or tampered with." >&2
+    return 1
+  fi
+
+  echo "✅ Verification successful. The package is authentic and intact."
+  return 0
+}
+
+if [[ $# -ne 2 ]]; then
+  echo "Usage: $0 <archive_file> <filename_in_manifest>"
+  exit 1
+fi
+
+verify_package "$1" "$2"
+if [[ $? -ne 0 ]]; then
+  exit 1
+fi
