
Commit 996127a

committed
tools: verify with gpg if md5 is not present in update-icu
ICU releases may not include md5 files to verify code. Added a branch to verify from .asc file using gpg in such cases. Fixes: #50498
1 parent a037b88 commit 996127a


1 file changed

+25
-6
lines changed


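--- a/tools/dep_updaters/update-icu.sh
+++ b/tools/dep_updaters/update-icu.sh
@@ -41,6 +41,9 @@ NEW_VERSION_TGZ="icu4c-${LOW_DASHED_NEW_VERSION}-src.tgz"
 NEW_VERSION_TGZ_URL="https://github.com/unicode-org/icu/releases/download/release-${DASHED_NEW_VERSION}/$NEW_VERSION_TGZ"
 
 NEW_VERSION_MD5="https://github.com/unicode-org/icu/releases/download/release-${DASHED_NEW_VERSION}/icu4c-${LOW_DASHED_NEW_VERSION}-src.md5"
+NEW_VERSION_TGZ_ASC_URL="https://github.com/unicode-org/icu/releases/download/release-${DASHED_NEW_VERSION}/icu4c-${LOW_DASHED_NEW_VERSION}-src.tgz.asc"
+
+KEY_URL="https://raw.githubusercontent.com/unicode-org/icu/release-$(echo $NEW_VERSION | sed 's/\./-/')/KEYS"
 
 ./configure --with-intl=full-icu --with-icu-source="$NEW_VERSION_TGZ_URL"
 
@@ -50,13 +53,29 @@ rm -rf "$DEPS_DIR/icu"
 
 CHECKSUM=$(curl -sL "$NEW_VERSION_MD5" | grep "$NEW_VERSION_TGZ" | grep -v "\.asc$" | awk '{print $1}')
 
-GENERATED_CHECKSUM=$( curl -sL "$NEW_VERSION_TGZ_URL" | md5sum | cut -d ' ' -f1)
-
-echo "Comparing checksums: deposited $CHECKSUM with $GENERATED_CHECKSUM"
 
-if [ "$CHECKSUM" != "$GENERATED_CHECKSUM" ]; then
-echo "Skipped because checksums do not match."
-exit 0
+if [ -n "$CHECKSUM" ]; then
+GENERATED_CHECKSUM=$( curl -sL "$NEW_VERSION_TGZ_URL" | md5sum | cut -d ' ' -f1)
+echo "Comparing checksums: deposited $CHECKSUM with $GENERATED_CHECKSUM"
+if [ "$CHECKSUM" != "$GENERATED_CHECKSUM" ]; then
+echo "Skipped because checksums do not match."
+exit 0
+fi
+else
+echo "Checksum not found"
+echo "check with gpg"
+curl -sL "$KEY_URL" > KEYS
+curl -sL "$NEW_VERSION_TGZ_URL" > data.tgz
+curl -sL "$NEW_VERSION_TGZ_ASC_URL" > signature.asc
+gpg --import KEYS
+if gpg --verify signature.asc data.tgz; then
+echo "Signature verified"
+rm data.tgz signature.asc KEYS
+else
+echo "Skipped because signature verification failed."
+rm data.tgz signature.asc KEYS
+exit 1
+fi
 fi
 
 perl -i -pe "s|\"url\": .*|\"url\": \"$NEW_VERSION_TGZ_URL\",|" "$TOOLS_DIR/icu/current_ver.dep"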
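Review bot: The gpg fallback in the second hunk runs `gpg --import KEYS` against the caller's default keyring, so `gpg --verify signature.asc data.tgz` succeeds for a good signature from any key that keyring already holds, and each run leaves the ICU keys behind in the maintainer's or CI user's keyring. Running both gpg calls with `--homedir` on a `mktemp -d` directory limits the check to the keys in `KEYS` and avoids the fixed `data.tgz`/`signature.asc`/`KEYS` names in the working directory; adding `-f` to the curl calls stops an HTTP error page from being saved as a key or signature file. Because `KEYS` is downloaded at run time from the same GitHub organisation as the tarball, a pass only shows the archive matches what that branch currently publishes, so the signer should also be compared against release-key fingerprints pinned in this repository. The verified bytes are also a second download, separate from the one `./configure --with-icu-source` fetched in the first hunk, which is presumably what ends up in deps.

```shell
else
  # … unchanged: "Checksum not found" / "check with gpg" messages …
  verify_dir=$(mktemp -d)
  trap 'rm -rf -- "$verify_dir"' EXIT
  curl -fsSL "$KEY_URL" -o "$verify_dir/KEYS"
  curl -fsSL "$NEW_VERSION_TGZ_URL" -o "$verify_dir/data.tgz"
  curl -fsSL "$NEW_VERSION_TGZ_ASC_URL" -o "$verify_dir/signature.asc"
  # Scratch keyring: only keys from KEYS can satisfy --verify, and the
  # caller's own keyring is left untouched.
  gpg --homedir "$verify_dir" --import "$verify_dir/KEYS"
  if gpg --homedir "$verify_dir" --verify "$verify_dir/signature.asc" "$verify_dir/data.tgz"; then
    echo "Signature verified"
  else
    echo "Skipped because signature verification failed."
    exit 1
  fi
```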
