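#!/bin/bash
#
# Attempts to verify a Bloom bundle with all verification keys in the
# bundle key directory. If any succeeds, returns 0. Else, prints the errors
# from all attempts.
#
# Usage: verify_bundle.sh [--audit]
#   --audit   Report failures but exit 0 anyway. This only reports; a caller
#             that must enforce signature verification should not pass it.
#
# Exit status:
#   0  some key verified the bundle (or --audit was given)
#   1  no key verified the bundle, or an unknown option was passed
set -euo pipefail

readonly BUNDLE_KEY_DIR="/usr/share/bloom-bundle-key/"
readonly INSTALLER_MAIN="/usr/bin/installer_main"
AUDIT_MODE=false

#######################################
# Parses the command line, setting AUDIT_MODE=true for --audit.
# Globals:   AUDIT_MODE (written)
# Arguments: the script's arguments
# Returns:   0; exits 1 on an unknown option
#######################################
parse_args() {
  while [[ "$#" -gt 0 ]]; do
    case "$1" in
      --audit)
        AUDIT_MODE=true
        shift
        ;;
      *)
        # printf, not echo: an argument such as "-n" would otherwise be
        # swallowed as an echo option instead of being reported.
        printf 'Unknown option: %s\n' "$1" >&2
        exit 1
        ;;
    esac
  done
}

#######################################
# Tries every *.pem key in BUNDLE_KEY_DIR against the bundle; on the first
# success prints the key and exits 0. Otherwise prints every attempt's
# output and exits 1 (0 in audit mode).
# Globals:   BUNDLE_KEY_DIR, INSTALLER_MAIN, AUDIT_MODE (read)
# Arguments: none
# Outputs:   progress and the collected verifier logs on stdout
# Returns:   does not return; exits as described above
#######################################
main() {
  local -a failed_logs=()
  local keys_tried=0
  local key output log

  for key in "${BUNDLE_KEY_DIR}"/*.pem; do
    # With no match the glob stays literal; skip it, and skip anything
    # that is not a regular file.
    [[ -f "${key}" ]] || continue
    keys_tried=$((keys_tried + 1))

    # Attempt to verify the signature with the current key. stderr is merged
    # into the captured output so the failure log is complete.
    if output=$("${INSTALLER_MAIN}" --mode signature_check --public_key "${key}" 2>&1); then
      echo "Signature verification succeeded with key: ${key}"
      exit 0
    fi
    failed_logs+=("--- Log for key ${key} ---"$'\n'"${output}")
  done

  # No key worked. Print all logs.
  echo "Signature verification failed for all keys."
  if (( keys_tried == 0 )); then
    # Distinguish "every key was rejected" from "there was nothing to try",
    # which is a deployment problem rather than a bad signature.
    echo "No verification keys (*.pem) found in ${BUNDLE_KEY_DIR}" >&2
  fi
  # %s, not %b: the verifier's output is printed verbatim instead of having
  # backslash sequences in it reinterpreted. The ${arr[@]+...} form keeps an
  # empty array from tripping 'set -u' on bash releases before 4.4.
  for log in ${failed_logs[@]+"${failed_logs[@]}"}; do
    printf '%s\n' "${log}"
  done

  if [[ "${AUDIT_MODE}" == "true" ]]; then
    echo "Audit mode enabled, exiting with 0 despite failures."
    exit 0
  fi

  exit 1
}

parse_args "$@"
main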