Index: trunk/util/sign/crl_repo.hu.pem
===================================================================
--- trunk/util/sign/crl_repo.hu.pem	(nonexistent)
+++ trunk/util/sign/crl_repo.hu.pem	(revision 30740)
@@ -0,0 +1,19 @@
+-----BEGIN X509 CRL-----
+MIIDGzCCAQMwDQYJKoZIhvcNAQELBQAwgb0xCzAJBgNVBAYTAkhVMREwDwYDVQQI
+EwhCdWRhcGVzdDERMA8GA1UEBxMIQnVkYXBlc3QxEDAOBgNVBAoTB3JlcG8uaHUx
+DjAMBgNVBAsTBUlnb3IyMRMwEQYDVQQDEwpyZXBvLmh1IENBMSwwKgYDVQQpEyNy
+ZXBvLmh1IHB1YmxpYyBzc2wgYW5kIGZpbGUgc2lnbmluZzEjMCEGCSqGSIb3DQEJ
+ARYUa2V5aW5nQGlnb3IyLnJlcG8uaHUXDTIwMDQyMTE1Mzk0M1oXDTIwMDUyMTE1
+Mzk0M1owFDASAgEBFw0yMDA0MjExNTM5NDNaMA0GCSqGSIb3DQEBCwUAA4ICAQDI
+m21vna5oUWP+H0S5bH7sGvOa3B5akETXTtieUx2+9+RCGaqnlnGYqHD6kgxNj4ly
+w6i8KNAHUFRHZGPis5GwEBkQE45FtQDm9ycQ/DJoR4uZ/wiwUz7iC2jf2D6oaqS5
+8efc2qIjPOc/HIHOcsyE98M6P9ch+XvsXL2dzvE1i/HJ6ETHk1S1rcpBvfP4SyeO
+7Me5MTYb5XT8Rxl1xVcKSeji90vMZt+byO3JVyUlzzaAr5bD+2HO+v+MDOAlnfQ1
+y8KW1/v3tztt1YQB4vpqtidE0+jVuIj6nQEvjckKQhoxMnJActPDqmPb+TS+UDhq
+QIt6T5ynC1JhqrnowS5C4WwmwQfUZwyDF+rTtPgWoe+XDWiGvo4xyWqMECsESTeX
+tuNxBLbfaVlMHE4/10KdjeqtiJbvOXuXoPtkiWF/5+259vT/ZWBy+0KJZL/F1kh7
+hpt9x8S089DBJ7ZoStOAmZQpA5rkklvf4hLpMJwy0mWdOQ/nnHG/LlggOjPDSa2u
+roVx7n1RknPuMlQz+YR7xhZ4ftwBNXXGC3qskpkNKu71k8mvvntt+BcFQdC1LTiT
+VoNfB+cLW+UL+KawGBogv7gPiMY1NG+OtEzpd4e7quuliyAMsnq6T7AKz+FJMaMd
+0Bd7sOPgntpk3gjfPtLa0IyC7CnP3bPdHlr9RrPBFQ==
+-----END X509 CRL-----
Index: trunk/util/sign/rootca_repo.hu_2020.crt
===================================================================
--- trunk/util/sign/rootca_repo.hu_2020.crt	(nonexistent)
+++ trunk/util/sign/rootca_repo.hu_2020.crt	(revision 30740)
@@ -0,0 +1,41 @@
+-----BEGIN CERTIFICATE-----
+MIIHJzCCBQ+gAwIBAgIJAOOTjzdHBDWkMA0GCSqGSIb3DQEBCwUAMIG9MQswCQYD
+VQQGEwJIVTERMA8GA1UECBMIQnVkYXBlc3QxETAPBgNVBAcTCEJ1ZGFwZXN0MRAw
+DgYDVQQKEwdyZXBvLmh1MQ4wDAYDVQQLEwVJZ29yMjETMBEGA1UEAxMKcmVwby5o
+dSBDQTEsMCoGA1UEKRMjcmVwby5odSBwdWJsaWMgc3NsIGFuZCBmaWxlIHNpZ25p
+bmcxIzAhBgkqhkiG9w0BCQEWFGtleWluZ0BpZ29yMi5yZXBvLmh1MB4XDTIwMDQy
+MTEyMjYwNVoXDTMwMDQxOTEyMjYwNVowgb0xCzAJBgNVBAYTAkhVMREwDwYDVQQI
+EwhCdWRhcGVzdDERMA8GA1UEBxMIQnVkYXBlc3QxEDAOBgNVBAoTB3JlcG8uaHUx
+DjAMBgNVBAsTBUlnb3IyMRMwEQYDVQQDEwpyZXBvLmh1IENBMSwwKgYDVQQpEyNy
+ZXBvLmh1IHB1YmxpYyBzc2wgYW5kIGZpbGUgc2lnbmluZzEjMCEGCSqGSIb3DQEJ
+ARYUa2V5aW5nQGlnb3IyLnJlcG8uaHUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
+ggIKAoICAQDXBFlluNaF/Pikec4TeEq/UsZAg1XhhmUJZnzAx7i84ramW0rvvdxN
+bdWAAjuaQG7qRSnZNQieDcHKq/xeAz3TMxmXGytclOh7HtXaTbg963dQd4sZ7wK+
+Nv1znTJSR5jx6u5ijiaKqktVRiRndUsWw/pKSZvEY8uCc+4vK0xzPM49cYMOG0VV
+Vs3IT47piONWbuCqXgi+ijHFHpPKLW2x4jDP6OXhXHWMg2J8+q/ggqURpUscNnvP
+NfIPGyr7ZRsVVrTRNHA1clYDJFbHrkqhcjSodWvEmAbmz31DfYrlxnDVEmYqOqxO
+K6y2cn0rYUbuM8yc1hO4MgncXZ1y+3SoFK/LvsPR1MlGeqMRBL4Ru/S7q8/NEak8
++gPYJiIdy5Pt9hzZv1C7cPlsxXS1xCHJOk2xNbDrUuDV98P0ZYYY/7K98fss43vZ
+UzbR/+eVhrjESFiHY/7Gcknaa9d0RMzSNWik/cBUwDty1C9OdxqeOmWE/uRqsViF
+6ypxRG9ZRJnuqWxa8+PT3EFJLARizz06uzD0nN0xqMI1k3s5hXDDSloH8eK4UF2j
+ZtHLo0m/4b6l3dZmkG5/eJAq2Kg8r6Bzx9oAnRUW8MPjJL95XrDClWAVrABTWs0E
+409AklGh8w4+hB2xD8ZbNXDMyu1S+ic1CzYPMa9a3NPsrG1/H9A2WwIDAQABo4IB
+JjCCASIwHQYDVR0OBBYEFOxDrX4j1c5ZbQdhCaRmlzxEAKx5MIHyBgNVHSMEgeow
+geeAFOxDrX4j1c5ZbQdhCaRmlzxEAKx5oYHDpIHAMIG9MQswCQYDVQQGEwJIVTER
+MA8GA1UECBMIQnVkYXBlc3QxETAPBgNVBAcTCEJ1ZGFwZXN0MRAwDgYDVQQKEwdy
+ZXBvLmh1MQ4wDAYDVQQLEwVJZ29yMjETMBEGA1UEAxMKcmVwby5odSBDQTEsMCoG
+A1UEKRMjcmVwby5odSBwdWJsaWMgc3NsIGFuZCBmaWxlIHNpZ25pbmcxIzAhBgkq
+hkiG9w0BCQEWFGtleWluZ0BpZ29yMi5yZXBvLmh1ggkA45OPN0cENaQwDAYDVR0T
+BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAJz/MUVFBYvWto1iDHYFQWz2hRitx
+AKtphsKtUF0fZ4mwZ/GN8/gItKaEndkFVQt250/ZlDqNOsR0WUwxHUuvKQnZj3yK
+QPWqJf4XAiXWD4UHm+xjIKub6K5SgrWKDF+2pM0vWHv80vinpwKCmn1qlFRY9hZY
+Cr40yGATb9Ebr5mO3Q+Xacj/EmPxogjPd0IkoC2sHnlaXIkDtD4sZtqQyJc1h1fQ
+xfxYh/w3kURTps856Y8wlvpc2R4B592sTf4p78Jv+tQxm400HNE4NNyNUwmHvQ9p
+gRW/HWBVy/vjGhYz4645VBwFQ7bt0qLFaEOQBxOHYY+J8uneH8vMGtJduS0gyHvb
+Qv/rOS71gPau2niTLH7CbKtqdG1RY1O6npjAxLIKsO5QJN1BN5svg8M6bIvY4KJZ
+n3f1ISJQTIUvyu+A2gOe2459qf1Bn3zalYVPWmDqBLkqnR1mnCEhOYuNR1ES05xx
+tJWzfQSerBJWQqTZ430E3zwapFVWCOky5H89xFPXBiodWfOzpdenAHBaoSqjG6fM
+tqJ0umljL+Xn6EzaHsAjEkJFTK4TZ71SAFugRNRrXlX9+efZmTHpNDXzZ1gs5j71
+o1IQ9wl2eSopft8NU0nbefnfQ1+QcEAqM9z9BM3u0I2kX7ddPI7KzGCqq3nxrP6c
+C7BZ2G6M6Jr7pXA=
+-----END CERTIFICATE-----
Index: trunk/util/sign/verify.sh
===================================================================
--- trunk/util/sign/verify.sh	(nonexistent)
+++ trunk/util/sign/verify.sh	(revision 30740)
@@ -0,0 +1,113 @@
+#!/bin/sh
+
+### defaults ###
+ca=rootca_repo.hu_2020.crt
+crl=crl_repo.hu.pem
+
+### implementation ###
+
+verify()
+{
+	local base="$1" sig="$1.sig" crt="$1.crt"
+
+	# check if all files are in place
+	if test ! -f "$base"
+	then
+		echo "Content file $base does not exist" >&2
+		return 1
+	fi
+
+	if test ! -f "$sig"
+	then
+		echo "Signature file $sig does not exist - please download that too!" >&2
+		return 1
+	fi
+
+	if test ! -f "$crt"
+	then
+		echo "Certificate file $crt does not exist - please download that too!" >&2
+		return 1
+	fi
+
+	if test ! -f "$ca"
+	then
+		echo "repo.hu CA cert $ca not found. Please download it from multiple sources" >&2
+		return 1
+	fi
+
+	if test ! -f "$crl"
+	then
+		echo "repo.hu CRL $crl not found. Please download it from multiple sources" >&2
+		return 1
+	fi
+
+	# step 4: check file's cert against repo.hu CA and CRL
+	cat $ca $crl > .ca_crl.pem
+	openssl verify -crl_check -CAfile .ca_crl.pem $crt >&2
+	if test $? != 0
+	then
+		return 1
+	fi
+
+	# step 5: check file's sig against file's cert
+	openssl x509 -pubkey -noout -in $crt > $crt.pem && \
+	openssl dgst -verify $crt.pem -signature $sig $base >&2
+}
+
+fingerprint()
+{
+	echo -n "CA  "
+	openssl x509 -fingerprint -noout -in $ca
+	echo -n "CRL "
+	openssl crl -fingerprint -noout -in $crl
+}
+
+help()
+{
+echo 'verify.sh - pcb-rnd download signature verify script
+Usage: ./verify.sh [--fp] [--ca CA_file] [--crl CRL_file] downloaded_file
+
+Download the CA and CRL files from multiple sources to make sure they match.
+Altneratively print the the fingerprint with --fp and check that from
+multiple sources.
+
+The verification process is documented at
+
+http://www.repo.hu/cgi-bin/pool.cgi?cmd=show&node=sign
+
+Remember:
+
+ - if you run this for the first time, you absolutely need to verify the CA
+   from multiple sources
+
+ - before running the script, please get the latest CRL, from multiple sources
+
+The effective security of this process largely depends on these two steps.
+'
+}
+
+### main ###
+
+bad=0
+while test $# -gt 0
+do
+	case "$1" in
+		--help) help "$@"; exit;;
+		--fp)  fingerprint ;;
+		--ca) shift 1; ca="$1";;
+		--crl) shift 1; crl="$1";;
+		*)
+			verify "$1"
+			if test $? = 0
+			then
+				echo "*** $1: ok"
+			else
+				echo "*** $1: FAILED"
+				bad=1
+			fi
+	esac
+
+	shift 1
+done
+
+exit $bad

Property changes on: trunk/util/sign/verify.sh
___________________________________________________________________
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property