Checking MD5 and signatures with a shell script


We are currently voting on the upcoming Apache log4php 2.1.0 release. An Apache release usually contains the src package, an asc file and an md5 file. The asc file contains the signature of the release manager, which is accessible from the project's page. The md5 file contains the checksum for the release.

I wrote a small script which helps to check the md5 and the signature. It has been developed on OS X 10.6.7. I use the preinstalled md5 tool and installed gpg with:

port install gpg

The latter one is pretty similar to pgp, just GPL licensed.

You might tweak this script so it fits your release. May it give you a good start ;-)

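#!/bin/bash
# Usage: ./verify.sh <release-file>
# Expects <release-file>.md5 and <release-file>.asc next to the release file.

# Checksum of the downloaded file (md5 -q is the OS X tool and prints only the hash)
file1=$(md5 -q "$1")
# Expected checksum: the part of the .md5 file before the "*", whitespace stripped
file2=$(cut -d'*' -f1 "$1.md5" | tr -d '[:space:]')

echo "Checking file: $1"
echo "Using MD5 file: $1.md5"
echo "$file1"
echo "$file2"

# An empty checksum (missing file, failed md5 call) must never count as a match
if [ -z "$file1" ] || [ "$file1" != "$file2" ]
then
  echo "md5 sums mismatch"
else
  echo "checksums OK"
fi

echo "GPG verification output"
gpg --verify "$1.asc" "$1"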

To call it, you need to pass the filename to check as a parameter:

$ ./verify.sh Apache_log4php-2.1.0-pear.tgz

That's it. The output should look like:

Checking file: Apache_log4php-2.1.0-pear.tgz
Using MD5 file: Apache_log4php-2.1.0-pear.tgz.md5
b39f7d2b216542cc7fb81c3a126b07e6
b39f7d2b216542cc7fb81c3a126b07e6
checksums OK
GPG verification output
gpg: Unterschrift vom Di 28 Jun 11:09:39 2011 CEST mittels RSA-Schlüssel ID xxx
gpg: Korrekte Unterschrift von "xxx"
Haupt-Fingerabdruck  = xxxxxx
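
A "Korrekte Unterschrift" (good signature) line only says that some key in the local keyring made the signature. The following added example (not part of the original script) reads gpg's machine-readable status output and accepts the release only when the signer's primary key fingerprint equals a pinned value; EXPECTED_FPR, SAMPLE_STATUS and the function names are assumptions made for this illustration.

```shell
#!/bin/bash
# Added example: require a good signature from one pinned key.
# EXPECTED_FPR is a constructed placeholder; use the release manager's
# fingerprint as published by the project.
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed sample of `gpg --status-fd 1 --verify` output for a good signature.
SAMPLE_STATUS="[GNUPG:] GOODSIG 89ABCDEF01234567 Release Manager <rm@example.org>
[GNUPG:] VALIDSIG $EXPECTED_FPR 2011-06-28 1309252179 0 4 0 1 2 00 $EXPECTED_FPR"

# Read gpg status lines on stdin; print the primary key fingerprint only if
# there is exactly one signature and gpg reported it as GOODSIG (EXPKEYSIG,
# REVKEYSIG and BADSIG carry no GOODSIG line and are therefore rejected).
signer_fpr() {
  awk '$1 != "[GNUPG:]" { next }
       $2 == "GOODSIG"  { good = 1 }
       $2 == "VALIDSIG" { n++; fpr = (NF >= 12 ? $12 : $3) }
       END { if (good && n == 1) print toupper(fpr); else exit 1 }'
}

# Succeed only if the status text on stdin names fingerprint $1 as the signer.
check_signer() {
  local fpr
  fpr=$(signer_fpr) || { echo "no single good signature"; return 1; }
  if [ "$fpr" = "$1" ]; then
    echo "good signature from expected key $fpr"
  else
    echo "good signature, but from unexpected key $fpr"; return 1
  fi
}

# Verify FILE against FILE.asc with the pinned key.
verify_release() {
  gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | check_signer "$EXPECTED_FPR"
}

# Run the check when a file name is passed, like verify.sh above.
if [ -n "${1:-}" ]; then verify_release "$1" || exit 1; fi
```

The script exits non-zero when the signature is missing, bad, or made by any key other than the pinned one, so it can gate a release vote or a build step.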