verify-release: shell script that verifies a release tarball

This script remakes a provided curl release and verifies that the newly built version is identical to the original file. Due to bugs in releases up to and including curl 8.9.1, it does not work on tarballs generated before commit 754acd1a9d. Closes #14350
2024-08-02 08:46:06 +02:00 · 2024-08-02 08:46:06 +02:00 · 86039e6e42
commit 86039e6e42
parent fab526c032
2 changed files with 81 additions and 1 deletions
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@ -24,7 +24,7 @@

 EXTRA_DIST = coverage.sh completion.pl firefox-db2pem.sh checksrc.pl    \
 mk-ca-bundle.pl schemetable.c cd2nroff nroff2cd cdall cd2cd managen \
- dmaketgz release-tools.sh
+ dmaketgz release-tools.sh verify-release

 ZSH_FUNCTIONS_DIR = @ZSH_FUNCTIONS_DIR@
 FISH_FUNCTIONS_DIR = @FISH_FUNCTIONS_DIR@
--- a/scripts/verify-release
+++ b/scripts/verify-release
@ -0,0 +1,80 @@
+#!/bin/sh
+
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+# SPDX-License-Identifier: curl
+#
+###########################################################################
+
+# This script remakes a provided curl release and verifies that the newly
+# built version is identical to the original file.
+#
+# It is designed to be invoked in a clean directory with the path to the
+# release tarball as an argument.
+#
+
+set -eu
+
+tarball="${1:-}"
+
+if [ -z "$tarball" ]; then
+    echo "Provide a curl release tarball name as argument"
+    exit
+fi
+
+i="0"
+
+# shellcheck disable=SC2034
+for dl in curl-*; do
+    i=$((i + 1))
+done
+
+if test "$i" -gt 1; then
+    echo "multiple curl-* entries found, disambiguate please"
+    exit
+fi
+
+mkdir -p _tarballs
+rm -rf _tarballs/*
+
+# checksum the original tarball to compare with later
+sha256sum "$tarball" >_tarballs/checksum
+
+# extract the release contents
+tar xf "$tarball"
+
+curlver=$(grep '#define LIBCURL_VERSION ' curl-*/include/curl/curlver.h | sed 's/[^0-9.]//g')
+
+echo "version $curlver"
+
+timestamp=$(grep -Eo 'SOURCE_DATE_EPOCH=[0-9]*' curl-"$curlver"/docs/RELEASE-TOOLS.md | cut -d= -f2)
+
+pwd=$(pwd)
+cd "curl-$curlver"
+./configure --without-ssl
+./scripts/dmaketgz "$curlver" "$timestamp"
+
+mv curl-"$curlver"* ../_tarballs/
+cd "$pwd"
+cd "_tarballs"
+
+# compare the new tarball against the original
+sha256sum -c checksum