script to validate whether the hash of the trustanchors folder changed
This is useful to make sure the same set of TSAs is used on different machines and that they haven't been changed. E.g. I want to make sure I use the same TSAs on my local machine as in CI, and that the certificates imported in CI are the same as on my local machine, so that I can trust them.
26
hooks/validate_trustanchors_hash.sh
Executable file
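--- a/hooks/validate_trustanchors_hash.sh
+++ b/hooks/validate_trustanchors_hash.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Copyright (c) 2024 JankariTech UG
+# Authors: Artur Neumann
+# Script to check if the trustanchors have been changed
+
+TRUSTANCHOR_DIR="$1"
+EXPECTED_COMMIT_HASH="$2"
+
+if [[ $# -ne 2 ]]; then
+echo "Usage: $0 <trustanchor_dir> <expected_commit_hash>"
+exit 1
+fi
+
+if [ -z "$EXPECTED_COMMIT_HASH" ]; then
+echo "No expected hash provided"
+exit 1
+fi
+
+# get the sha256 hash of all files in the trustanchor directory
+ACTUAL_COMMIT_HASH=$(find "$TRUSTANCHOR_DIR" -type f -exec sha256sum {} \; | sort | sha256sum | cut -d ' ' -f 1)
+
+if [ "$EXPECTED_COMMIT_HASH" != "$ACTUAL_COMMIT_HASH" ]; then
+echo "The trustanchors have been changed, please review the provided hash"
+exit 1
+fi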
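Review bot: The aggregate hash in the `ACTUAL_COMMIT_HASH=` line is not portable between machines, which defeats the stated goal of comparing local and CI: each `sha256sum` output line embeds the path as given on the command line, so `./trustanchors`, `trustanchors/` and an absolute path all produce different digests for identical contents, and `sort` under a non-C locale may also order lines differently. Computing the list relative to the directory and pinning the collation fixes both: `ACTUAL_COMMIT_HASH=$(cd "$TRUSTANCHOR_DIR" && find . -type f -exec sha256sum {} + | LC_ALL=C sort | sha256sum | cut -d ' ' -f 1)`; note this changes the value of every previously recorded expected hash, so they have to be regenerated once. The script also never checks that the directory exists; without `set -o pipefail` a failing `find` yields the digest of empty input and the mismatch is reported as "trustanchors have been changed", so add `[[ -d "$TRUSTANCHOR_DIR" ]] || { echo "Not a directory: $TRUSTANCHOR_DIR" >&2; exit 1; }` before the hash line and send the other error messages to stderr as well. Lastly, the variable is named `EXPECTED_COMMIT_HASH` but holds a content digest, not a git commit hash; renaming it to `EXPECTED_HASH` (matching the `<expected_commit_hash>` usage text would need the same edit) avoids misleading the next reader.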