From d22f203ab5b04e04de0dbcdf0fce3ec6a18dbf51 Mon Sep 17 00:00:00 2001
From: Artur Neumann
Date: Wed, 22 Jan 2025 13:58:00 +0545
Subject: [PATCH 1/2] script to validate whether the hash of the trustanchors folder changed
this is useful to make sure the same set of TSA are used on different machines and that they haven't been changed. E.g. I want to make sure I use the same TSA on my local machine as in CI and I want to make sure the imported certificates in CI are the same as in my local machine, so that I can trust them.
---
hooks/validate_trustanchors_hash.sh | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100755 hooks/validate_trustanchors_hash.sh
diff --git a/hooks/validate_trustanchors_hash.sh b/hooks/validate_trustanchors_hash.sh
new file mode 100755
index 0000000..d11592c
--- /dev/null
+++ b/hooks/validate_trustanchors_hash.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Copyright (c) 2024 JankariTech UG
+# Authors: Artur Neumann
+# Script to check if the trustanchors have been changed
+
+TRUSTANCHOR_DIR="$1"
+EXPECTED_COMMIT_HASH="$2"
+
+if [[ $# -ne 2 ]]; then
+ echo "Usage: $0 "
+ exit 1
+fi
+
+if [ -z "$EXPECTED_COMMIT_HASH" ]; then
+ echo "No expected hash provided"
+ exit 1
+fi
+
+# get the sha256 hash of all files in the trustanchor directory
+ACTUAL_COMMIT_HASH=$(find "$TRUSTANCHOR_DIR" -type f -exec sha256sum {} \; | sort | sha256sum | cut -d ' ' -f 1)
+
+if [ "$EXPECTED_COMMIT_HASH" != "$ACTUAL_COMMIT_HASH" ]; then
+ echo "The trustanchors have been changed, please review the provided hash"
+ exit 1
+fi
--
2.40.1
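Review bot: The hash computed in the `ACTUAL_COMMIT_HASH=$(find "$TRUSTANCHOR_DIR" ...)` line is not reproducible across machines, which defeats the stated purpose of comparing local and CI trust anchors: `sha256sum` prints the path it was given, so `./trustanchors`, `trustanchors/` and an absolute path hash differently for identical content, and `sort` without `LC_ALL=C` orders differently per locale. A missing or mistyped directory is also not rejected — `find` only writes to stderr, the pipeline continues and hashes empty input, so the script reports "changed" instead of a clear error (and with `set -o pipefail` absent the `find` failure is invisible). Note too that `-type f` skips symlinks, so a trust anchor replaced by a symlink to another file is not reflected in the hash; whether that matters depends on how the directory is populated. The usage line `echo "Usage: $0 "` appears to have lost its argument placeholders, possibly in rendering — worth confirming. The fence below hashes paths relative to the directory, pins the sort locale, and fails early when the directory does not exist.

```shell
set -o pipefail

# … unchanged: argument count and empty-hash checks …

if [ ! -d "$TRUSTANCHOR_DIR" ]; then
  echo "Trustanchor directory not found: $TRUSTANCHOR_DIR" >&2
  exit 1
fi

# Hash relative to the directory so the result does not depend on how the
# path was spelled on each machine; LC_ALL=C makes the sort order stable.
ACTUAL_COMMIT_HASH=$(
  cd "$TRUSTANCHOR_DIR" &&
  find . -type f -exec sha256sum {} + | LC_ALL=C sort | sha256sum | cut -d ' ' -f 1
) || exit 1

# … unchanged: comparison against EXPECTED_COMMIT_HASH …
```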