summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorintrigeri <intrigeri@boum.org>2019-03-20 09:02:06 +0000
committerintrigeri <intrigeri@boum.org>2019-03-20 09:08:12 +0000
commit6bd1ca64d9e895dfd0e71b733f7f1ba4051fab7d (patch)
tree011e04fbd460353f82ccc31ca028852d3113e791
parent91a3d74fb6610e171218debb7bf33424aec3b058 (diff)
Make verification process more straightforward (refs: #12629)
The previous instructions did the check we want… *transitively*: we checked that the published products matched SHA512SUMS.txt, in a step that claims to compare them with locally built products; this was only valid because of the implicit (and so far correct) assumption that, at this point, we've already verified that what you have built matches SHA512SUMS.txt. This adds complexity and makes it needlessly hard to understand and review this process. Instead, let's directly do the check we want.
-rw-r--r--wiki/src/contribute/release_process/test/reproducibility.mdwn19
1 files changed, 17 insertions, 2 deletions
diff --git a/wiki/src/contribute/release_process/test/reproducibility.mdwn b/wiki/src/contribute/release_process/test/reproducibility.mdwn
index a1569f1..8e37be6 100644
--- a/wiki/src/contribute/release_process/test/reproducibility.mdwn
+++ b/wiki/src/contribute/release_process/test/reproducibility.mdwn
@@ -189,8 +189,23 @@ the following steps have to be done only after the release has been made public.
### ISO and USB images
- cd "${PUBLISHED_ARTIFACTS:?}/tails-amd64-${VERSION:?}" && \
- sha512sum -c "${SHA512SUMS:?}"
+ for type in iso usb ; do
+ case "$type" in
+ iso)
+ ext=iso
+ ;;
+ usb)
+ ext=img
+ ;;
+ esac
+ if cmp --quiet \
+ "${ISOS:?}/tails-amd64-${VERSION:?}/tails-amd64-${VERSION:?}.$ext" \
+ "${PUBLISHED_ARTIFACTS:?}/tails-amd64-${VERSION:?}/tails-amd64-${VERSION:?}.$ext" ; then
+ echo "OK: locally built $type matches the published one"
+ else
+ echo "FAIL: locally built $type does not match the published one"
+ fi
+ done
### IDF