lilium-voyager/code/autoupdater/rsa_tools/build-libtom-unix.sh

80 lines
2.2 KiB
Bash
Raw Normal View History

Initial add of rsa_tools. This is just a simple RSA public key digital signature thing built on libtomcrypt. The gist: Some admin will generate a public/private key with rsa_make_keys, keeping the private key secret. Using the private key and rsa_sign, the admin will sign the autoupdater manifests, generating manifest.txt.sig. The public key ships with the game (adding 270 bytes to the download), the .sig is downloaded with the manifest by the autoupdater (256 bytes extra download), then the autoupdater checks the manifest against the signature with the public key. if the signature isn't valid (the manifest was tampered with or corrupt), the autoupdater refuses to continue. If the manifest is to be trusted, it lists sha256 checksums for every file to download, so there's no need to sign every file; if they can't tamper with the manifest, they can't tamper with any other file to be updated since the file's listed sha256 won't match. If the private key is compromised, we generate new keys and ship new installers, so new installations will be able to update but existing ones will need to do a new install to keep getting updates. Don't let the private key get compromised. The private key doesn't go on a public server. Maybe it doesn't even live on the admin's laptop hard drive. If the download server is compromised and serving malware, the autoupdater will reject it outright if they haven't compromised the private key, generated a new manifest, and signed it with the private key. libtomcrypt is sort of a big pile of source code, so instead of putting it in revision control, we have a script to download it. Most things don't need it. It lives on GitHub, so we _could_ do a git submodule, but most people don't need it, so why waste their disk and bandwidth? That said, when compiled you end up with a few hundred kilobytes of binary code to verify a signature and no external dependencies, so it seems like a win.
2017-06-04 00:26:07 +00:00
#!/bin/bash
TFMVER=0.13.1
LTCVER=1.17
set -e
OSTYPE=`uname -s`
if [ "$OSTYPE" = "Linux" ]; then
NCPU=`cat /proc/cpuinfo |grep vendor_id |wc -l`
let NCPU=$NCPU+1
elif [ "$OSTYPE" = "Darwin" ]; then
NCPU=`sysctl -n hw.ncpu`
2017-06-04 05:16:37 +00:00
export CFLAGS="$CFLAGS -mmacosx-version-min=10.7 -DMAC_OS_X_VERSION_MIN_REQUIRED=1070"
export LDFLAGS="$LDFLAGS -mmacosx-version-min=10.7"
Initial add of rsa_tools. This is just a simple RSA public key digital signature thing built on libtomcrypt. The gist: Some admin will generate a public/private key with rsa_make_keys, keeping the private key secret. Using the private key and rsa_sign, the admin will sign the autoupdater manifests, generating manifest.txt.sig. The public key ships with the game (adding 270 bytes to the download), the .sig is downloaded with the manifest by the autoupdater (256 bytes extra download), then the autoupdater checks the manifest against the signature with the public key. if the signature isn't valid (the manifest was tampered with or corrupt), the autoupdater refuses to continue. If the manifest is to be trusted, it lists sha256 checksums for every file to download, so there's no need to sign every file; if they can't tamper with the manifest, they can't tamper with any other file to be updated since the file's listed sha256 won't match. If the private key is compromised, we generate new keys and ship new installers, so new installations will be able to update but existing ones will need to do a new install to keep getting updates. Don't let the private key get compromised. The private key doesn't go on a public server. Maybe it doesn't even live on the admin's laptop hard drive. If the download server is compromised and serving malware, the autoupdater will reject it outright if they haven't compromised the private key, generated a new manifest, and signed it with the private key. libtomcrypt is sort of a big pile of source code, so instead of putting it in revision control, we have a script to download it. Most things don't need it. It lives on GitHub, so we _could_ do a git submodule, but most people don't need it, so why waste their disk and bandwidth? That said, when compiled you end up with a few hundred kilobytes of binary code to verify a signature and no external dependencies, so it seems like a win.
2017-06-04 00:26:07 +00:00
elif [ "$OSTYPE" = "SunOS" ]; then
NCPU=`/usr/sbin/psrinfo |wc -l |sed -e 's/^ *//g;s/ *$//g'`
else
NCPU=1
fi
if [ -z "$NCPU" ]; then
NCPU=1
elif [ "$NCPU" = "0" ]; then
NCPU=1
fi
if [ ! -f tfm-$TFMVER.tar.xz ]; then
echo "Downloading TomsFastMath $TFMVER sources..."
curl -L -o tfm-$TFMVER.tar.xz https://github.com/libtom/tomsfastmath/releases/download/v$TFMVER/tfm-$TFMVER.tar.xz || exit 1
fi
if [ ! -f ./crypt-$LTCVER.tar.bz2 ]; then
echo "Downloading LibTomCrypt $LTCVER sources..."
curl -L -o crypt-$LTCVER.tar.bz2 https://github.com/libtom/libtomcrypt/releases/download/$LTCVER/crypt-$LTCVER.tar.bz2 || exit 1
fi
Initial add of rsa_tools. This is just a simple RSA public key digital signature thing built on libtomcrypt. The gist: Some admin will generate a public/private key with rsa_make_keys, keeping the private key secret. Using the private key and rsa_sign, the admin will sign the autoupdater manifests, generating manifest.txt.sig. The public key ships with the game (adding 270 bytes to the download), the .sig is downloaded with the manifest by the autoupdater (256 bytes extra download), then the autoupdater checks the manifest against the signature with the public key. if the signature isn't valid (the manifest was tampered with or corrupt), the autoupdater refuses to continue. If the manifest is to be trusted, it lists sha256 checksums for every file to download, so there's no need to sign every file; if they can't tamper with the manifest, they can't tamper with any other file to be updated since the file's listed sha256 won't match. If the private key is compromised, we generate new keys and ship new installers, so new installations will be able to update but existing ones will need to do a new install to keep getting updates. Don't let the private key get compromised. The private key doesn't go on a public server. Maybe it doesn't even live on the admin's laptop hard drive. If the download server is compromised and serving malware, the autoupdater will reject it outright if they haven't compromised the private key, generated a new manifest, and signed it with the private key. libtomcrypt is sort of a big pile of source code, so instead of putting it in revision control, we have a script to download it. Most things don't need it. It lives on GitHub, so we _could_ do a git submodule, but most people don't need it, so why waste their disk and bandwidth? That said, when compiled you end up with a few hundred kilobytes of binary code to verify a signature and no external dependencies, so it seems like a win.
2017-06-04 00:26:07 +00:00
if [ ! -d tomsfastmath-$TFMVER ]; then
echo "Checking TomsFastMath archive hash..."
if [ "`shasum -a 256 tfm-$TFMVER.tar.xz |awk '{print $1;}'`" != "47c97a1ada3ccc9fcbd2a8a922d5859a84b4ba53778c84c1d509c1a955ac1738" ]; then
echo "Uhoh, tfm-$TFMVER.tar.xz does not have the sha256sum we expected!"
exit 1
fi
Initial add of rsa_tools. This is just a simple RSA public key digital signature thing built on libtomcrypt. The gist: Some admin will generate a public/private key with rsa_make_keys, keeping the private key secret. Using the private key and rsa_sign, the admin will sign the autoupdater manifests, generating manifest.txt.sig. The public key ships with the game (adding 270 bytes to the download), the .sig is downloaded with the manifest by the autoupdater (256 bytes extra download), then the autoupdater checks the manifest against the signature with the public key. if the signature isn't valid (the manifest was tampered with or corrupt), the autoupdater refuses to continue. If the manifest is to be trusted, it lists sha256 checksums for every file to download, so there's no need to sign every file; if they can't tamper with the manifest, they can't tamper with any other file to be updated since the file's listed sha256 won't match. If the private key is compromised, we generate new keys and ship new installers, so new installations will be able to update but existing ones will need to do a new install to keep getting updates. Don't let the private key get compromised. The private key doesn't go on a public server. Maybe it doesn't even live on the admin's laptop hard drive. If the download server is compromised and serving malware, the autoupdater will reject it outright if they haven't compromised the private key, generated a new manifest, and signed it with the private key. libtomcrypt is sort of a big pile of source code, so instead of putting it in revision control, we have a script to download it. Most things don't need it. It lives on GitHub, so we _could_ do a git submodule, but most people don't need it, so why waste their disk and bandwidth? That said, when compiled you end up with a few hundred kilobytes of binary code to verify a signature and no external dependencies, so it seems like a win.
2017-06-04 00:26:07 +00:00
echo "Unpacking TomsFastMath $TFMVER sources..."
tar -xJvvf ./tfm-$TFMVER.tar.xz
fi
if [ ! -d libtomcrypt-$LTCVER ]; then
if [ "`shasum -a 256 crypt-$LTCVER.tar.bz2 |awk '{print $1;}'`" != "e33b47d77a495091c8703175a25c8228aff043140b2554c08a3c3cd71f79d116" ]; then
echo "Uhoh, crypt-$LTCVER.tar.bz2 does not have the sha256sum we expected!"
exit 1
fi
Initial add of rsa_tools. This is just a simple RSA public key digital signature thing built on libtomcrypt. The gist: Some admin will generate a public/private key with rsa_make_keys, keeping the private key secret. Using the private key and rsa_sign, the admin will sign the autoupdater manifests, generating manifest.txt.sig. The public key ships with the game (adding 270 bytes to the download), the .sig is downloaded with the manifest by the autoupdater (256 bytes extra download), then the autoupdater checks the manifest against the signature with the public key. if the signature isn't valid (the manifest was tampered with or corrupt), the autoupdater refuses to continue. If the manifest is to be trusted, it lists sha256 checksums for every file to download, so there's no need to sign every file; if they can't tamper with the manifest, they can't tamper with any other file to be updated since the file's listed sha256 won't match. If the private key is compromised, we generate new keys and ship new installers, so new installations will be able to update but existing ones will need to do a new install to keep getting updates. Don't let the private key get compromised. The private key doesn't go on a public server. Maybe it doesn't even live on the admin's laptop hard drive. If the download server is compromised and serving malware, the autoupdater will reject it outright if they haven't compromised the private key, generated a new manifest, and signed it with the private key. libtomcrypt is sort of a big pile of source code, so instead of putting it in revision control, we have a script to download it. Most things don't need it. It lives on GitHub, so we _could_ do a git submodule, but most people don't need it, so why waste their disk and bandwidth? That said, when compiled you end up with a few hundred kilobytes of binary code to verify a signature and no external dependencies, so it seems like a win.
2017-06-04 00:26:07 +00:00
echo "Unpacking LibTomCrypt $LTCVER sources..."
tar -xjvvf ./crypt-$LTCVER.tar.bz2
fi
echo
echo
echo "Will use make -j$NCPU. If this is wrong, check NCPU at top of script."
echo
echo
set -e
set -x
# Some compilers can't handle the ROLC inline asm; just turn it off.
cd tomsfastmath-$TFMVER
make -j$NCPU
cd ..
export CFLAGS="$CFLAGS -DTFM_DESC -DLTC_NO_ROLC -I ../tomsfastmath-$TFMVER/src/headers"
cd libtomcrypt-$LTCVER
make -j$NCPU
cd ..
set +x
echo "All done."
# end of build-libtom-unix.sh ...