verify-release: shell script that verifies a release tarball

This script remakes a provided curl release and verifies that the newly
built version is identical to the original file.

Due to bugs in releases up to and including curl 8.9.1, it does not work
on tarballs generated before commit 754acd1a9dc6.

Closes #14350

diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index 1b8c4e7366a1178c9abc36a7063b43573b636400..1a9a283cc5988e3f954300a0513c8203dd8ede12 100644 (file)
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -24,7 +24,7 @@
 
 EXTRA_DIST = coverage.sh completion.pl firefox-db2pem.sh checksrc.pl    \
  mk-ca-bundle.pl schemetable.c cd2nroff nroff2cd cdall cd2cd managen \
- dmaketgz release-tools.sh
+ dmaketgz release-tools.sh verify-release
 
 ZSH_FUNCTIONS_DIR = @ZSH_FUNCTIONS_DIR@
 FISH_FUNCTIONS_DIR = @FISH_FUNCTIONS_DIR@

diff --git a/scripts/verify-release b/scripts/verify-release
new file mode 100755 (executable)
index 0000000..3b8977d
--- /dev/null
+++ b/scripts/verify-release
@@ -0,0 +1,80 @@
+#!/bin/sh
+
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+# SPDX-License-Identifier: curl
+#
+###########################################################################
+
+# This script remakes a provided curl release and verifies that the newly
+# built version is identical to the original file.
+#
+# It is designed to be invoked in a clean directory with the path to the
+# release tarball as an argument.
+#
+
+set -eu
+
+tarball="${1:-}"
+
+if [ -z "$tarball" ]; then
+    echo "Provide a curl release tarball name as argument"
+    exit
+fi
+
+i="0"
+
+# shellcheck disable=SC2034
+for dl in curl-*; do
+    i=$((i + 1))
+done
+
+if test "$i" -gt 1; then
+    echo "multiple curl-* entries found, disambiguate please"
+    exit
+fi
+
+mkdir -p _tarballs
+rm -rf _tarballs/*
+
+# checksum the original tarball to compare with later
+sha256sum "$tarball" >_tarballs/checksum
+
+# extract the release contents
+tar xf "$tarball"
+
+curlver=$(grep '#define LIBCURL_VERSION ' curl-*/include/curl/curlver.h | sed 's/[^0-9.]//g')
+
+echo "version $curlver"
+
+timestamp=$(grep -Eo 'SOURCE_DATE_EPOCH=[0-9]*' curl-"$curlver"/docs/RELEASE-TOOLS.md | cut -d= -f2)
+
+pwd=$(pwd)
+cd "curl-$curlver"
+./configure --without-ssl
+./scripts/dmaketgz "$curlver" "$timestamp"
+
+mv curl-"$curlver"* ../_tarballs/
+cd "$pwd"
+cd "_tarballs"
+
+# compare the new tarball against the original
+sha256sum -c checksum