tools: Add verify-release.sh

2026-06-08 11:43:40 -04:00 · 2026-05-14 00:16:24 +02:00 · 2026-05-14 00:16:24 +02:00 · 3980e94f72
commit 3980e94f72
parent 6e6b491f94
1 changed files with 122 additions and 0 deletions
--- a/tools/verify-release.sh
+++ b/tools/verify-release.sh
@ -0,0 +1,122 @@
+#!/usr/bin/env bash
+
+# Copyright Citra Emulator Project / Azahar Emulator Project
+# Licensed under GPLv2 or any later version
+# Refer to the license.txt file included.
+
+set -euo pipefail
+
+# Usage:
+#   ./verify-release.sh <owner/repo> <tag>
+#
+# Example:
+#   ./verify-release.sh azahar-emu/azahar 2126.0
+#
+# Behavior:
+#   - Downloads all release assets
+#   - Verifies asset is published in the release
+#   - Verifies SPDX attestations for every asset
+#
+# Notes:
+#   - Draft release support requires authentication with permission
+#     to view the draft release.
+#   - gh release verify-asset currently does NOT support draft releases.
+
+if [[ $# -ne 2 ]]; then
+    echo "Usage: $0 <owner/repo> <tag>"
+    exit 1
+fi
+
+command -v gh >/dev/null 2>&1 || {
+    echo "ERROR: GitHub CLI (gh) is not installed or not in PATH"
+    exit 1
+}
+
+REPO="$1"
+TAG="$2"
+
+echo "==> Fetching release metadata"
+
+IS_DRAFT=$(
+    gh release view "$TAG" \
+        --repo "$REPO" \
+        --json isDraft \
+        --jq '.isDraft'
+)
+
+WORKDIR="release-${TAG}"
+
+rm -rf "$WORKDIR"
+mkdir -p "$WORKDIR"
+cd "$WORKDIR"
+
+echo
+echo "==> Downloading release assets"
+
+gh release download "$TAG" \
+    --repo "$REPO"
+
+echo
+echo "==> Fetching asset list"
+
+mapfile -t ASSETS < <(
+    gh release view "$TAG" \
+        --repo "$REPO" \
+        --json assets \
+        --jq '.assets[].name'
+)
+
+echo
+echo "==> Release type: $(
+    [[ "$IS_DRAFT" == "true" ]] && echo "draft" || echo "published"
+)"
+
+echo
+echo "==> Verifying assets"
+
+for asset in "${ASSETS[@]}"; do
+    # Skip attestation files themselves
+    if [[ "$asset" == *.intoto.jsonl ]]; then
+        continue
+    fi
+
+    if [[ ! -f "$asset" ]]; then
+        echo "ERROR: Missing downloaded asset: $asset"
+        exit 1
+    fi
+
+    echo
+    echo "========================================"
+    echo "Asset: $asset"
+    echo "========================================"
+
+    echo "1/2 release verify-asset"
+    
+    if [[ "$IS_DRAFT" != "true" ]]; then
+        gh release verify-asset "$TAG" "$asset" \
+            --repo "$REPO"
+        echo
+    else
+        echo "SKIPPED (draft releases unsupported)"
+        echo
+    fi
+
+    echo "2/2 attestation verify (SPDX)"
+    
+    if [[ "$asset" == *.sha256sum ]]; then
+        echo "SKIPPED (sha256sum does not need verification)"
+    else
+        gh attestation verify "$asset" \
+            --repo "$REPO" \
+            --predicate-type https://spdx.dev/Document
+    fi
+
+    echo "OK: $asset"
+done
+
+rm -rf "$WORKDIR"
+
+echo
+echo "========================================"
+echo "All assets verified successfully"
+echo "========================================"