#!/bin/bash
#
# Verify the integrity and authenticity of this model release.
#
# Usage: bash signing/verify.sh
#
# This script verifies:
# 1. The signing certificate is issued by a trusted CA
# 2. The SHA256SUMS manifest was signed by Nasjonalbiblioteket
# 3. All file checksums match the manifest
#
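# Strict mode: abort on unhandled errors, unset variables and a failure in
# any stage of a pipeline.
set -euo pipefail

# ANSI colour escapes, stored as backslash sequences and expanded at print time.
RED='\033[0;31m'
GREEN='\033[0;32m'
NC='\033[0m'

# pass MESSAGE... - print a green [PASS] line on stdout.
# Only the colour codes go through %b. The message itself is printed with %s,
# so backslashes in it (for example in a file path) are shown literally
# instead of being interpreted as escape sequences.
pass() { printf '%b[PASS]%b %s\n' "$GREEN" "$NC" "$*"; }

# fail MESSAGE... - print a red [FAIL] line on stderr. It does not exit;
# callers decide whether to continue.
fail() { printf '%b[FAIL]%b %s\n' "$RED" "$NC" "$*" >&2; }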
# Locate the signing directory (where this script lives) and the model
# directory (its parent), then work from the model directory so that the
# relative paths in SHA256SUMS resolve against the release files.
SIGNING_DIR="$(cd "$(dirname "$0")" && pwd)"
SCRIPT_DIR="$SIGNING_DIR"
MODEL_DIR="$(dirname "$SIGNING_DIR")"

# Running count of failed checks; any non-zero value makes the script exit 1.
errors=0

cd "$MODEL_DIR"
# Pre-flight: all four signing artefacts must be present before any
# cryptographic check is attempted. Every missing file is reported, not
# just the first one.
required_files=(
  "$SIGNING_DIR/SHA256SUMS"
  "$SIGNING_DIR/SHA256SUMS.sig"
  "$SIGNING_DIR/cert.pem"
  "$SIGNING_DIR/ca-chain.pem"
)

for f in "${required_files[@]}"; do
  if [[ -f "$f" ]]; then
    continue
  fi
  fail "Missing file: $f"
  errors=$((errors + 1))
done

# Without the full set there is nothing to verify against: stop here.
if (( errors > 0 )); then
  echo ""
  fail "Required signing files are missing. Cannot verify."
  exit 1
fi
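echo "=== Nasjonalbiblioteket Model Verification ==="
echo ""

# Show certificate info.
# These values are printed for the operator only: nothing in this script
# compares the subject or the fingerprint with an expected value. They are
# worth checking against a fingerprint obtained through a channel other than
# the download being verified.
cert_file="$SIGNING_DIR/cert.pem"

# Parse the certificate once up front. With "set -e" and "pipefail" an
# unreadable cert.pem would otherwise end the script inside the first pipeline
# below without any message, because openssl's stderr is discarded there.
if ! openssl x509 -in "$cert_file" -noout 2>/dev/null; then
  fail "Cannot read certificate with openssl: $cert_file"
  exit 1
fi

echo "Certificate subject:"
openssl x509 -in "$cert_file" -subject -noout 2>/dev/null | sed 's/^subject=/ /'
echo "Certificate issuer:"
openssl x509 -in "$cert_file" -issuer -noout 2>/dev/null | sed 's/^issuer=/ /'
echo "Certificate fingerprint (SHA-256):"
openssl x509 -in "$cert_file" -fingerprint -sha256 -noout 2>/dev/null | sed 's/^.*=/ /'
echo ""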
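# 1. Verify certificate chain
#
# NOTE(review): the CA bundle passed to -CAfile is signing/ca-chain.pem, i.e.
# it is read from the same directory as the certificate, the manifest and the
# signature. On its own this step therefore shows that cert.pem chains to the
# bundle shipped with the release, not to an independently held trust root.
# To anchor trust, compare ca-chain.pem (or the certificate fingerprint
# printed earlier) with a copy obtained out of band.
echo "--- Step 1: Verify certificate chain ---"
# Capture openssl's diagnostics instead of discarding them, so a failure
# (expired certificate, unknown issuer, ...) can be explained to the operator.
if verify_output=$(openssl verify -CAfile "$SIGNING_DIR/ca-chain.pem" \
    "$SIGNING_DIR/cert.pem" 2>&1); then
  pass "Certificate chain is valid."
else
  fail "Certificate chain verification failed!"
  printf '%s\n' "$verify_output" >&2
  errors=$((errors + 1))
fi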
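# 2. Verify signature
#
# The manifest signature is checked against the public key taken from
# cert.pem, so this result is only as trustworthy as that certificate: it
# must be read together with the outcome of step 1.
echo "--- Step 2: Verify manifest signature ---"
PUBKEY=$(mktemp)
# Single-quoted so the path is expanded (and safely quoted) when the trap
# runs, rather than being spliced into the command string now.
trap 'rm -f -- "$PUBKEY"' EXIT

if ! openssl x509 -in "$SIGNING_DIR/cert.pem" -pubkey -noout > "$PUBKEY" 2>/dev/null; then
  # Report the failure explicitly; previously "set -e" ended the script here
  # with no message because stderr is discarded.
  fail "Could not extract the public key from $SIGNING_DIR/cert.pem"
  errors=$((errors + 1))
elif openssl dgst -sha256 -verify "$PUBKEY" \
    -signature "$SIGNING_DIR/SHA256SUMS.sig" \
    "$SIGNING_DIR/SHA256SUMS" > /dev/null 2>&1; then
  pass "Manifest signature is valid."
else
  fail "Manifest signature verification failed!"
  errors=$((errors + 1))
fi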
# 3. Verify file checksums
#
# Manifest paths are resolved from the current directory, which the script
# set to the model directory earlier.
# NOTE(review): "sha256sum -c" examines only the files named in SHA256SUMS.
# Files that are present in the model directory but absent from the manifest
# are not checked by this step. The step also runs when step 2 failed; a
# checksum match is meaningful only if the manifest signature was valid.
echo "--- Step 3: Verify file checksums ---"
if ! sha256sum -c "$SIGNING_DIR/SHA256SUMS" 2>/dev/null; then
  fail "One or more file checksums do not match!"
  errors=$((errors + 1))
else
  pass "All file checksums match."
fi
# Summary: exit status 0 only when every step above passed, 1 otherwise.
# The checksum step covers the files named in SHA256SUMS, so the success
# line applies to those files.
echo ""
if [[ $errors -ne 0 ]]; then
  echo -e "${RED}❌ Verification failed with $errors error(s).${NC}"
  exit 1
fi

echo -e "${GREEN}✅ Verification successful. All files are authentic and unmodified.${NC}"
exit 0