GPG file in the HEAD repository

Sheldon
Posts: 188
Joined: 14 Apr 2014, 14:39

Post by Sheldon » 16 Apr 2017, 17:18

Hi,

Currently I only see a GPG file in the HEAD repository.
Will you continue providing the plain jar as before?

Otherwise GPG is not very easy to handle on a Windows machine.
Do I need a key?

Kind regards,

Sheldon

rednoah
The Source
Posts: 18634
Joined: 16 Nov 2011, 08:59
Location: Taipei

Re: GPG file in the HEAD repository

Post by rednoah » 16 Apr 2017, 17:30

The HEAD jar is used for unattended updates by a lot of people these days. It's now digitally signed with GnuPG for security reasons. You can use this public key to verify that the package has been uploaded by me and that it has not been modified by a 3rd party.
:idea: Please read the FAQ and How to Request Help.

Sheldon
Posts: 188
Joined: 14 Apr 2014, 14:39

Re: GPG file in the HEAD repository

Post by Sheldon » 16 Apr 2017, 22:08

I understand but if I try to decrypt the current gpg file using gpg4win it tells me that there is no data.

rednoah
The Source
Posts: 18634
Joined: 16 Nov 2011, 08:59
Location: Taipei

Re: GPG file in the HEAD repository

Post by rednoah » 17 Apr 2017, 02:07

Works fine with the gpg.exe command-line tool as far as I can tell. Maybe there's a bug in the software you're using.


0. Fetch public key (only required once):

Code:

gpg --recv-keys 4E402EBF7C3C6A71

1. Verify signature and extract signed data:

Code:

gpg --trusted-key 4E402EBF7C3C6A71 --output FileBot.jar.xz --decrypt FileBot.jar.xz.gpg

2. Unpack data:

Code:

xz --decompress FileBot.jar.xz

If you use Windows Bash then update-filebot.sh should work out of the box. If you're stuck with CMD then you can make your own little script with the commands above. Since I update the jar every other day, automating the process of updating the jar is probably a good idea. ;)

Sheldon
Posts: 188
Joined: 14 Apr 2014, 14:39

Re: GPG file in the HEAD repository

Post by Sheldon » 17 Apr 2017, 06:34

Thanks! Please provide a download link to the command line tool gpg.exe you are using. Google didn't find it! :-)

rednoah
The Source
Posts: 18634
Joined: 16 Nov 2011, 08:59
Location: Taipei

Re: GPG file in the HEAD repository

Post by rednoah » 17 Apr 2017, 06:36

1.
It's on the official site. It's the second download for Windows:
https://www.gnupg.org/ftp/gcrypt/binary ... 170403.exe

@see https://www.gnupg.org/download/index.en.html


2.
xz binaries for Windows are here:
http://tukaani.org/xz/xz-5.2.3-windows.7z

@see http://tukaani.org/xz/

Sheldon
Posts: 188
Joined: 14 Apr 2014, 14:39

Re: GPG file in the HEAD repository

Post by Sheldon » 17 Apr 2017, 07:56

That works fine! Thanks for your help!

Sheldon
Posts: 188
Joined: 14 Apr 2014, 14:39

Re: GPG file in the HEAD repository

Post by Sheldon » 17 Apr 2017, 14:36

Will the URL remain like this

Code:

https://sourceforge.net/projects/filebot/files/filebot/HEAD/FileBot.jar.xz.gpg/download

without the version in the jar?
Without the version it is easier to automate. :)

rednoah
The Source
Posts: 18634
Joined: 16 Nov 2011, 08:59
Location: Taipei

Re: GPG file in the HEAD repository

Post by rednoah » 17 Apr 2017, 15:35

Yep. That's pretty much how update-filebot.sh works.

Sheldon
Posts: 188
Joined: 14 Apr 2014, 14:39

Re: GPG file in the HEAD repository

Post by Sheldon » 17 Apr 2017, 15:39

Great! Thanks!

Chryses
Posts: 66
Joined: 26 Aug 2012, 19:11

Re: GPG file in the HEAD repository

Post by Chryses » 17 Apr 2017, 18:34

Wow. Sorry for jumping into this thread.

I always update the FileBot HEAD with a custom script. Today I tried to update FileBot because the cleaner script doesn't work anymore and, if I understand the situation, I need to keep FileBot updated.

So I discovered this thread and the link for update-filebot.sh. I downloaded it and the maintainer.pub, put both in the FileBot directory and launched the sh file, but I have some errors

Code:

[~] # sh /share/CACHEDEV1_DATA/.qpkg/Entware-ng/share/filebot/update-filebot.sh
/share/CACHEDEV1_DATA/.qpkg/Entware-ng/share/filebot/FileBot.jar.xz.gpg: No such file or directory
Update /share/CACHEDEV1_DATA/.qpkg/Entware-ng/share/filebot/FileBot.jar.xz.gpg
Warning: Illegal date format for -z, --timecond (and not a file name).
Warning: Disabling time condition. See curl_getdate(3) for valid date syntax.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0 15547    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0   357    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
  0   439    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0
  0   353    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0
100 17.7M  100 17.7M    0     0  2902k      0  0:00:06  0:00:06 --:--:-- 5672k
/share/CACHEDEV1_DATA/.qpkg/Entware-ng/share/filebot/FileBot.jar.xz.gpg [d71088da176c5aaf3e314e4d6309bf07]
gpg: keyring `/share/CACHEDEV1_DATA/.qpkg/Entware-ng/share/filebot/data/.gpg/secring.gpg' created
gpg: keyring `/share/CACHEDEV1_DATA/.qpkg/Entware-ng/share/filebot/data/.gpg/pubring.gpg' created
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
gpg: Signature made Sun 16 Apr 2017 07:11:50 PM CEST using RSA key ID 7C3C6A71
gpg: Can't check signature: public key not found

and at the end I have the FileBot.jar.xz file

Any idea?

rednoah
The Source
Posts: 18634
Joined: 16 Nov 2011, 08:59
Location: Taipei

Re: GPG file in the HEAD repository

Post by rednoah » 17 Apr 2017, 19:48

1.
Console output says that it failed to import the public key:

Code:

gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

Looks like this line doesn't work for some reason:

Code:

gpg --homedir "$GPG_HOME" --import "$APP_ROOT/maintainer.pub"

@see https://github.com/filebot/filebot/blob ... bot.sh#L62


2.
If you want to update to the latest stable release, then you can just do this:

Code:

cd /path/to/filebot
curl https://raw.githubusercontent.com/filebot/plugins/master/installer/portable.sh | sh -xu

:idea: I recommend always using the latest stable release. The latest revision (that this thread is all about) may not always be stable and sometimes may not work at all.
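The log a few posts up ends with "Can't check signature: public key not found" and still leaves a FileBot.jar.xz behind, so a script built from the commands in this thread should decide from gpg's machine-readable status, not from the presence of the output file. An added sketch, not part of the thread and not FileBot's update-filebot.sh; the function names, the `.unverified` suffix and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept extracted data only if gpg reports a valid signature
# from the pinned key. The thread only gives the 64-bit long key ID; pinning
# the full 40-hex fingerprint is stronger when you have it.
PINNED_KEY_ID="4E402EBF7C3C6A71"

# sig_ok STATUS_TEXT: returns 0 only if a VALIDSIG line carries a fingerprint
# ending in the pinned key ID and no BADSIG/ERRSIG/NO_PUBKEY line is present.
# Assumes the signature is made with the primary key (as the log above suggests).
sig_ok() {
    printf '%s\n' "$1" | awk -v id="$PINNED_KEY_ID" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NO_PUBKEY" { bad = 1 }
        $2 == "VALIDSIG" {
            n = length($3) - length(id) + 1
            if (n >= 1 && substr($3, n) == id) good = 1; else bad = 1
        }
        END { if (good && !bad) exit 0; exit 1 }'
}

# verify_and_extract SIGNED_FILE OUTPUT_FILE
# Extracts to a temporary name and moves it into place only after sig_ok.
verify_and_extract() {
    tmp="$2.unverified"
    rm -f "$tmp"
    status=$(gpg --batch --yes --status-fd 1 --output "$tmp" \
                 --decrypt "$1" 2>/dev/null) || true
    if sig_ok "$status" && [ -s "$tmp" ]; then
        mv "$tmp" "$2"
    else
        rm -f "$tmp"   # never leave unverified data where an updater finds it
        return 1
    fi
}

# Constructed status samples (zero-padded fingerprint, not the real one).
SAMPLE_GOOD='[GNUPG:] GOODSIG 4E402EBF7C3C6A71 maintainer (constructed)
[GNUPG:] VALIDSIG 0000000000000000000000004E402EBF7C3C6A71 2017-04-16 1492362710 0 4 0 1 8 00 0000000000000000000000004E402EBF7C3C6A71'
# The "public key not found" case from the log above.
SAMPLE_NOKEY='[GNUPG:] ERRSIG 4E402EBF7C3C6A71 1 8 00 1492362710 9
[GNUPG:] NO_PUBKEY 4E402EBF7C3C6A71'
# A valid signature, but from a key that is not the pinned one.
SAMPLE_OTHER='[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2017-04-16 1492362710 0 4 0 1 8 00 1111111111111111111111111111111111111111'
```

Called as `verify_and_extract FileBot.jar.xz.gpg FileBot.jar.xz && xz --decompress FileBot.jar.xz`, the unpack step only runs on data whose signature checked out.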

Chryses
Posts: 66
Joined: 26 Aug 2012, 19:11

Re: GPG file in the HEAD repository

Post by Chryses » 20 Apr 2017, 11:31

Thanks, as always.

Btw, your excellent file is made for "normal" Linux. I use a QNAP with Entware, so I installed coreutils-sha256sum.

I think the SHA approach to check first if there's a new version is the best! Do you think it is possible to use it this way on this? https://raw.githubusercontent.com/fileb ... ortable.sh

rednoah
The Source
Posts: 18634
Joined: 16 Nov 2011, 08:59
Location: Taipei

Re: GPG file in the HEAD repository

Post by rednoah » 20 Apr 2017, 14:26

The SHA256 is used to verify the portable package to make sure that it hasn't been tampered with. Future releases will use GPG signatures as well.

Chryses
Posts: 66
Joined: 26 Aug 2012, 19:11

Re: GPG file in the HEAD repository

Post by Chryses » 21 Apr 2017, 10:52

I mean this

Code:

# '=' is the POSIX string comparison; '==' is a bashism that fails under dash
if [ "$PACKAGE_HASH" = "$PACKAGE_HASH_EXPECTED" ]; then
	echo "$PACKAGE_FILE [$PACKAGE_HASH]"
	exit 0
fi

It is a very good idea to avoid downloading the whole file each time!

So in the future the latest stable release will also use GPG?

rednoah
The Source
Posts: 18634
Joined: 16 Nov 2011, 08:59
Location: Taipei

Re: GPG file in the HEAD repository

Post by rednoah » 21 Apr 2017, 13:18

1.
The hash was primarily used to make sure that the data received from the untrusted mirror wasn't tampered with, but still gave ultimate trust to SourceForge. This problem has been fixed with GPG signatures which give ultimate trust to nobody but me.


2.
Yes, GPG signatures will be used for all files, except maybe for the packages where sha256 digests are known and verified by the package manager (i.e. synology and brew cask packages).

viking
Power User
Posts: 128
Joined: 14 Jul 2013, 08:21

Re: GPG file in the HEAD repository

Post by viking » 22 Apr 2017, 04:57

Sorry for my ignorance....I am quite lost.

I am on Windows and I use the portable version.
In the past, I have just downloaded the jar (e.g. filebot-r4991.jar.xz) and replaced the old jar file.
How do I update on windows now without having to download extra programs?

Do I use "update-filebot.sh"? What is this and how do I use it?

rednoah
The Source
Posts: 18634
Joined: 16 Nov 2011, 08:59
Location: Taipei

Re: GPG file in the HEAD repository

Post by rednoah » 22 Apr 2017, 05:50

Does installing the Windows subsystem for Linux count as downloading extra programs?

You will need a program that can verify gpg signatures and a program that can decompress xz archives. On Windows, neither is installed by default. On Linux, including WSL, it'll work out of the box.

viking
Power User
Posts: 128
Joined: 14 Jul 2013, 08:21

Re: GPG file in the HEAD repository

Post by viking » 22 Apr 2017, 08:31

I have a program that can decompress the archives (Winrar). That is how I did it before the gpg was added.
Now I can't just unrar anymore...

I didn't understand your comment about Linux. Do I need to use Linux to use "update-filebot.sh"? Can I use it with Windows directly? What is "update-filebot.sh" and how do I use it?

rednoah
The Source
Posts: 18634
Joined: 16 Nov 2011, 08:59
Location: Taipei

Re: GPG file in the HEAD repository

Post by rednoah » 22 Apr 2017, 09:31

Option A: Use gpg.exe and xz.exe

You just need gpg.exe and xz.exe to verify and unpack the jar.


Option B: Use WSL

If you want to use update-filebot.sh then you need the Windows Subsystem for Linux.


:idea: I'm sure there's GUI tools that can deal with gpg and xz files. I'd automate the process with the curl, gpg and xz commands though.

MindTooth
Donor
Posts: 13
Joined: 20 Mar 2017, 07:23

Re: GPG file in the HEAD repository

Post by MindTooth » 22 Apr 2017, 09:53

Code:

○ → ./update-filebot.sh
./update-filebot.sh: 38: [: 970ab82154b44551c2510e4c0ec42e70: unexpected operator
Update /home/mt/filebot/FileBot.jar.xz.gpg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0   370    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0 15534    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
  0   429    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0
  0   343    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0
/home/mt/filebot/FileBot.jar.xz.gpg [970ab82154b44551c2510e4c0ec42e70]
gpg: Problem reading source (2111675 bytes remaining)
gpg: handle plaintext failed: file read error

Can't seem to pull a working copy. Also, some script error. This is on OpenMediaVault 3.0 (Debian Jessie I believe).

Edit: Worked fine to decrypt yesterday's r5040 release, I guess this is the new r5041 you talked about?

Sheldon
Posts: 188
Joined: 14 Apr 2014, 14:39

Re: GPG file in the HEAD repository

Post by Sheldon » 22 Apr 2017, 12:26

The current xz file can't be decompressed using XZ Utils.
Yesterday's file worked fine. Please check!

rednoah
The Source
Posts: 18634
Joined: 16 Nov 2011, 08:59
Location: Taipei

Re: GPG file in the HEAD repository

Post by rednoah » 22 Apr 2017, 14:04

File size looks off. I guess the file wasn't uploaded completely.

Sheldon
Posts: 188
Joined: 14 Apr 2014, 14:39

Re: GPG file in the HEAD repository

Post by Sheldon » 22 Apr 2017, 14:46

Now it works fine! Thanks!

viking
Power User
Posts: 128
Joined: 14 Jul 2013, 08:21

Re: GPG file in the HEAD repository

Post by viking » 22 Apr 2017, 16:53

rednoah wrote:
Option B: Use WSL

If you want to use update-filebot.sh then you need the Windows Subsystem for Linux.


:idea: I'm sure there's GUI tools that can deal with gpg and xz files. I'd automate the process with the curl, gpg and xz commands though.

The link above takes me to Bash on Windows. However, I need to run Windows 10 but I run Windows 7. Thus not an option for me :(

(There is no help section on this forum for Windows 7 users)
