GPG file in the HEAD repository

[Sheldon]

Hi,

currently I only see a GPG file in the HEAD repository.
Will you continue providing the plane jar as before?

Otherwise GPG is not very easy to handle on a Windows machine.
Do i need a key?

Kind regards,

Sheldon

[rednoah]

The HEAD jar is used for unattended updates by alot of people these days. It's now digitally signed with GnuPG for security reasons. You can use this public key to verify that the package has been uploaded by me and that is has not been modified by a 3rd party.

[Sheldon]

I understand but if I try to decrypt the current gpg file using gpg4win it tells me that there is no data.

[rednoah]

Works fine with the gpg.exe command-line tool as far as I can tell. Maybe there's a bug in the software you're using.


0. Fetch public key (only required once):

Code: Select all

gpg --recv-keys 4E402EBF7C3C6A71

1. Verify signature and extract signed data:

Code: Select all

gpg --trusted-key 4E402EBF7C3C6A71 --output FileBot.jar.xz --decrypt FileBot.jar.xz.gpg

2. Unpack data:

Code: Select all

xz --decompress FileBot.jar.xz

If you use Windows Bash then update-filebot.sh should work out of the box. If you're stuck with CMD then you can make your own little script with the commands above. Since I update the jar every other day, automating the processing of updating the jar is probably a good idea.

[Sheldon]

Thanks! Please provide a download link to the command line tool gpg.exe you are using. Google didn't find it!

[rednoah]

1.
It's on the official site. It's the second download for Windows:
https://www.gnupg.org/ftp/gcrypt/binary ... 170403.exe

@see https://www.gnupg.org/download/index.en.html


2.
xz binaries for Windows are here:
http://tukaani.org/xz/xz-5.2.3-windows.7z

@see http://tukaani.org/xz/

[Sheldon]

That works fine! Thanks for your help!

[Sheldon]

Will the url remain like this

Code: Select all

https://sourceforge.net/projects/filebot/files/filebot/HEAD/FileBot.jar.xz.gpg/download

without the version in the jar?
Without the version it is easier to automize.

[rednoah]

Yep. That's pretty much how update-filebot.sh works.

[Sheldon]

Great! Thanks!

[Chryses]

Wow. Sorry if I jump to this thread.

I always update the FileBot head with a custom script, today I tried to update FileBot because the cleaner script don't works anymore and if I understand the situation, I need to keep update FileBot.

So I discovered this thread and the link for the update-filebot.sh, I downloaded it and the maintainer.pub, put both in the FileBot directory and launched the sh file, but I've some error

Code: Select all

[~] # sh /share/CACHEDEV1_DATA/.qpkg/Entware-ng/share/filebot/update-filebot.sh
/share/CACHEDEV1_DATA/.qpkg/Entware-ng/share/filebot/FileBot.jar.xz.gpg: No such file or directory
Update /share/CACHEDEV1_DATA/.qpkg/Entware-ng/share/filebot/FileBot.jar.xz.gpg
Warning: Illegal date format for -z, --timecond (and not a file name).
Warning: Disabling time condition. See curl_getdate(3) for valid date syntax.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0 15547    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0   357    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
  0   439    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0
  0   353    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0
100 17.7M  100 17.7M    0     0  2902k      0  0:00:06  0:00:06 --:--:-- 5672k
/share/CACHEDEV1_DATA/.qpkg/Entware-ng/share/filebot/FileBot.jar.xz.gpg [d71088da176c5aaf3e314e4d6309bf07]
gpg: keyring `/share/CACHEDEV1_DATA/.qpkg/Entware-ng/share/filebot/data/.gpg/secring.gpg' created
gpg: keyring `/share/CACHEDEV1_DATA/.qpkg/Entware-ng/share/filebot/data/.gpg/pubring.gpg' created
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
gpg: Signature made Sun 16 Apr 2017 07:11:50 PM CEST using RSA key ID 7C3C6A71
gpg: Can't check signature: public key not found

and at the end I've the FileBot.jar.xz file

Any idea?

[rednoah]

1.
Console output says that it failed to import the public key:

Code: Select all

gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

Looks like this line doesn't work for some reason:

Code: Select all

gpg --homedir "$GPG_HOME" --import "$APP_ROOT/maintainer.pub"

@see https://github.com/filebot/filebot/blob ... bot.sh#L62


2.
If you want to update to the latest stable release, then you can just do this:

Code: Select all

cd /path/to/filebot
curl https://raw.githubusercontent.com/filebot/plugins/master/installer/portable.sh | sh -xu

I recommend always using the latest stable release. The latest revision (that this thread is all about) may not always be stable and sometimes may not work at all.

[Chryses]

Tnx like always.

Btw, your excellent file, is made for "normal" linux, I use a qnap with entware, so I installed the coreutils-sha256sum.

I think the sha approach to check first if there's a new version is the best! Do you think is possible to use this way on this? https://raw.githubusercontent.com/fileb ... ortable.sh

[rednoah]

The SHA256 is used to verify portable package to make sure that it hasn't been tampered with. Future releases will use GPG signatures as well.

[Chryses]

I mean this

Code: Select all

if [ "$PACKAGE_HASH" == "$PACKAGE_HASH_EXPECTED" ]; then
	echo "$PACKAGE_FILE [$PACKAGE_HASH]"
	exit 0
fi

Is a very good idea to prevent to download each time the whole file!

So in future also the latest stable release will use GPG?

[rednoah]

1.
The hash was primarily used to make sure that the data received from the untrusted mirror wasn't tampered with, but still gave ultimate trust to SourceForge. This problem has been fixed with GPG signatures which give ultimate trust to nobody but me.


2.
Yes, GPG signatures will be used for all files, except maybe for the packages where sha256 digests are known and verified by the package manager (i.e. synology and brew cask packages).

[viking]

Sorry for my ignorance....I am quite lost.

I am on Windows and I use the portable version.
In the past, I have just downloaded the jar (e.g. filebot-r4991.jar.xz) and replaced the old jar file.
How do I update on windows now without having to download extra programs?

Do I use "update-filebot.sh"? What is this and how do I use it?

[rednoah]

Does installing the Windows subsystem for Linux count as downloading extra programs?

You will need a program they can verify gpg signatures and a program that can decompress xz archives. On Windows, neither is installed by default. On Linux, including WSL, it'll work out of the box.

[viking]

I have a program that can decompress the archives (Winrar). That is how I did it before the gpg was added.
Now I can't just unrar anymore...

I didn't understand your comment about Linux. Do I need to use Linux to use "update-filebot.sh"? Can I use it with Windows directly? What is "update-filebot.sh" and how do I use it?

[rednoah]

Option A: Use gpg.exe and xz.exe

You just need gpg.exe and xz.exe to verify and unpack the jar.


Option B: Use WSL

If you want to use update-filebot.sh then you need the Windows Subsystem for Linux.


I'm sure there's GUI tools that can deal with gpg and xz files. I'd automate the process with the curl, gpg and xz commands though.

[MindTooth]

Code: Select all

○ → ./update-filebot.sh
./update-filebot.sh: 38: [: 970ab82154b44551c2510e4c0ec42e70: unexpected operator
Update /home/mt/filebot/FileBot.jar.xz.gpg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0   370    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0 15534    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
  0   429    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0
  0   343    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0
/home/mt/filebot/FileBot.jar.xz.gpg [970ab82154b44551c2510e4c0ec42e70]
gpg: Problem reading source (2111675 bytes remaining)
gpg: handle plaintext failed: file read error

Can't seem to pull a working copy. Also, some script error. This is on OpenMediaVault 3.0 (Debian Jessie I believe).

Ed1t: Worked fine to decrypt yesterdays r5040 release, I guess this is the new r5041 you talked about?

[Sheldon]

The current xz file can't be decompressed using XZ Utils
Yesterday's file worked fine. Please check!

[rednoah]

File size looks off. I guess the file wasn't uploaded completely.

[Sheldon]

Now it works fine! Thanks!

[viking]

Option B: Use WSL

If you want to use update-filebot.sh then you need the Windows Subsystem for Linux.


I'm sure there's GUI tools that can deal with gpg and xz files. I'd automate the process with the curl, gpg and xz commands though.

The link above takes me to Bash On Windows, However, I need to run Windows 10 but I run Windows 7. Thus not an option for me

(There is no help section on this forum for Windows 7 users)