Checking MD5 and signatures with a shell script


We are currently voting on the upcoming Apache log4php 2.1.0 release. An Apache release usually contains the src package, an asc file and an md5 file. The asc file contains the signature of the release manager, whose key is accessible from the project's page. The md5 file contains the checksum for the release.

I wrote a small script which helps to check the md5 and the signature. It has been developed on OS X 10.6.7. I use the preinstalled md5 tool and installed gpg with:

port install gpg

The latter is pretty similar to PGP, just GPL-licensed.

You might tweak this script so it fits your release. May it give you a good start ;-)


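#!/bin/sh
# Usage: pass the release file name; <file>.md5 and <file>.asc must sit next to it.

# MD5 of the release file (OS X md5 tool; -q prints only the digest)
file1=`md5 -q "$1"`
# Expected digest: text before any '*' in the .md5 file, whitespace removed
file2=`cut -d'*' -f1 "$1.md5" | tr -d '[:space:]'`

echo "Checking file: $1"
echo "Using MD5 file: $1.md5"
echo "$file1"
echo "$file2"

if [ "$file1" != "$file2" ]
then
  echo "md5 sums mismatch"
else
  echo "checksums OK"
fi

# Verify the detached signature against the release file
echo "GPG verification output"
gpg --verify "$1.asc" "$1"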

To call it, you need to pass the filename to check as a parameter:

$ ./ Apache_log4php-2.1.0-pear.tgz

That’s it. The output should look like:

Checking file: Apache_log4php-2.1.0-pear.tgz
Using MD5 file: Apache_log4php-2.1.0-pear.tgz.md5
checksums OK
GPG verification output
gpg: Unterschrift vom Di 28 Jun 11:09:39 2011 CEST mittels RSA-Schlüssel ID xxx
gpg: Korrekte Unterschrift von "xxx"
Haupt-Fingerabdruck  = xxxxxx
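
A stricter variant of the check above, as an added example that is not part of the original post. It goes beyond the script: it accepts the common .md5 file layouts, returns a non-zero exit status on any failure, and requires that the signature comes from one expected key. The function names and the second argument (the release manager's fingerprint, taken from the project's page) are assumptions.

```sh
#!/bin/sh
# Added example (hypothetical helper names): checksum + signature check that fails closed.

# Print the MD5 digest stored in a checksum file in lower case, or fail.
# Accepts "hash", "hash *file", "MD5 (file) = hash" and "file: AB CD ..." layouts.
expected_md5() {
  awk 'NR == 1 {
         if ($1 ~ /^[0-9A-Fa-f]+$/ && length($1) == 32) $0 = $1
         else sub(/^.*(: | = )/, "")          # drop "file: " or "MD5 (file) = "
         gsub(/[ \t\r]/, ""); print tolower($0)
       }' "$1" | grep -E '^[0-9a-f]{32}$'
}

# Digest of the file itself: md5sum on Linux, md5 -q on OS X.
actual_md5() {
  if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
  else md5 -q "$1"; fi
}

check_md5() {
  want=$(expected_md5 "$1.md5") || return 2
  got=$(actual_md5 "$1") || return 2
  [ "$want" = "$got" ]
}

# Read gpg --status-fd lines on stdin; print the primary key fingerprint
# (last VALIDSIG field) only if GOODSIG was reported as well.
good_sig_fpr() {
  awk '$1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
       $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = $NF }
       END { if (good && fpr != "") print fpr; else exit 1 }'
}

# $1 = release file, $2 = release manager's fingerprint (40 hex digits, no spaces)
check_sig() {
  fpr=$(gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | good_sig_fpr) || return 1
  [ "$fpr" = "$2" ]
}

verify_release() {
  check_md5 "$1" || { echo "md5 sums mismatch" >&2; return 1; }
  check_sig "$1" "$2" || { echo "signature not from expected key" >&2; return 1; }
  echo "checksums and signature OK"
}

# Run only when called as: script <file> <fingerprint>
if [ "$#" -eq 2 ]; then verify_release "$1" "$2"; exit $?; fi
```

Requiring GOODSIG matters because gpg reports signatures from expired or revoked keys under other status keywords (EXPKEYSIG, REVKEYSIG), and a plain "good signature" message only says that some key in the local keyring made it.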
