initial commit
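#!/bin/bash
# safeget: download a URL locally, then ask every machine listed in
# ~/.multiget_machines to fetch the same URL over ssh and report the SHA-256
# of what it received. The local download is moved to <targetfile> only if
# every machine reported exactly the digest of the local copy.
#
# Usage:       safeget <URL> <targetfile>
# Exit status: 0  all digests matched and the file was moved
#              1  download, verification or move failed
#              2  bad invocation
#
# The check is only as strong as the listed machines: it detects content that
# differs between vantage points, not content that is bad everywhere.

# A failing curl must fail the whole download pipeline instead of being hidden
# behind the exit status of the last stage.
set -o pipefail

if [ -z "$2" ]; then
  echo "invocation: safeget <URL> <targetfile>"
  exit 2
fi

url=$1
target=$2
machines_file=~/.multiget_machines

# Read the machine list split on whitespace, without pathname expansion of the
# entries. read returns non-zero at end of file here; the array is still filled.
machines=()
if [ -r "$machines_file" ]; then
  read -r -d '' -a machines < "$machines_file"
fi

# Fail closed: with no remote machine nothing would be compared, and the
# download would be reported as verified without any verification.
if [ "${#machines[@]}" -eq 0 ]; then
  echo "safeget: no machines listed in $machines_file, nothing to verify against" >&2
  exit 1
fi

echo "downloading locally..."
if ! realdest="$(mktemp)"; then
  echo "safeget: could not create a temporary file" >&2
  exit 1
fi

# tee stores the stream in the temp file while sha256sum hashes the same bytes,
# so the digest describes exactly what will later be moved into place.
# --fail makes an HTTP error a failure instead of hashing the error page.
if ! checksum="$(curl --fail -- "$url" | tee -- "$realdest" | sha256sum - | cut -d' ' -f1 | tr -d '\n')"; then
  echo "safeget: local download failed" >&2
  rm -f -- "$realdest"
  exit 1
fi

# An empty or malformed local digest would make every later comparison
# meaningless, so insist on 64 lowercase hex characters.
if ! [[ "$checksum" =~ ^[0-9a-f]{64}$ ]]; then
  echo "safeget: could not compute a local SHA-256 checksum" >&2
  rm -f -- "$realdest"
  exit 1
fi

echo "got checksum:"
echo "$checksum"
echo ""

mismatch_detected=0

echo "downloading on remote machines..."
for machine in "${machines[@]}"; do
  printf '  downloading from %s...                                                     \r' "$machine"

  # The URL travels base64-encoded on ssh's stdin and is decoded by the remote
  # shell inside double quotes, so special characters in it cannot make the
  # local and the remote curl see different URLs. The '"$(base64 -d)"' and '|'
  # arguments are single-quoted locally on purpose: the remote shell, not this
  # one, has to expand them. stderr of the ssh call is discarded.
  remote_sha256_unsanitized="$(printf '%s' "$url" | base64 -w0 | ssh -- "$machine" curl -- '"$(base64 -d)"' '|' sha256sum - 2>/dev/null)"

  # Keep only lowercase hex digits, so that nothing the remote side sends can
  # reach the terminal as control characters and wipe earlier warnings.
  remote_sha256="$(printf '%s' "$remote_sha256_unsanitized" | cut -d' ' -f1 | tr -cd '0123456789abcdef')"

  # Exact string comparison. An empty answer (ssh failed, host unreachable,
  # sha256sum missing on the remote) counts as a mismatch, and so does any
  # answer that merely contains the expected digest.
  if [ "$remote_sha256" != "$checksum" ]; then
    printf '\033[1;33;44mDIFFERENT CHECKSUM FROM %s:\n%s\033[0m\n' \
      "$machine" "${remote_sha256:-<no checksum received>}"
    mismatch_detected=1
  fi
done
echo "done                                                                          "

if [ "$mismatch_detected" -ne 0 ]; then
  # The temporary file is kept so the operator can inspect what was received.
  echo "NOT moving temporary download from $realdest to $2 because verification failed"
  exit 1
fi

echo "moving file to $2..."
if ! mv -- "$realdest" "$target"; then
  echo "safeget: could not move $realdest to $target" >&2
  exit 1
fi
echo "done"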