Adds per-file integrity attestation on top of the existing signed-tarball release flow. make_release now generates a SHA256SUMS manifest over the shipped tree and (when a key is configured) signs it, riding both inside the release tarball so they land in the install tree with no extra download. lpVerifyInstall (scripts/source/verify.sh) re-hashes the install tree against that manifest and verifies the manifest's minisign signature against the root-owned footprint pubkey, yielding states: verified / modified / tampered / unsigned / unverifiable / development. webuiSystemVerify writes verify_status.json (throttled daily, force on demand, also after each update apply), surfaced as an Integrity line + "Verify now" button on the Admin → Overview Updates card and a row in the update details panel. `libreportal verify` exposes the same check on the CLI. Honest framing: this is a self-check (run by the software it verifies), so red fires only for genuine modified/tampered states; the badge tooltip points to out-of-band `minisign -Vm` for an independent guarantee. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
19 lines
663 B
Bash
19 lines
663 B
Bash
#!/bin/bash
|
|
|
|
# Verify Commands Header
|
|
# Shows available verify commands and help information
|
|
|
|
cliShowVerifyHelp()
|
|
{
|
|
echo ""
|
|
echo "Available Verify Commands:"
|
|
echo ""
|
|
echo " libreportal verify - Check installed files against the signed release manifest"
|
|
echo " libreportal verify json - Refresh the integrity status file only (no console output)"
|
|
echo ""
|
|
echo "Confirms your installed LibrePortal code still matches the release we signed."
|
|
echo "This is a self-check (it runs from the same install), so for an independent"
|
|
echo "guarantee verify the release tarball yourself with 'minisign -Vm'."
|
|
echo ""
|
|
}
|