LibrePortal/scripts/cli/commands/verify/cli_verify_header.sh
librelad b28268a61f feat(system): "Verified" integrity check against the signed release manifest
Adds per-file integrity attestation on top of the existing signed-tarball
release flow. make_release now generates a SHA256SUMS manifest over the shipped
tree and (when a key is configured) signs it, riding both inside the release
tarball so they land in the install tree with no extra download.

lpVerifyInstall (scripts/source/verify.sh) re-hashes the install tree against
that manifest and verifies the manifest's minisign signature against the
root-owned footprint pubkey, yielding states: verified / modified / tampered /
unsigned / unverifiable / development. webuiSystemVerify writes verify_status.json
(throttled daily, force on demand, also after each update apply), surfaced as an
Integrity line + "Verify now" button on the Admin → Overview Updates card and a
row in the update details panel. `libreportal verify` exposes the same check on
the CLI.

Honest framing: this is a self-check (run by the software it verifies), so red
fires only for genuine modified/tampered states; the badge tooltip points to
out-of-band `minisign -Vm` for an independent guarantee.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-28 19:41:22 +01:00

19 lines
663 B
Bash

#!/bin/bash
# Verify Commands Header
# Shows available verify commands and help information
cliShowVerifyHelp()
{
echo ""
echo "Available Verify Commands:"
echo ""
echo " libreportal verify - Check installed files against the signed release manifest"
echo " libreportal verify json - Refresh the integrity status file only (no console output)"
echo ""
echo "Confirms your installed LibrePortal code still matches the release we signed."
echo "This is a self-check (it runs from the same install), so for an independent"
echo "guarantee verify the release tarball yourself with 'minisign -Vm'."
echo ""
}