#!/usr/bin/env bash
# fetch-arch-iso.sh
# Downloads the latest Arch ISO + signature, checks GPG key, verifies the download.
# Abort on unset variables and let a failing pipeline stage fail the pipeline.
set -uo pipefail

# CONFIGURATION
# Every run gets its own dated sub-directory below this root.
BASE_DIR="${HOME}/downloads/isos"
ISO_NAME="archlinux-x86_64.iso"
SIG_NAME="${ISO_NAME}.sig"
# The image and its detached signature are fetched from the same mirror path,
# so integrity rests entirely on the signature check, not on the transport.
ISO_URL="https://geo.mirror.pkgbuild.com/iso/latest/${ISO_NAME}"
SIG_URL="https://geo.mirror.pkgbuild.com/iso/latest/${SIG_NAME}"
# User-ID search string handed to `gpg --list-keys` further down.
# NOTE(review): this matches on a key's *name* only, which anyone can put on a
# key they generate. Arch master keys certify packager keys; release ISOs are
# signed by a release engineer's key whose fingerprint is published on the
# Arch Linux download page, so a hit on this name does not establish that the
# ISO signer's key is present. Confirm which key is intended.
ARCH_KEY_SEARCH="Arch Linux Master Key"

# 1) Build the target directory, e.g. ~/downloads/isos/archlinux.2025.08.22
today=$(date +%Y.%m.%d)
TARGET_DIR="${BASE_DIR}/archlinux.${today}"
if ! mkdir -p "${TARGET_DIR}"; then
  printf '%s\n' "Error: could not create ${TARGET_DIR}" >&2
  exit 1
fi
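# 2) A small helper to download with one retry
#######################################
# Fetch a URL into a local file with wget, retrying once on failure.
# Arguments: $1 - URL to fetch
#            $2 - destination path (created or overwritten)
# Outputs:   a progress line on stdout; diagnostics on stderr
# Returns:   0 on success; terminates the script with status 1 when both
#            attempts fail
#######################################
download_with_retry() {
  local url=$1 out=$2
  echo " -> Downloading ${url} to ${out}"
  if ! wget -q --show-progress -O "${out}" "${url}"; then
    echo " First attempt failed; retrying once..." >&2
    if ! wget -q --show-progress -O "${out}" "${url}"; then
      # wget -O creates the target before the transfer finishes, so a failed
      # run can leave a truncated file under the final name. Remove it so a
      # partial image is never mistaken for a complete, checked download.
      rm -f -- "${out}"
      echo "Error: failed to download ${url} after 2 tries." >&2
      echo " Please check your network connectivity." >&2
      exit 1
    fi
  fi
}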
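# 3) Make sure GPG is installed (only the presence of a `gpg` command is checked)
if ! command -v gpg >/dev/null; then
  echo "Error: gpg is not installed. Please install it and re-run." >&2
  exit 1
fi

# 4) Check for the Arch Linux signing key
# This looks up ARCH_KEY_SEARCH by user-ID text in the invoking user's GnuPG
# keyring. A name match is a convenience check only: it says nothing about
# which key actually signed the ISO, and a user ID can be set freely by
# whoever generates a key. The real decision is made by the signature
# verification step later in the script.
if ! gpg --list-keys "${ARCH_KEY_SEARCH}" >/dev/null 2>&1; then
  echo "Warning: Arch Linux signing key not found in your keyring." >&2
  ans=""
  # -r keeps backslashes literal; an EOF on stdin leaves ans empty => "no".
  read -r -p "Install archlinux-keyring package now? [y/N] " ans || true
  ans=${ans,,} # tolower
  if [[ "${ans}" == "y" || "${ans}" == "yes" ]]; then
    # NOTE(review): `pacman -Sy` without `-u` refreshes the package database
    # without upgrading the system; confirm that is acceptable on this host.
    sudo pacman -Sy --needed archlinux-keyring || {
      echo "Error: could not install archlinux-keyring." >&2
      exit 1
    }
    # archlinux-keyring ships keys for pacman's own keyring; it is not expected
    # to add anything to this user's GnuPG keyring. Re-check and say so now,
    # rather than letting a later "no public key" failure be read as tampering.
    if ! gpg --list-keys "${ARCH_KEY_SEARCH}" >/dev/null 2>&1; then
      echo "Warning: key still not found in your GnuPG keyring after installing archlinux-keyring." >&2
      echo "         Verification may fail until the ISO signing key is imported into it." >&2
    fi
  else
    echo "Cannot verify ISO without the Arch key. Aborting." >&2
    exit 1
  fi
fi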
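# 5) Download the ISO and its .sig
# Both files come from the same mirror, so the mirror is not a trust anchor:
# everything depends on which key the signature is checked against.
download_with_retry "${ISO_URL}" "${TARGET_DIR}/${ISO_NAME}"
download_with_retry "${SIG_URL}" "${TARGET_DIR}/${SIG_NAME}"

# 6) Verify the ISO against the signature
# `gpg --verify` exits 0 for a good signature made by ANY key in the keyring,
# trusted or not. To bind the result to a specific signer, set the optional
# environment variable ARCH_ISO_SIGNER_FPR to the full fingerprint published on
# the Arch Linux download page (spaces allowed, case-insensitive). When it is
# unset the check behaves as before, but the signer fingerprint is printed so
# it can be compared by hand.
echo " -> Verifying the ISO with GPG..."
expected_fpr=${ARCH_ISO_SIGNER_FPR:-}
expected_fpr=${expected_fpr// /}
expected_fpr=${expected_fpr^^}

# Machine-readable status goes to stdout (captured); gpg's human-readable
# report still reaches the terminal on stderr.
gpg_ok=1
gpg_status=$(gpg --status-fd 1 --verify \
  "${TARGET_DIR}/${SIG_NAME}" "${TARGET_DIR}/${ISO_NAME}") || gpg_ok=0

# VALIDSIG carries the signing (sub)key fingerprint as its first argument and
# the primary key fingerprint as its last one; collect both, de-duplicated.
signer_fprs=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; if (NF > 3) print $NF }' \
  <<<"${gpg_status}" | awk '!seen[$0]++')

verified=0
pin_mismatch=0
if (( gpg_ok )) && [[ -n "${signer_fprs}" ]]; then
  if [[ -z "${expected_fpr}" ]]; then
    verified=1
  elif grep -qxF -- "${expected_fpr}" <<<"${signer_fprs}"; then
    verified=1
  else
    pin_mismatch=1
  fi
fi

if (( verified )); then
  echo
  echo "SUCCESS: The ISO signature is valid."
  echo "Signature made by key fingerprint(s):"
  printf '%s\n' "${signer_fprs}" | sed 's/^/    /'
  if [[ -z "${expected_fpr}" ]]; then
    echo "NOTE: no signer fingerprint was pinned (ARCH_ISO_SIGNER_FPR is unset)." >&2
    echo "      Compare the fingerprint above with the one published by Arch Linux." >&2
  fi
  echo "You can now burn or mount ${TARGET_DIR}/${ISO_NAME} with confidence."
  exit 0
else
  echo >&2
  echo "ERROR: GPG signature verification failed!" >&2
  if (( pin_mismatch )); then
    echo " The signature is valid but was not made by the pinned key ${expected_fpr}." >&2
  elif grep -q '^\[GNUPG:\] NO_PUBKEY ' <<<"${gpg_status}"; then
    # Missing key is a setup problem, not evidence about the file itself.
    echo " The signing key is not in your GnuPG keyring, so the signature could not be checked." >&2
  else
    echo " The downloaded ISO may be corrupted or tampered with." >&2
  fi
  echo " Do not use ${TARGET_DIR}/${ISO_NAME} until verification succeeds." >&2
  exit 1
fi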