feat: verify-signature.sh script

signing/maintainers.asc

@@ -0,0 +1,13 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEZS2ffxYJKwYBBAHaRw8BAQdAjNbYjKILHdph86rsp4mFDG4k6s5rbw33n8MW
+LLzSm9G0Jm1haW50YWluZXJzIDxtYWludGFpbmVyc0BjZWxlc3RpYS5vcmc+iJME
+ExYKADsWIQQByQcXyOYO4ebczbEGnCukYvdd0QUCZS2ffwIbAwULCQgHAgIiAgYV
+CgkICwIEFgIDAQIeBwIXgAAKCRAGnCukYvdd0WqvAQDjx1s5amqAZH0lZZnKshHX
+o2UsXBu9PWAkKlcBWVtW7QEApT10/A05QgjKVIV+brZDVgApJe5Qg4xTN3Y2FZ9T
+zgG4OARlLZ9/EgorBgEEAZdVAQUBAQdAWzD/Pj6q4gBtM/0aUA3bsm5jUGTNjvvW
+kebHPHT1fmcDAQgHiHgEGBYKACAWIQQByQcXyOYO4ebczbEGnCukYvdd0QUCZS2f
+fwIbDAAKCRAGnCukYvdd0RI/AQDcVXVjMx0tPAuxhmzy4ACDt2HDaOB9aZI71O59
+dlN05wD/dgE9/HuNWdxwXe93Cvzw2TmXmnpOQHl5XryA5Drv6go=
+=pMLV
+-----END PGP PUBLIC KEY BLOCK-----

signing/verify-signature.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# This script enables consumers to verify signatures on artifacts that were
+# created via GoReleaser and signed via the [email protected] PGP key.
+#
+# The key's UID is: 01C90717C8E60EE1E6DCCDB1069C2BA462F75DD1
+# The key's name and email is: maintainers <[email protected]>
+
+# Check if the number of arguments is not 2
+if [[ $# -ne 2 ]]; then
+    echo "Error: Exactly two arguments are required."
+    echo "Example usage:"
+    echo "  ./verify-signature.sh <signature-file> <file-to-verify>"
+    exit 1
+fi
+
+KEY_FILENAME="maintainers.asc"
+GITHUB_URL="https://raw.githubusercontent.com/celestiaorg/.github/main/signing/${KEY_FILENAME}"
+
+echo "Downloading the [email protected] public key"
+curl --location ${GITHUB_URL} --output ${KEY_FILENAME}
+
+echo "Importing ${KEY_FILENAME}"
+gpg --import ${KEY_FILENAME}
+
+echo "Deleting ${KEY_FILENAME}"
+rm ${KEY_FILENAME}
+
+echo "Verifying the signature of "$1" with "$2""
+gpg --verify $1 $2