From 4698db44da37b72777fe3ba9a589e49ed82caefc Mon Sep 17 00:00:00 2001
From: Antoine du Hamel
Date: Fri, 3 Oct 2025 16:51:48 +0200
Subject: [PATCH] tools: verify signatures when updating nghttp*
---
 tools/dep_updaters/nghttp.kbx | Bin 0 -> 3171 bytes
 tools/dep_updaters/update-nghttp2.sh | 11 ++++++-----
 tools/dep_updaters/update-nghttp3.sh | 8 ++++++--
 3 files changed, 12 insertions(+), 7 deletions(-)
 create mode 100644 tools/dep_updaters/nghttp.kbx
diff --git a/tools/dep_updaters/nghttp.kbx b/tools/dep_updaters/nghttp.kbx new file mode 100644 index 0000000000000000000000000000000000000000..60ad5134ecc66aaf9a7830cf17a594dd6d940a3d GIT binary patch literal 3171 zcmZuzc{tSD8~@H?Hw=S}EMwndEMu6FtXbpQl4Ybx_MPE|t|VEfD55N3B(h6nWKTkB zBrcMyDRiylVhTUHPru*qkNZB)Ip;m^d*1h)=Q*F}^S%H8pgN&2^@;|)Y$mZ zIMV+SPD3#0r}h8qP*Zcf=No< z65b9+X^Wfws&o44%$Kc8(1I~YJ3jc6uc0BSO3JBl?0Py8QP4VX* z0ziMR|1urE@F)_v528TL3Z+myP~dvK6hUTE_|!wHWaQT()D91>@-Zo)5N54wNZ^hn zbCTUU7BxMYQ^9RV!_WsJ)!pnoTW; z<5m%Dyi(z-L^ZpJo_9EDQ4Os(6L@BF`C0E7{vYdkiL}>&L*@=peto63Pg0WmYh23rg+Z+PT3t z(PJs}fc2ixiF83kuPq_^K7PdCiKvsLUq)q;o>u_T$6wh!DBx7> zA#4uwgMa1+k}g0IJYWFD1U>==_&9`_gN>C10*3N~Ss_pXFa!h^1%Z#n0_<$?U*MIq z0t$20GKXf{V_Hic9?9iTs6NW%-Mj)6UjOV`Nw9I<<66_+J5E_%>cl!O)G`B*!}|a# z7zXtic6|zh16>O6>TIg*v^ymYXPzj4K}Mjpz`%mER-tW;nz}Eg+xG1RRs0wb14z}k$Ccy3(Tib6tx`>N+*xT5rI$hi-gdRPm`xh z#AH05!W)xJC)7$FMYU#1B3E<{dK8_O`5NWrO_(glXEes;b8qNAIU%lL7h#9`F|*?5 zLrRS}-}yw~R3uFbEng=kCnHPC-Z4F}z?Nni`6h~9nOMj; zKOtb!Z%ErrMhooTrbLmUsV^&c&Sr4mp9|G*M`*b-%MW_QH>pTuP#y)&;mrMkWYOme zaw?tX%J=TI5{IR&lVNfzH1pj=4s7;Zdn~EN(CYdz_AaimaSK5!V@-OnVIQWLsZ8Gd? z&=S2QGa)#+N}G!HD?l|`dUM8!!QFMJT_d*F8f4vM_|Ltk z6Y9_I%Llh2y^7U$u;p`N^~!QjQf=dI3U@H9tJ-Zm6ht5sg$@YucI@(e%PH~ngRr-& z3#SqdLMwc6VQn|Zz7NEW!@KD3UzGi(+aC^3oYExll{|1gK3y060XAk6rCg)qDAAx! z-G*7Qd6xBy_ti-i({eD9;b-|0r3Ysto^+v$rc5ej*K(_1a=p0aA?&ObOe>7S|Jlkl z(t4w#-~zzPKLm@woRk|!<$BEaG`s0G++92`H6}egI5^pDlf~`7JhoO!+|E_1c=wlF zUfICGMify$M(Qs`gDSoFbdfz~OlAys4c5Z++9%TE8jZ#4tdial9QqL=w#kJncFfhI z+pd|?HbrA6qM}^R5VcwE9QY{C2jWLDPh?4Z;y5bZ^Ko z^PFC**LACIA=_FnDEey>K$tHQ?hWyYMK9;MOAlC$7$Kr6jA>t(S<8m!8KA(7p@7J~ zBkL2d6cN4E?h-v@Or-*ajTRK?=u{4awhu5Vr1D1Cmn2p9{}L7y_On{T;lQkH?x<4x zlLgpAJ$A>8owRb>v+uoMxiy&O`%ARaVHNt3i&_*=-XAOvc~+fm6D)q9uU&}nyQwqa zoFmEsmiAAw{OpqLmGvpFG;6_m)9MV?l!9G1qc?f-$vg{{oZX0wiM(L5kjkyG6g5YU zR!6qw$}x2ew5*l3cSo$49 z0|>>+XJpbDmlbxj%5~8n4MwYxejbDeU)N*;zw{wTQL7LojaO>!%8OoM$goEZj2{2{ifa+! 
z%%L+O9`jXL!$#-&)jC=$TRS9fLvLmD{9F)8De5_!=%kLRe=R#z$gcPYL!wS+G7Z6; z=2%`m8`Jx+F>tI5hYV{-d?Qwl7&5w@o0io~beXb`;?XJLm`c#1I<2ciJqHdq4-#JDL(&!4;P_KVj=m4*RU2NN`}U}^7xqU2)0hq zn4TsOCr?o4vyaw@x^GPW$#*Idc3Yyvny)rf;eYnrWCy)mruKaZOv=}rHqTU{o9Z=R zK2~=&qG?~uw>c1=qocePtY6k2ua%{%T8=XZ&Gr=5UaFsJm=94OIUmMoA(P#fkpIVmJH|@jq#7MZLDKWOj^jNG*bq+3MEOsq0*+_qQla``F zR}bm5W0n_%I8vA&Y$)QV+n{T9_Jl6fpqZp_TY0(+`J9VsoqA2dIi_NpXP6@ zjGFHp;lc&q+-S=5Y{Mc#+mI&~{E^TaHtDJYm?Pv?8m3 zxJP*<)w;-699D$fUC!|-GT5#mle9hhdI~Px7{jvOywkj};ZI|0rEHAf*ed>ljJ@=r z@1^oN=gGVspLIh;i8o5|L1i4pl+b-)M5@b0+56MGr4N(Le%33tU#$}7|Mx`YPC$YA zi`HHeZ05x`IM3qVw!_QJfmeS3g-?Te)HFILZlymPp*hgMT8f+LF@8~u!e|lw;EV2G R&(j=7bl;;aF~W_T{{e$Li(dc$ literal 0 HcmV?d00001
diff --git a/tools/dep_updaters/update-nghttp2.sh b/tools/dep_updaters/update-nghttp2.sh
index ccb36caae13d4d..c19dedf1ca203f 100755
--- a/tools/dep_updaters/update-nghttp2.sh
+++ b/tools/dep_updaters/update-nghttp2.sh
@@ -42,18 +42,19 @@ cleanup () {
 trap cleanup INT TERM EXIT
 NGHTTP2_REF="v$NEW_VERSION"
-NGHTTP2_TARBALL="nghttp2-$NEW_VERSION.tar.gz"
+NGHTTP2_TARBALL="nghttp2-$NEW_VERSION.tar.xz"
 cd "$WORKSPACE"
 echo "Fetching nghttp2 source archive"
 curl -sL -o "$NGHTTP2_TARBALL" "https://github.com/nghttp2/nghttp2/releases/download/$NGHTTP2_REF/$NGHTTP2_TARBALL"
-DEPOSITED_CHECKSUM=$(curl -sL "https://github.com/nghttp2/nghttp2/releases/download/$NGHTTP2_REF/checksums.txt" | grep "$NGHTTP2_TARBALL")
+echo "Verifying PGP signature"
+curl -sL "https://github.com/nghttp2/nghttp2/releases/download/${NGHTTP2_REF}/${NGHTTP2_TARBALL}.asc" \
+| gpgv --keyring "$BASE_DIR/tools/dep_updaters/nghttp.kbx" "$NGHTTP2_TARBALL"
-log_and_verify_sha256sum "nghttp2" "$NGHTTP2_TARBALL" "$DEPOSITED_CHECKSUM"
-
-gzip -dc "$NGHTTP2_TARBALL" | tar xf -
+echo "Unpacking archive"
+tar xJf "$NGHTTP2_TARBALL"
 rm "$NGHTTP2_TARBALL"
 mv "nghttp2-$NEW_VERSION" nghttp2
diff --git a/tools/dep_updaters/update-nghttp3.sh b/tools/dep_updaters/update-nghttp3.sh
index 1a4df351b8abba..dc71735300de35 100755
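Review bot: In update-nghttp2.sh the added `gpgv` line is given only `"$NGHTTP2_TARBALL"`, so the detached signature that curl writes to the pipe is never read; gpgv takes its first file argument as the signature and the following ones as the signed data, which is why the update-nghttp3.sh hunk of this same patch passes `-` before the archive name. As written gpgv would try to parse the tarball itself as signed OpenPGP data, which should fail rather than falsely succeed, but the `.asc` is never checked against the archive. The line should read `| gpgv --keyring "$BASE_DIR/tools/dep_updaters/nghttp.kbx" - "$NGHTTP2_TARBALL"`. Neither curl call uses `--fail`, so an HTTP error body would be saved as the tarball or piped to gpgv; that still ends in a verification failure, but it only stops the unpack if the script aborts on a non-zero status, and its shell options are set outside this hunk.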
--- a/tools/dep_updaters/update-nghttp3.sh
+++ b/tools/dep_updaters/update-nghttp3.sh
@@ -48,8 +48,12 @@ cd "$WORKSPACE"
 echo "Fetching nghttp3 source archive..."
 curl -sL -o "$ARCHIVE_BASENAME.tar.xz" "https://github.com/ngtcp2/nghttp3/releases/download/${NGHTTP3_REF}/${ARCHIVE_BASENAME}.tar.xz"
-SHA256="$(curl -sL "https://github.com/ngtcp2/nghttp3/releases/download/${NGHTTP3_REF}/checksums.txt" | grep 'tar.xz$')"
-log_and_verify_sha256sum "nghttp3" "$ARCHIVE_BASENAME.tar.xz" "$SHA256"
+
+echo "Verifying PGP signature..."
+curl -sL "https://github.com/ngtcp2/nghttp3/releases/download/${NGHTTP3_REF}/${ARCHIVE_BASENAME}.tar.xz.asc" \
+| gpgv --keyring "$BASE_DIR/tools/dep_updaters/nghttp.kbx" - "$ARCHIVE_BASENAME.tar.xz"
+
+echo "Unpacking archive..."
 tar -xJf "$ARCHIVE_BASENAME.tar.xz"
 rm "$ARCHIVE_BASENAME.tar.xz"
 mv "$ARCHIVE_BASENAME" nghttp3
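Review bot: The `gpgv --keyring "$BASE_DIR/tools/dep_updaters/nghttp.kbx"` call accepts a signature from any key in that keybox, and the keybox arrives in this patch as an opaque binary, so nothing in the diff tells a reviewer which signer is being pinned. A comment above the pipeline would make later keyring changes auditable, for example `# nghttp.kbx holds the nghttp2/nghttp3 release signing key(s): <KEY FINGERPRINT(S)>; rebuilt with <COMMAND>`; the same comment belongs on the gpgv call in update-nghttp2.sh. Whether a failed verification stops the script before `tar -xJf` depends on `set -e` or an equivalent, which is set outside this hunk; if it is not in effect, append `|| exit 1` to the gpgv line.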