{"id":28548217,"url":"https://github.com/mralias/attest-sh","last_synced_at":"2026-05-14T23:41:43.629Z","repository":{"id":296266748,"uuid":"992810098","full_name":"MrAlias/attest-sh","owner":"MrAlias","description":"Bash script used to verify the contents of a GitHub release tarball against the original repository.","archived":false,"fork":false,"pushed_at":"2025-06-26T18:09:09.000Z","size":15,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-07-02T15:43:11.925Z","etag":null,"topics":["bash","tar"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MrAlias.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-29T18:44:29.000Z","updated_at":"2025-06-26T18:09:13.000Z","dependencies_parsed_at":"2025-05-29T20:27:52.969Z","dependency_job_id":"eb8d26ec-f6bc-4559-80fb-d24bb11c7d33","html_url":"https://github.com/MrAlias/attest-sh","commit_stats":null,"previous_names":["mralias/attest-sh"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/MrAlias/attest-sh","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MrAlias%2Fattest-sh","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MrAlias%2Fattest-sh/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MrAlias%2Fattest-sh/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MrAlias%2Fattest-sh/manifests","o
wner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MrAlias","download_url":"https://codeload.github.com/MrAlias/attest-sh/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MrAlias%2Fattest-sh/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":267294180,"owners_count":24065343,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-27T02:00:11.917Z","response_time":82,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bash","tar"],"created_at":"2025-06-10T01:09:23.745Z","updated_at":"2026-05-14T23:41:43.600Z","avatar_url":"https://github.com/MrAlias.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 🔬 attest\n\nThis is a simple tool to verify the contents of a GitHub release tarball or zip file against the original repository.\n\n## 📋 What This Script Does\n\n- Extracts a `.tar.gz` or `.zip` archive.\n- Compares each Git-tracked file against its counterpart in the archive.\n- Verifies:\n  - File content (SHA-256 hash)\n  - File permission modes when applicable (e.g., `0644`, `0755`)\n- Reports:\n  - Missing files in the archive\n  - Extra files in the archive\n  - Mismatches in content or mode\n\n## 🧪 Getting Started\n\n### 🔧 Prerequisites\n\n#### ✅ System Requirements\n\n- **Operating System**: Unix-like system (Linux, macOS, WSL)\n- **Bash**: Bash 4.x or higher 
(required for associative arrays)\n- **git**: Used to list and verify tracked files (`git ls-files`)\n- **unzip**: Used to extract zip archives\n\n#### ✅ Required Command-Line Tools\n\nThe following standard tools must be available in your system's `PATH`:\n\n| Tool         | Purpose                                   |\n|--------------|-------------------------------------------|\n| `tar`        | Extract `.tar.gz` files                   |\n| `sha256sum`  | Compute and compare file content hashes   |\n| `stat`       | Check file permission modes               |\n| `realpath`   | Resolve absolute paths                    |\n| `find`       | Enumerate files in the archive            |\n| `awk`        | Extract values from CLI output            |\n| `mktemp`     | Safely create temporary directories       |\n\n##### macOS Users\n\nmacOS includes BSD versions of `stat` and does not include `sha256sum`.\nInstall GNU core utilities using Homebrew:\n\n```sh\nbrew install coreutils\n```\n\nThen update the script to use:\n\n- `gsha256sum` instead of `sha256sum`\n- `gstat` instead of `stat`\n\n## 🚀 Installation\n\n1. **Download the Script**\n    Save the [`attest`](./attest) file to your local machine.\n2. 
**Make It Executable**\n\n    ```sh\n    chmod +x attest\n    ```\n\n## 🏁 Usage\n\n```sh\n./attest [-v] \u003carchive\u003e [repo-dir]\n```\n\n### Options\n\n- `-v`, `--verbose`: Print each file as it's verified (default: silent unless mismatch occurs)\n\n### Arguments\n\n- `archive`: Path to the `.tar.gz` or `.zip` archive\n- `repo-dir` (optional): Path to the Git repository (defaults to `.`)\n\n## ✅ Example\n\n```sh\n./attest -v dist/myproject-v1.2.3.tar.gz .\n```\n\nExpected output:\n\n```sh\n✅ Match: main.go\n✅ Match: go.mod\n❌ Mismatch: README.md\n❌ Extra file in archive not tracked by Git: debug.log\n```\n\n## 🛑 Exit Codes\n\n- `0`: All checks passed\n- `1`: One or more mismatches found\n\n## 🧹 Cleanup\n\nThe script automatically deletes any temporary directories it creates.\n\n## 🙋‍♀️ Need Help?\n\nFeel free to open an issue or reach out with questions!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmralias%2Fattest-sh","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmralias%2Fattest-sh","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmralias%2Fattest-sh/lists"}