From bea2bf1dacb3e4df4418e51125a9358dc46a771b Mon Sep 17 00:00:00 2001
From: Anthony Metzidis
Date: Wed, 11 Dec 2024 11:52:28 -0800
Subject: [PATCH] add signature verification
---
 README.md | 15 +++++++++++++++
 lite-release.sh | 2 +-
 public-key.pub | 4 ++++
 3 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100755 public-key.pub
diff --git a/README.md b/README.md
index 0508168..93b12b8 100644
--- a/README.md
+++ b/README.md
@@ -29,6 +29,21 @@ $ curl -LO https://github.com/tonymet/gcloud-lite/releases/download/472.0.0/goog
 $ tar -zxf *gz
 ```
+## Verifying .tgz Release Signature
+`public-key.pub` is found in this repo
+`ARCHIVE` & `ARCHIVE.sig` are included in each release
+*Verified OK* is expected for a good signature.
+```
+PUBLIC_KEY=public-key.pub
+ARCHIVE=google-cloud-cli-487.0.0-linux-x86_64-lite.tar.gz
+openssl dgst -verify "${PUBLIC_KEY}" \
+ -signature "${ARCHIVE}.sig"
+ "${ARCHIVE}"
+Verified OK
+```
+
+
+
 ## Benchmarks
 Tested on GCP Compute Instance e2-medium
 | Image | Time | Improvement |
diff --git a/lite-release.sh b/lite-release.sh
index 7d2fa18..4e14b38 100755
--- a/lite-release.sh
+++ b/lite-release.sh
@@ -7,7 +7,7 @@ die () {
 [[ -v PROJECT ]] || die "\$PROJECT is unset"
 [[ -v OBJECT ]] || die "\$OBJECT is unset"
 [[ -v BUCKET ]] || die "\$BUCKET is unset"
-[[ -v KMS_KEYPATH ]] || die "\$KMS_KEY_PATH is unset"
+[[ -v KMS_KEYPATH ]] || die "\$KMS_KEYPATH is unset"
 build_tarball(){
 [[ -v 1 ]] || die "\$1 is unset"
 [[ -v CLOUD_SDK_VERSION ]] || die "CLOUD_SDK_VERSION is unset"
diff --git a/public-key.pub b/public-key.pub
new file mode 100755
index 0000000..059f832
--- /dev/null
+++ b/public-key.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHRBC+jfmUKS1uwF7a46kx6/nthdJ
+Sah1TVY2i2TuEMGyVW/4+diMSxVB4BILwtKhv5ZUiGwSlvioKGsShh3yTA==
+-----END PUBLIC KEY-----
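Review bot: The guard on the changed line in lite-release.sh still uses `[[ -v KMS_KEYPATH ]]`, which only tests that the variable is set, so `KMS_KEYPATH=""` passes and the script would presumably reach the signing step with an empty key path. Because this variable names the signing key, a stricter check such as `[[ -n "${KMS_KEYPATH:-}" ]] || die "\$KMS_KEYPATH is unset or empty"` would fail earlier and more clearly. The same applies to the PROJECT, OBJECT and BUCKET guards above it. The rest of the script, including the body of build_tarball, lies outside this hunk.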
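Review bot: public-key.pub is created with `new file mode 100755`, but a PEM public key is data and should be committed as 100644 so that nothing treats it as executable. The key is the trust anchor for release verification, yet it ships from the same repository as the releases; publishing its fingerprint through an independent channel would let users notice a replaced key. As shown in this patch, the README command that uses the key has no trailing `\` after `-signature "${ARCHIVE}.sig"`, so `"${ARCHIVE}"` is not passed to `openssl dgst`, and a copy-pasted command would not verify the archive. Naming the digest explicitly (for example `-sha256`, if that is what the signing key uses) would also keep verification from depending on the local openssl default.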