Verify checksums of packages downloaded by scripts

This commit is contained in:
Kamil Śliwak 2021-09-24 14:38:52 +02:00
parent 59e8bbb1d7
commit 091e15d6da
4 changed files with 36 additions and 0 deletions

View File

@ -35,6 +35,21 @@
set -eu set -eu
function validate_checksum {
local package="$1"
local expected_checksum="$2"
local actual_checksum
actual_checksum=$(sha256sum "$package")
if [[ $actual_checksum != "${expected_checksum} ${package}" ]]
then
>&2 echo "ERROR: Wrong checksum for package $package."
>&2 echo "Actual: $actual_checksum"
>&2 echo "Expected: $expected_checksum"
exit 1
fi
}
if [ ! -f /usr/local/lib/libz3.a ] # if this file does not exists (cache was not restored), rebuild dependencies if [ ! -f /usr/local/lib/libz3.a ] # if this file does not exists (cache was not restored), rebuild dependencies
then then
git -C /usr/local/Homebrew/Library/Taps/homebrew/homebrew-core fetch --unshallow git -C /usr/local/Homebrew/Library/Taps/homebrew/homebrew-core fetch --unshallow
@ -52,6 +67,7 @@ then
z3_dir="z3-${z3_version}-x64-osx-10.15.7" z3_dir="z3-${z3_version}-x64-osx-10.15.7"
z3_package="${z3_dir}.zip" z3_package="${z3_dir}.zip"
wget "https://github.com/Z3Prover/z3/releases/download/z3-${z3_version}/${z3_package}" wget "https://github.com/Z3Prover/z3/releases/download/z3-${z3_version}/${z3_package}"
validate_checksum "$z3_package" a1f6ef3c99456147c4d3f2652dc6bc90951c4ab3fe7741a255eb794f0ab8938c
unzip "$z3_package" unzip "$z3_package"
rm "$z3_package" rm "$z3_package"
cp "${z3_dir}/bin/libz3.a" /usr/local/lib cp "${z3_dir}/bin/libz3.a" /usr/local/lib
@ -63,6 +79,7 @@ then
evmone_version="0.8.0" evmone_version="0.8.0"
evmone_package="evmone-${evmone_version}-darwin-x86_64.tar.gz" evmone_package="evmone-${evmone_version}-darwin-x86_64.tar.gz"
wget "https://github.com/ethereum/evmone/releases/download/v${evmone_version}/${evmone_package}" wget "https://github.com/ethereum/evmone/releases/download/v${evmone_version}/${evmone_package}"
validate_checksum "$evmone_package" e8efef478822f0ed6d0493e89004181e895893f93963152a2a81589acc3a0828
tar xzpf "$evmone_package" -C /usr/local tar xzpf "$evmone_package" -C /usr/local
rm "$evmone_package" rm "$evmone_package"
@ -70,6 +87,7 @@ then
hera_version="0.5.0" hera_version="0.5.0"
hera_package="hera-${hera_version}-darwin-x86_64.tar.gz" hera_package="hera-${hera_version}-darwin-x86_64.tar.gz"
wget "https://github.com/ewasm/hera/releases/download/v${hera_version}/${hera_package}" wget "https://github.com/ewasm/hera/releases/download/v${hera_version}/${hera_package}"
validate_checksum "$hera_package" 190050d7ace384ecd79ec1b1f607a9ff40e196b4eec75932958d4814d221d059
tar xzpf "$hera_package" -C /usr/local tar xzpf "$hera_package" -C /usr/local
rm "$hera_package" rm "$hera_package"
fi fi

View File

@ -33,7 +33,13 @@ REPO_ROOT="$(dirname "$0")"/..
mkdir -p "$SOLDIR/deps/downloads/" 2>/dev/null || true mkdir -p "$SOLDIR/deps/downloads/" 2>/dev/null || true
jsoncpp_version="1.9.3" jsoncpp_version="1.9.3"
jsoncpp_package_path="$SOLDIR/deps/downloads/jsoncpp-${jsoncpp_version}.tar.gz" jsoncpp_package_path="$SOLDIR/deps/downloads/jsoncpp-${jsoncpp_version}.tar.gz"
jsoncpp_sha256=8593c1d69e703563d94d8c12244e2e18893eeb9a8a9f8aa3d09a327aa45c8f7d
wget -O "$jsoncpp_package_path" "https://github.com/open-source-parsers/jsoncpp/archive/${jsoncpp_version}.tar.gz" wget -O "$jsoncpp_package_path" "https://github.com/open-source-parsers/jsoncpp/archive/${jsoncpp_version}.tar.gz"
if ! [ "$(sha256sum "$jsoncpp_package_path")" = "${jsoncpp_sha256} ${jsoncpp_package_path}" ]
then
>&2 echo "ERROR: Downloaded jsoncpp source package has wrong checksum."
exit 1
fi
mkdir -p "$REPO_ROOT/upload" mkdir -p "$REPO_ROOT/upload"
tar --owner 0 --group 0 -czf "$REPO_ROOT/upload/solidity_$versionstring.tar.gz" -C "$TEMPDIR" "solidity_$versionstring" tar --owner 0 --group 0 -czf "$REPO_ROOT/upload/solidity_$versionstring.tar.gz" -C "$TEMPDIR" "solidity_$versionstring"
rm -r "$TEMPDIR" rm -r "$TEMPDIR"

View File

@ -7,12 +7,18 @@ if ( -not (Test-Path "$PSScriptRoot\..\deps\boost") ) {
New-Item -ItemType Directory -Force -Path "$PSScriptRoot\..\deps" New-Item -ItemType Directory -Force -Path "$PSScriptRoot\..\deps"
Invoke-WebRequest -URI "https://github.com/Kitware/CMake/releases/download/v3.18.2/cmake-3.18.2-win64-x64.zip" -OutFile cmake.zip Invoke-WebRequest -URI "https://github.com/Kitware/CMake/releases/download/v3.18.2/cmake-3.18.2-win64-x64.zip" -OutFile cmake.zip
if ((Get-FileHash cmake.zip).Hash -ne "5f4ec834fbd9b62fbf73bc48ed459fa2ea6a86c403106c90fedc2ac76d51612d") {
throw 'Downloaded CMake source package has wrong checksum.'
}
tar -xf cmake.zip tar -xf cmake.zip
mv cmake-3.18.2-win64-x64 "$PSScriptRoot\..\deps\cmake" mv cmake-3.18.2-win64-x64 "$PSScriptRoot\..\deps\cmake"
# FIXME: The default user agent results in Artifactory treating Invoke-WebRequest as a browser # FIXME: The default user agent results in Artifactory treating Invoke-WebRequest as a browser
# and serving it a page that requires JavaScript. # and serving it a page that requires JavaScript.
Invoke-WebRequest -URI "https://boostorg.jfrog.io/artifactory/main/release/1.74.0/source/boost_1_74_0.zip" -OutFile boost.zip -UserAgent "" Invoke-WebRequest -URI "https://boostorg.jfrog.io/artifactory/main/release/1.74.0/source/boost_1_74_0.zip" -OutFile boost.zip -UserAgent ""
if ((Get-FileHash boost.zip).Hash -ne "a0e7ce67c52d816708fdeccdd8c9725626ba61254c13c18770498cacd514710a") {
throw 'Downloaded Boost source package has wrong checksum.'
}
tar -xf boost.zip tar -xf boost.zip
cd boost_1_74_0 cd boost_1_74_0
.\bootstrap.bat .\bootstrap.bat

View File

@ -6,7 +6,13 @@ TEMPDIR=$(mktemp -d)
cd "$TEMPDIR" cd "$TEMPDIR"
jsoncpp_version="1.7.4" jsoncpp_version="1.7.4"
jsoncpp_package="jsoncpp-${jsoncpp_version}.tar.gz" jsoncpp_package="jsoncpp-${jsoncpp_version}.tar.gz"
jsoncpp_sha256=10dcd0677e80727e572a1e462193e51a5fde3e023b99e144b2ee1a469835f769
wget -O "$jsoncpp_package" https://github.com/open-source-parsers/jsoncpp/archive/${jsoncpp_version}.tar.gz wget -O "$jsoncpp_package" https://github.com/open-source-parsers/jsoncpp/archive/${jsoncpp_version}.tar.gz
if ! [ "$(sha256sum "$jsoncpp_package")" = "${jsoncpp_sha256} ${jsoncpp_package}" ]
then
>&2 echo "ERROR: Downloaded jsoncpp source package has wrong checksum."
exit 1
fi
tar xvzf "$jsoncpp_package" tar xvzf "$jsoncpp_package"
cd "jsoncpp-${jsoncpp_version}" cd "jsoncpp-${jsoncpp_version}"
mkdir -p build mkdir -p build