Merge pull request bottlerocket-os#4192 from cbgbt/tl-checksum
install-twoliter: validate binary checksum on install
cbgbt authored and Sparksssj committed Sep 17, 2024
2 parents 26ec2cc + 6875fd3 commit f1325f6
Showing 2 changed files with 13 additions and 4 deletions.
8 changes: 7 additions & 1 deletion Makefile.toml
@@ -9,6 +9,8 @@ BUILDSYS_ROOT_DIR = "${CARGO_MAKE_WORKING_DIRECTORY}"
# for example v0.1.0). For the git sourcecode installation method, this can be
# any git rev, e.g. a tag, sha, or branch name.
TWOLITER_VERSION = "v0.4.5"
TWOLITER_SHA256_AARCH64 = "799103bcc00e1daf931e11eb58630ca7c4d93c14752c3f4dcf25594759e3c3e7"
TWOLITER_SHA256_X86_64 = "b0cd35c0a1257fc98992821eb5ea7a96c021dba166ee2b9d04449b9206b3d941"

# For binary installation, this is the GitHub repository that has binary release artifacts attached
# to it, for example https://github.com/bottlerocket-os/twoliter. For git sourcecode installation,
@@ -271,7 +273,11 @@ if [ "${TWOLITER_REUSE_EXISTING_INSTALL}" = "true" ]; then
fi
if [ "${TWOLITER_ALLOW_BINARY_INSTALL}" = "true" ]; then
flags+=("--allow-binary-install")
if [ "${BUILDSYS_ARCH}" = "aarch64" ]; then
flags+=("--allow-binary-install" "${TWOLITER_SHA256_AARCH64}")
else
flags+=("--allow-binary-install" "${TWOLITER_SHA256_X86_64}")
fi
fi
if [ "${TWOLITER_ALLOW_SOURCE_INSTALL}" = "true" ]; then
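Review bot: The digest is selected by `BUILDSYS_ARCH`, while the install script's visible hunk names the tarball from `host_arch` (`twoliter-${host_arch}-unknown-${host_kernel}-musl`), so the two can disagree. If `BUILDSYS_ARCH` is the build target rather than the host (it is set outside this hunk, so this is inferred), a cross-architecture build would pass the aarch64 digest for an x86_64 download and verification would fail; that fails closed but is hard to diagnose. The `else` branch also treats every non-aarch64 value as x86_64. Consider selecting on the host architecture, and add a comment above the two constants such as `# SHA-256 of the release tarballs for TWOLITER_VERSION; update all three together.`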
9 changes: 6 additions & 3 deletions tools/install-twoliter.sh
@@ -41,7 +41,8 @@ Usage: $0 -r GIT_REPO -v TWOLITER_VERSION -d INSTALL_DIR [-e REUSE_EXISTING] [-b
-d, --directory the directory to install twoliter into
-e, --reuse-existing-install we will skip installation if we find the correct version installed
-b, --allow-binary-install we will try to install a GitHub release-attached binary if the
host we are on is Linux.
host we are on is Linux. Takes an expected sha256 sum for the
binary as input.
-s, --allow-from-source we will install from source using cargo install pointed to a git
repo and rev when binary install is either not allowed or not
possible
@@ -96,7 +97,7 @@ while [[ $# -gt 0 ]]; do
-e|--reuse-existing-install)
reuse_existing="true" ;;
-b|--allow-binary-install)
allow_bin="true" ;;
allow_bin="true"; shift; bin_checksum=$1 ;;
-s|--allow-from-source)
from_source="true" ;;
-k|--skip-version-check)
@@ -143,6 +144,8 @@ if [ "${allow_bin}" = "true" ] ; then
twoliter_target="${host_arch}-unknown-${host_kernel}-musl"
cd "${workdir}"
curl -sSL "${twoliter_release}/twoliter-${twoliter_target}.tar.xz" -o "twoliter.tar.xz"
echo "Checking binary checksum..."
sha256sum -c <<< "${bin_checksum} twoliter.tar.xz"
tar xf twoliter.tar.xz
mv "./twoliter-${twoliter_target}/twoliter" "${dir}"
exit 0
@@ -177,4 +180,4 @@ fi
if [ ! -x "${dir}/twoliter" ] ; then
echo "Could not install twoliter ${version}" >&2
exit 1
fi
fi
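Review bot: The `sha256sum -c` line has no explicit failure handling, so whether a mismatch stops the `tar xf` and `mv` that follow depends on `set -e` being in effect, which is not visible in this hunk. Making the abort explicit keeps the check enforced regardless of shell options: `sha256sum -c <<< "${bin_checksum} twoliter.tar.xz" || { echo "twoliter checksum verification failed" >&2; exit 1; }`. In the option parser, `shift; bin_checksum=$1` takes whatever follows `-b`, including nothing at all or the next flag. Rejecting values that do not match `^[0-9a-fA-F]{64}$` before the download would give a clear usage error instead of a format complaint from sha256sum. Both the `while` loop and the binary-install branch start and end outside the hunks shown.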
