build: Download and validate tarball checksum before signing

Signed-off-by: David Goulet <dgoulet@torproject.org>

build.sh

@@ -11,6 +11,9 @@ T_RESET=$(tput sgr0 || true)
 KEYID=${KEYID:-}
 KEYID_OPT=${KEYID_OPT:-}
 
+# Common values
+GITLAB_CI_RELEASE_URL="https://gitlab.torproject.org/tpo/core/tor-ci-release"
+
 function die()
 {
     echo "${T_BOLD}${T_RED}FATAL ERROR:${T_RESET} $*" 1>&2
@@ -35,6 +38,24 @@ function usage()
     echo
 }
 
+function download()
+{
+    local URL="$1"
+
+    OPTS="-O"
+    if [ -n "$2" ]; then
+        OPTS="-o $2"
+    fi
+
+    # If "OPTS" are quoted, the filename ends up with an extra whitespace.
+    # shellcheck disable=SC2086
+    http_code=$(curl -L -w "%{http_code}" $OPTS "$URL")
+    # shellcheck disable=SC2181
+    if [ "$?" -ne 0 ] || [ "$http_code" -ne 200 ]; then
+        die "Failed to download $URL. HTTP code: $http_code. Stopping"
+    fi
+}
+
 while getopts "hk:" opt; do
     case "$opt" in
         h) usage
@@ -56,15 +77,15 @@ BUILD="$(pwd)/build"
 SIGS_DIRPATH="$(pwd)/sigs"
 
 # Create the directory hierarchy we need.
-runcmd mkdir -p $BUILD
-runcmd mkdir -p $SIGS_DIRPATH
+runcmd mkdir -p "$BUILD"
+runcmd mkdir -p "$SIGS_DIRPATH"
 
 # Get in the build directory and start the process.
 runcmd cd "$BUILD"
 
 # Get the Tor CI release repository to use to build tarball(s).
 if [ ! -d "tor-ci-release" ]; then
-    runcmd git clone https://gitlab.torproject.org/tpo/core/tor-ci-release.git
+    runcmd git clone "$GITLAB_CI_RELEASE_URL"
 else
     runcmd git pull
 fi
@@ -72,11 +93,8 @@ runcmd cd tor-ci-release/
 
 # Fetch the version artifacts so we can learn which version and which branch
 # to use to build the tarballs.
-URL="https://gitlab.torproject.org/tpo/core/tor-ci-release/-/jobs/artifacts/main/download?job=validation"
-http_code=$(curl -L -w "%{http_code}" -o artifacts.zip $URL)
-if [ "$?" -ne 0 ] || [ "$http_code" -ne 200 ]; then
-    die "Failed to download latest artifacts. Was the latest build successful? See $URL"
-fi
+URL="$GITLAB_CI_RELEASE_URL/-/jobs/artifacts/main/download?job=validation"
+download "$URL" "artifacts.zip"
 runcmd unzip -o artifacts.zip
 
 # Export these variables for the Tor CI release build script. We hijack those
@@ -87,7 +105,7 @@ export TARBALLS_DIR="$BUILD/tarballs"
 export BUILDDIR="/"
 
 # Create the tarball directory.
-runcmd mkdir -p $TARBALLS_DIR
+runcmd mkdir -p "$TARBALLS_DIR"
 
 # That is another thing that the build script needs. The CI passes it so w
 # Build all versions
@@ -101,6 +119,18 @@ for file in "$VERSIONS_DIR"/*
 do
     # Get version from file
     VERSION=$(basename "$file")
+    TARBALL_FNAME="tor-$VERSION.tar.gz"
+    CHECKSUM_FNAME="$TARBALL_FNAME.sha256sum"
+
+    # Get checksum for that verion from the release pipeline
+    URL="$GITLAB_CI_RELEASE_URL/-/jobs/artifacts/main/raw/artifacts/tarballs/$CHECKSUM_FNAME?job=maintained"
+    download "$URL" "$BUILD/$CHECKSUM_FNAME"
+
+    # Validate the checksum we created versus the one from the pipeline.
+    if ! diff "$BUILD/$CHECKSUM_FNAME" "$TARBALLS_DIR/$CHECKSUM_FNAME"; then
+        die "Checksum don't validate. We have $(cat "$BUILD/$CHECKSUM_FNAME") but CI has $(cat "$TARBALLS_DIR/$CHECKSUM_FNAME")"
+    fi
+    echo "${T_BOLD}${T_GREEN}Checksums match for $TARBALL_FNAME.${T_RESET}"
 
     # Tarballs signature directory
     SIG_DIR="$SIGS_DIRPATH/$VERSION"
@@ -112,7 +142,8 @@ do
     fi
 
     # Sign the tarball.
-    runcmd gpg -o "$SIG_DIR/tmp.asc" -ba $KEYID_OPT "$TARBALLS_DIR/tor-$VERSION.tar.gz"
+    # shellcheck disable=SC2086
+    runcmd gpg -o "$SIG_DIR/tmp.asc" -ba $KEYID_OPT "$TARBALLS_DIR/$CHECKSUM_FNAME"
     # Get KeyID of the signed file to identify the file.
     keyid=$(gpg --list-packets "$SIG_DIR/tmp.asc" | grep "keyid" | awk '{print $NF}')
     if [ -z "$keyid" ]; then