Commit ebaab321 authored by David Goulet's avatar David Goulet 🔆
Browse files

build: Download and validate tarball checksum before signing


Signed-off-by: David Goulet's avatarDavid Goulet <dgoulet@torproject.org>
parent 736840b6
......@@ -11,6 +11,9 @@ T_RESET=$(tput sgr0 || true)
KEYID=${KEYID:-}
KEYID_OPT=${KEYID_OPT:-}
# Common values
GITLAB_CI_RELEASE_URL="https://gitlab.torproject.org/tpo/core/tor-ci-release"
function die()
{
echo "${T_BOLD}${T_RED}FATAL ERROR:${T_RESET} $*" 1>&2
......@@ -35,6 +38,24 @@ function usage()
echo
}
function download()
{
local URL="$1"
OPTS="-O"
if [ -n "$2" ]; then
OPTS="-o $2"
fi
# If "OPTS" are quoted, the filename ends up with an extra whitespace.
# shellcheck disable=SC2086
http_code=$(curl -L -w "%{http_code}" $OPTS "$URL")
# shellcheck disable=SC2181
if [ "$?" -ne 0 ] || [ "$http_code" -ne 200 ]; then
die "Failed to download $URL. HTTP code: $http_code. Stopping"
fi
}
while getopts "hk:" opt; do
case "$opt" in
h) usage
......@@ -56,15 +77,15 @@ BUILD="$(pwd)/build"
SIGS_DIRPATH="$(pwd)/sigs"
# Create the directory hierarchy we need.
runcmd mkdir -p $BUILD
runcmd mkdir -p $SIGS_DIRPATH
runcmd mkdir -p "$BUILD"
runcmd mkdir -p "$SIGS_DIRPATH"
# Get in the build directory and start the process.
runcmd cd "$BUILD"
# Get the Tor CI release repository to use to build tarball(s).
if [ ! -d "tor-ci-release" ]; then
runcmd git clone https://gitlab.torproject.org/tpo/core/tor-ci-release.git
runcmd git clone "$GITLAB_CI_RELEASE_URL"
else
runcmd git pull
fi
......@@ -72,11 +93,8 @@ runcmd cd tor-ci-release/
# Fetch the version artifacts so we can learn which version and which branch
# to use to build the tarballs.
URL="https://gitlab.torproject.org/tpo/core/tor-ci-release/-/jobs/artifacts/main/download?job=validation"
http_code=$(curl -L -w "%{http_code}" -o artifacts.zip $URL)
if [ "$?" -ne 0 ] || [ "$http_code" -ne 200 ]; then
die "Failed to download latest artifacts. Was the latest build successful? See $URL"
fi
URL="$GITLAB_CI_RELEASE_URL/-/jobs/artifacts/main/download?job=validation"
download "$URL" "artifacts.zip"
runcmd unzip -o artifacts.zip
# Export these variables for the Tor CI release build script. We hijack those
......@@ -87,7 +105,7 @@ export TARBALLS_DIR="$BUILD/tarballs"
export BUILDDIR="/"
# Create the tarball directory.
runcmd mkdir -p $TARBALLS_DIR
runcmd mkdir -p "$TARBALLS_DIR"
# That is another thing that the build script needs. The CI passes it so w
# Build all versions
......@@ -101,6 +119,18 @@ for file in "$VERSIONS_DIR"/*
do
# Get version from file
VERSION=$(basename "$file")
TARBALL_FNAME="tor-$VERSION.tar.gz"
CHECKSUM_FNAME="$TARBALL_FNAME.sha256sum"
# Get checksum for that verion from the release pipeline
URL="$GITLAB_CI_RELEASE_URL/-/jobs/artifacts/main/raw/artifacts/tarballs/$CHECKSUM_FNAME?job=maintained"
download "$URL" "$BUILD/$CHECKSUM_FNAME"
# Validate the checksum we created versus the one from the pipeline.
if ! diff "$BUILD/$CHECKSUM_FNAME" "$TARBALLS_DIR/$CHECKSUM_FNAME"; then
die "Checksum don't validate. We have $(cat "$BUILD/$CHECKSUM_FNAME") but CI has $(cat "$TARBALLS_DIR/$CHECKSUM_FNAME")"
fi
echo "${T_BOLD}${T_GREEN}Checksums match for $TARBALL_FNAME.${T_RESET}"
# Tarballs signature directory
SIG_DIR="$SIGS_DIRPATH/$VERSION"
......@@ -112,7 +142,8 @@ do
fi
# Sign the tarball.
runcmd gpg -o "$SIG_DIR/tmp.asc" -ba $KEYID_OPT "$TARBALLS_DIR/tor-$VERSION.tar.gz"
# shellcheck disable=SC2086
runcmd gpg -o "$SIG_DIR/tmp.asc" -ba $KEYID_OPT "$TARBALLS_DIR/$CHECKSUM_FNAME"
# Get KeyID of the signed file to identify the file.
keyid=$(gpg --list-packets "$SIG_DIR/tmp.asc" | grep "keyid" | awk '{print $NF}')
if [ -z "$keyid" ]; then
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment