Skip to content

Commit

Permalink
ci: pull and verify artifact shasum on update
Browse files Browse the repository at this point in the history
Signed-off-by: Austin Vazquez <[email protected]>
  • Loading branch information
austinvazquez committed Jul 15, 2024
1 parent c339a84 commit c4ff37a
Show file tree
Hide file tree
Showing 4 changed files with 29 additions and 2 deletions.
4 changes: 4 additions & 0 deletions bin/update-deps.sh
Original file line number Diff line number Diff line change
Expand Up @@ -37,12 +37,16 @@ aarch64_deps=$(find_latest_object_match_from_s3 "${AARCH64_FILENAME_PATTERN}" "$
aarch64_deps_shasum_url="${DEPENDENCY_CLOUDFRONT_URL}/${aarch64_deps}.sha512sum"
aarch64_deps_shasum=$(curl -L --fail "${aarch64_deps_shasum_url}")

pull_artifact_and_verify_shasum "${DEPENDENCY_CLOUDFRONT_URL}/${aarch64_deps}" "${aarch64_deps_shasum}"

amd64_deps=$(find_latest_object_match_from_s3 "${AMD64_FILENAME_PATTERN}" "${dependency_bucket}/${X86_64}")
[[ -z "$amd64_deps" ]] && { echo "Error: x86_64 dependency not found"; exit 1; }

amd64_deps_shasum_url="${DEPENDENCY_CLOUDFRONT_URL}/${amd64_deps}.sha512sum"
amd64_deps_shasum=$(curl -L --fail "${amd64_deps_shasum_url}")

pull_artifact_and_verify_shasum "${DEPENDENCY_CLOUDFRONT_URL}/${amd64_deps}" "${amd64_deps_shasum}"

# Update bundles file with latest artifacts and digests.
BUNDLES_FILE="${PROJECT_ROOT}/deps/lima-bundles.conf"
truncate -s 0 "${BUNDLES_FILE}"
Expand Down
8 changes: 6 additions & 2 deletions bin/update-os-image.sh
Original file line number Diff line number Diff line change
Expand Up @@ -36,23 +36,27 @@ aarch64_deps=$(find_latest_object_match_from_s3 "${AARCH64_FILENAME_PATTERN}" "$
aarch64_deps_shasum_url="${DEPENDENCY_CLOUDFRONT_URL}/${aarch64_deps}.sha512sum"
aarch64_deps_shasum=$(curl -L --fail "${aarch64_deps_shasum_url}")

pull_artifact_and_verify_shasum "${DEPENDENCY_CLOUDFRONT_URL}/${aarch64_deps}" "${aarch64_deps_shasum}"

amd64_deps=$(find_latest_object_match_from_s3 "${AMD64_FILENAME_PATTERN}" "${dependency_bucket}")
[[ -z "$amd64_deps" ]] && { echo "Error: x86_64 dependency not found"; exit 1; }

amd64_deps_shasum_url="${DEPENDENCY_CLOUDFRONT_URL}/${amd64_deps}.sha512sum"
amd64_deps_shasum=$(curl -L --fail "${amd64_deps_shasum_url}")

pull_artifact_and_verify_shasum "${DEPENDENCY_CLOUDFRONT_URL}/${amd64_deps}" "${amd64_deps_shasum}"

# Update base os file with latest artifacts and digests
OS_FILE="${PROJECT_ROOT}/deps/full-os.conf"
truncate -s 0 "${OS_FILE}"
{
echo "ARTIFACT_BASE_URL=${DEPENDENCY_CLOUDFRONT_URL}"
echo ""
echo "# From https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Cloud/aarch64/images/"
echo "AARCH64_ARTIFACT=${aarch64_deps}"
echo "AARCH64_ARTIFACT=$(basename "${aarch64_deps}")"
echo "AARCH64_512_DIGEST=${aarch64_deps_shasum}"
echo ""
echo "# From https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Cloud/x86_64/images/"
echo "X86_64_ARTIFACT=${amd64_deps}"
echo "X86_64_ARTIFACT=$(basename "${amd64_deps}")"
echo "X86_64_512_DIGEST=${amd64_deps_shasum}"
} >> "${OS_FILE}"
2 changes: 2 additions & 0 deletions bin/update-rootfs.sh
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,8 @@ amd64_deps=$(find_latest_object_match_from_s3 "${AMD64_FILENAME_PATTERN}" "${dep
amd64_deps_shasum_url="${DEPENDENCY_CLOUDFRONT_URL}/${amd64_deps}.sha512sum"
amd64_deps_shasum=$(curl -L --fail "${amd64_deps_shasum_url}")

pull_artifact_and_verify_shasum "${DEPENDENCY_CLOUDFRONT_URL}/${amd64_deps}" "${amd64_deps_shasum}"

# Update rootfs file with latest artifacts and digests
ROOTFS_FILE="${PROJECT_ROOT}/deps/rootfs.conf"
truncate -s 0 "${ROOTFS_FILE}"
Expand Down
17 changes: 17 additions & 0 deletions bin/utility.sh
Original file line number Diff line number Diff line change
Expand Up @@ -22,3 +22,20 @@ find_latest_object_match_from_s3() {

echo "$object"
}

# pull_artifact_and_verify_shasum is a function for pulling a Finch core
# artifact and verifying its shasum.
#
# @param artifact_url - URL to artifact
# @param expected_shasum - the expected SHA512SUM for the artifact
pull_artifact_and_verify_shasum() {
local artifact_url="$1"
local expected_shasum="$2"

local artifact
artifact=$(basename "$artifact_url")

curl -L --fail "${artifact_url}" > "${artifact}"
shasum --algorithm 512 "${artifact}" | cut -d ' ' -f 1 | grep -xq "^${expected_shasum}$" || \
(echo "error: shasum verification failed for \"${artifact}\" dependency" && rm -f "${artifact}" && exit 1)
}

0 comments on commit c4ff37a

Please sign in to comment.