ci: pull and verify artifact shasum on update

Signed-off-by: Austin Vazquez <[email protected]>
runfinch · Jul 15, 2024 · d709fb2 · d709fb2
1 parent 598856d
commit d709fb2
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 5 deletions.
diff --git a/bin/update-deps.sh b/bin/update-deps.sh
@@ -32,28 +32,34 @@ done
 
 aarch64_deps=$(find_latest_object_match_from_s3 "${AARCH64_FILENAME_PATTERN}" "${dependency_bucket}/${AARCH64}")
 [[ -z "$aarch64_deps" ]] && { echo "Error: aarch64 dependency not found"; exit 1; }
+aarch64_artifact=$(basename "${aarch64_deps}")
 
 # Need to pull the shasum of the artifact to store for later verification.
 aarch64_deps_shasum_url="${DEPENDENCY_CLOUDFRONT_URL}/${aarch64_deps}.sha512sum"
 aarch64_deps_shasum=$(curl -L --fail "${aarch64_deps_shasum_url}")
 
+pull_artifact_and_verify_shasum "${DEPENDENCY_CLOUDFRONT_URL}/${aarch64_deps}" "${aarch64_deps_shasum}"
+
 amd64_deps=$(find_latest_object_match_from_s3 "${AMD64_FILENAME_PATTERN}" "${dependency_bucket}/${X86_64}")
 [[ -z "$amd64_deps" ]] && { echo "Error: x86_64 dependency not found"; exit 1; }
+amd64_artifact=$(basename "${amd64_deps}")
 
 amd64_deps_shasum_url="${DEPENDENCY_CLOUDFRONT_URL}/${amd64_deps}.sha512sum"
 amd64_deps_shasum=$(curl -L --fail "${amd64_deps_shasum_url}")
 
+pull_artifact_and_verify_shasum "${DEPENDENCY_CLOUDFRONT_URL}/${amd64_deps}" "${amd64_deps_shasum}"
+
 # Update bundles file with latest artifacts and digests.
 BUNDLES_FILE="${PROJECT_ROOT}/deps/lima-bundles.conf"
 truncate -s 0 "${BUNDLES_FILE}"
 {
     echo "ARTIFACT_BASE_URL=${DEPENDENCY_CLOUDFRONT_URL}"
     echo ""
     echo "AARCH64_ARTIFACT_PATHING=${AARCH64}"
-    echo "AARCH64_ARTIFACT=${aarch64_deps}"
+    echo "AARCH64_ARTIFACT=${aarch64_artifact}"
     echo "AARCH64_512_DIGEST=${aarch64_deps_shasum}"
     echo ""
     echo "X86_64_ARTIFACT_PATHING=${X86_64}"
-    echo "X86_64_ARTIFACT=${amd64_deps}"
+    echo "X86_64_ARTIFACT=${amd64_artifact}"
     echo "X86_64_512_DIGEST=${amd64_deps_shasum}"
 } >> "${BUNDLES_FILE}"
diff --git a/bin/update-os-image.sh b/bin/update-os-image.sh
@@ -31,28 +31,34 @@ done
 
 aarch64_deps=$(find_latest_object_match_from_s3 "${AARCH64_FILENAME_PATTERN}" "${dependency_bucket}")
 [[ -z "$aarch64_deps" ]] && { echo "Error: aarch64 dependency not found"; exit 1; }
+aarch64_artifact=$(basename "${aarch64_deps}")
 
 # Need to pull the shasum of the artifact to store for later verification.
 aarch64_deps_shasum_url="${DEPENDENCY_CLOUDFRONT_URL}/${aarch64_deps}.sha512sum"
 aarch64_deps_shasum=$(curl -L --fail "${aarch64_deps_shasum_url}")
 
+pull_artifact_and_verify_shasum "${DEPENDENCY_CLOUDFRONT_URL}/${aarch64_deps}" "${aarch64_deps_shasum}"
+
 amd64_deps=$(find_latest_object_match_from_s3 "${AMD64_FILENAME_PATTERN}" "${dependency_bucket}")
 [[ -z "$amd64_deps" ]] && { echo "Error: x86_64 dependency not found"; exit 1; }
+amd64_artifact=$(basename "${amd64_deps}")
 
 amd64_deps_shasum_url="${DEPENDENCY_CLOUDFRONT_URL}/${amd64_deps}.sha512sum"
 amd64_deps_shasum=$(curl -L --fail "${amd64_deps_shasum_url}")
 
+pull_artifact_and_verify_shasum "${DEPENDENCY_CLOUDFRONT_URL}/${amd64_deps}" "${amd64_deps_shasum}"
+
 # Update base os file with latest artifacts and digests
 OS_FILE="${PROJECT_ROOT}/deps/full-os.conf"
 truncate -s 0 "${OS_FILE}"
 {
     echo "ARTIFACT_BASE_URL=${DEPENDENCY_CLOUDFRONT_URL}"
     echo ""
     echo "# From https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Cloud/aarch64/images/"
-    echo "AARCH64_ARTIFACT=${aarch64_deps}"
+    echo "AARCH64_ARTIFACT=${aarch64_artifact}"
     echo "AARCH64_512_DIGEST=${aarch64_deps_shasum}"
     echo ""
     echo "# From https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Cloud/x86_64/images/"
-    echo "X86_64_ARTIFACT=${amd64_deps}"
+    echo "X86_64_ARTIFACT=${amd64_artifact}"
     echo "X86_64_512_DIGEST=${amd64_deps_shasum}"
 } >> "${OS_FILE}"
diff --git a/bin/update-rootfs.sh b/bin/update-rootfs.sh
@@ -34,17 +34,20 @@ done
 
 amd64_deps=$(find_latest_object_match_from_s3 "${AMD64_FILENAME_PATTERN}" "${dependency_bucket}/${PLATFORM}/${X86_64}")
 [[ -z "$amd64_deps" ]] && { echo "Error: x86_64 dependency not found"; exit 1; }
+amd64_artifact=$(basename "${amd64_deps}")
 
 amd64_deps_shasum_url="${DEPENDENCY_CLOUDFRONT_URL}/${amd64_deps}.sha512sum"
 amd64_deps_shasum=$(curl -L --fail "${amd64_deps_shasum_url}")
 
+pull_artifact_and_verify_shasum "${DEPENDENCY_CLOUDFRONT_URL}/${amd64_deps}" "${amd64_deps_shasum}"
+
 # Update rootfs file with latest artifacts and digests
 ROOTFS_FILE="${PROJECT_ROOT}/deps/rootfs.conf"
 truncate -s 0 "${ROOTFS_FILE}"
 {
     echo "ARTIFACT_BASE_URL=${DEPENDENCY_CLOUDFRONT_URL}"
     echo ""
     echo "X86_64_ARTIFACT_PATHING=${PLATFORM}/${X86_64}"
-    echo "X86_64_ARTIFACT=${amd64_deps}"
+    echo "X86_64_ARTIFACT=${amd64_artifact}"
     echo "X86_64_512_DIGEST=${amd64_deps_shasum}"
 } >> "${ROOTFS_FILE}"
diff --git a/bin/utility.sh b/bin/utility.sh
@@ -22,3 +22,20 @@ find_latest_object_match_from_s3() {
 
     echo "$object"
 }
+
+# pull_artifact_and_verify_shasum is a function for pulling a Finch core
+# artifact and verifying its shasum.
+#
+# @param artifact_url - URL to artifact
+# @param expected_shasum - the expected SHA512SUM for the artifact
+pull_artifact_and_verify_shasum() {
+    local artifact_url="$1"
+    local expected_shasum="$2"
+
+    local artifact
+    artifact=$(basename "$artifact_url")
+
+    curl -L --fail "${artifact_url}" > "${artifact}"
+    shasum --algorithm 512 "${artifact}" | cut -d ' ' -f 1 | grep -xq "^${expected_shasum}$" || \
+      (echo "error: shasum verification failed for \"${artifact}\" dependency" && rm -f "${artifact}" && exit 1)
+}