refactor(build): fetch SHA256 from official sources
- SQLite: fetch from sqlite.org/<YEAR>/<file>.zip.sha256 with embedded fallback
- Rsync: fetch from download.samba.org/.../<file>.tar.gz.sha256 with embedded fallback
- Remove the hardcoded SHA256 requirement when official checksums are available
This commit is contained in:
parent
2d66a85abc
commit
39bf466737
2 changed files with 37 additions and 9 deletions
|
|
@ -54,20 +54,33 @@ if command -v gpg >/dev/null 2>&1; then
|
|||
fi
|
||||
|
||||
if [[ "${verified}" -ne 1 ]]; then
|
||||
if [[ -n "${RSYNC_TARBALL_SHA256}" ]]; then
|
||||
echo "verifying sha256 for ${url}"
|
||||
# Try to fetch official SHA256 first
|
||||
sha256_url="${url}.sha256"
|
||||
if curl -fsSL "${sha256_url}" -o "${tmp}/rsync.tar.gz.sha256" 2>/dev/null; then
|
||||
expected_sha256="$(cat "${tmp}/rsync.tar.gz.sha256" | tr -d ' \n' | cut -d' ' -f1)"
|
||||
echo "verifying sha256 (from official source) for ${url}"
|
||||
actual_sha256="$(sha256sum "${tmp}/rsync.tar.gz" | cut -d' ' -f1)"
|
||||
if [[ "${actual_sha256}" == "${RSYNC_TARBALL_SHA256}" ]]; then
|
||||
echo "${tmp}/rsync.tar.gz: OK"
|
||||
else
|
||||
if [[ "${actual_sha256}" != "${expected_sha256}" ]]; then
|
||||
echo "build-rsync: sha256 mismatch!" >&2
|
||||
echo " expected: ${expected_sha256}" >&2
|
||||
echo " actual: ${actual_sha256}" >&2
|
||||
exit 2
|
||||
fi
|
||||
echo "${tmp}/rsync.tar.gz: OK"
|
||||
elif [[ -n "${RSYNC_TARBALL_SHA256}" ]]; then
|
||||
# Fallback to embedded SHA256
|
||||
echo "verifying sha256 (embedded fallback) for ${url}"
|
||||
actual_sha256="$(sha256sum "${tmp}/rsync.tar.gz" | cut -d' ' -f1)"
|
||||
if [[ "${actual_sha256}" != "${RSYNC_TARBALL_SHA256}" ]]; then
|
||||
echo "build-rsync: sha256 mismatch!" >&2
|
||||
echo " expected: ${RSYNC_TARBALL_SHA256}" >&2
|
||||
echo " actual: ${actual_sha256}" >&2
|
||||
exit 2
|
||||
fi
|
||||
echo "${tmp}/rsync.tar.gz: OK"
|
||||
else
|
||||
echo "build-rsync: could not verify ${url} (no usable gpg signature, and RSYNC_TARBALL_SHA256 is empty)." >&2
|
||||
echo "Set RSYNC_TARBALL_SHA256=<expected sha256> or install gpg with a trusted key for the rsync signing identity." >&2
|
||||
echo "build-rsync: could not verify ${url} (no gpg signature and no SHA256 available)." >&2
|
||||
echo "Set RSYNC_TARBALL_SHA256=<expected sha256> or install gpg with trusted key." >&2
|
||||
exit 2
|
||||
fi
|
||||
fi
|
||||
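Review bot: When the `${url}.sha256` fetch at `if curl -fsSL "${sha256_url}"` succeeds, the new branch compares only against the fetched value, so an operator-pinned `RSYNC_TARBALL_SHA256` is ignored even though that checksum comes from the same host and channel as the tarball and therefore only catches corruption, not substitution. Right after `expected_sha256=` is assigned I would add `if [[ -n "${RSYNC_TARBALL_SHA256}" && "${expected_sha256}" != "${RSYNC_TARBALL_SHA256}" ]]; then echo "build-rsync: fetched sha256 does not match pinned RSYNC_TARBALL_SHA256" >&2; exit 2; fi`. On that same line, `tr -d ' \n'` strips every space before `cut -d' ' -f1` runs, so the cut is a no-op and a checksum file in `sha256sum` "hash  filename" layout yields hash plus filename and always mismatches; `expected_sha256="$(awk '{print $1; exit}' "${tmp}/rsync.tar.gz.sha256")"` reads the first field, and a `[[ "${expected_sha256}" =~ ^[0-9a-f]{64}$ ]]` guard would give a clear error when the body is not a hash. The sqlite hunk at `@ -30,13 +30,26 @@` has the same two issues with `SQLITE_SHA256` and `sqlite.zip.sha256`. The `verified` flag tested at the top of this block is set in the gpg block that starts before the hunk.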
|
|
|
|||
|
|
@ -30,13 +30,26 @@ if [[ ! -f "${out_dir}/sqlite3.c" ]]; then
|
|||
trap cleanup EXIT
|
||||
|
||||
url="${SQLITE_SRC_BASE}/sqlite-amalgamation-${SQLITE_VERSION}.zip"
|
||||
checksum_url="${url}.sha256"
|
||||
echo "Fetching ${url}"
|
||||
curl -fsSL "${url}" -o "${tmp}/sqlite.zip"
|
||||
|
||||
# Verify SHA256 if provided
|
||||
if [[ -n "${SQLITE_SHA256}" ]]; then
|
||||
# Fetch and verify SHA256 from official source
|
||||
if curl -fsSL "${checksum_url}" -o "${tmp}/sqlite.zip.sha256" 2>/dev/null; then
|
||||
expected_sha256="$(cat "${tmp}/sqlite.zip.sha256" | tr -d ' \n' | cut -d' ' -f1)"
|
||||
echo "verifying sha256 for ${url}"
|
||||
actual_sha256="$(sha256sum "${tmp}/sqlite.zip" | cut -d' ' -f1)"
|
||||
if [[ "${actual_sha256}" != "${expected_sha256}" ]]; then
|
||||
echo "build-sqlite: sha256 mismatch!" >&2
|
||||
echo " expected: ${expected_sha256}" >&2
|
||||
echo " actual: ${actual_sha256}" >&2
|
||||
exit 2
|
||||
fi
|
||||
echo "${tmp}/sqlite.zip: OK"
|
||||
elif [[ -n "${SQLITE_SHA256}" ]]; then
|
||||
# Fallback to embedded SHA256 if official checksum unavailable
|
||||
echo "verifying sha256 (embedded fallback) for ${url}"
|
||||
actual_sha256="$(sha256sum "${tmp}/sqlite.zip" | cut -d' ' -f1)"
|
||||
if [[ "${actual_sha256}" != "${SQLITE_SHA256}" ]]; then
|
||||
echo "build-sqlite: sha256 mismatch!" >&2
|
||||
echo " expected: ${SQLITE_SHA256}" >&2
|
||||
|
|
@ -44,6 +57,8 @@ if [[ ! -f "${out_dir}/sqlite3.c" ]]; then
|
|||
exit 2
|
||||
fi
|
||||
echo "${tmp}/sqlite.zip: OK"
|
||||
else
|
||||
echo "build-sqlite: warning - no SHA256 verification available" >&2
|
||||
fi
|
||||
|
||||
unzip -q "${tmp}/sqlite.zip" -d "${tmp}"
|
||||
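Review bot: The new `else` branch at `echo "build-sqlite: warning - no SHA256 verification available"` only warns and then falls through to `unzip`, so when the `.sha256` fetch fails and `SQLITE_SHA256` is empty the build proceeds on an unverified download; the rsync script's equivalent branch exits 2, and a build that embeds the source into a shipped binary should fail closed the same way. I would replace the warning with `echo "build-sqlite: could not verify ${url} (no official checksum and SQLITE_SHA256 is empty)." >&2` followed by `exit 2`, and make any opt-out an explicit operator choice rather than the default. The `if [[ ! -f "${out_dir}/sqlite3.c" ]]` block this sits in starts before the hunk.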
|