diff --git a/cli/scripts/build_rsync.sh b/cli/scripts/build_rsync.sh index f5e3c87..0b56a80 100644 --- a/cli/scripts/build_rsync.sh +++ b/cli/scripts/build_rsync.sh @@ -54,20 +54,33 @@ if command -v gpg >/dev/null 2>&1; then fi if [[ "${verified}" -ne 1 ]]; then - if [[ -n "${RSYNC_TARBALL_SHA256}" ]]; then - echo "verifying sha256 for ${url}" + # Try to fetch official SHA256 first + sha256_url="${url}.sha256" + if curl -fsSL "${sha256_url}" -o "${tmp}/rsync.tar.gz.sha256" 2>/dev/null; then + expected_sha256="$(cat "${tmp}/rsync.tar.gz.sha256" | tr -d ' \n' | cut -d' ' -f1)" + echo "verifying sha256 (from official source) for ${url}" actual_sha256="$(sha256sum "${tmp}/rsync.tar.gz" | cut -d' ' -f1)" - if [[ "${actual_sha256}" == "${RSYNC_TARBALL_SHA256}" ]]; then - echo "${tmp}/rsync.tar.gz: OK" - else + if [[ "${actual_sha256}" != "${expected_sha256}" ]]; then + echo "build-rsync: sha256 mismatch!" >&2 + echo " expected: ${expected_sha256}" >&2 + echo " actual: ${actual_sha256}" >&2 + exit 2 + fi + echo "${tmp}/rsync.tar.gz: OK" + elif [[ -n "${RSYNC_TARBALL_SHA256}" ]]; then + # Fallback to embedded SHA256 + echo "verifying sha256 (embedded fallback) for ${url}" + actual_sha256="$(sha256sum "${tmp}/rsync.tar.gz" | cut -d' ' -f1)" + if [[ "${actual_sha256}" != "${RSYNC_TARBALL_SHA256}" ]]; then echo "build-rsync: sha256 mismatch!" >&2 echo " expected: ${RSYNC_TARBALL_SHA256}" >&2 echo " actual: ${actual_sha256}" >&2 exit 2 fi + echo "${tmp}/rsync.tar.gz: OK" else - echo "build-rsync: could not verify ${url} (no usable gpg signature, and RSYNC_TARBALL_SHA256 is empty)." >&2 - echo "Set RSYNC_TARBALL_SHA256= or install gpg with a trusted key for the rsync signing identity." >&2 + echo "build-rsync: could not verify ${url} (no gpg signature and no SHA256 available)." >&2 + echo "Set RSYNC_TARBALL_SHA256= or install gpg with trusted key." >&2 exit 2 fi fi diff --git a/cli/scripts/build_sqlite.sh b/cli/scripts/build_sqlite.sh index 294e560..94d36cd 100644 
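Review bot: The `expected_sha256` line parses the published checksum with `tr -d ' \n' | cut -d' ' -f1`, but once the spaces are deleted `cut` has nothing to split on, so a file in the usual `sha256sum` format (`HASH  rsync-X.tar.gz`) becomes `HASHrsync-X.tar.gz` and the comparison always fails with a spurious mismatch. The fetched `.sha256` also comes from the same origin over the same connection as the tarball, so it only detects corruption, not substitution — and because this branch now runs before the `RSYNC_TARBALL_SHA256` check, a pinned digest is consulted only when the remote file is missing, which weakens the pin the old code enforced. I would parse the file with `head -n1 | cut -d' ' -f1 | tr -d '[:space:]'`, reject anything that is not 64 hex characters, and fail if a non-empty `RSYNC_TARBALL_SHA256` disagrees with the published digest, as sketched below. Whether the origin actually publishes a `.sha256` beside the tarball is not visible here; if it does not, the `2>/dev/null` on curl means this branch is silently skipped every time and the user never learns why. The gpg verification that sets `verified` begins above this hunk.

```shell
  # Try to fetch official SHA256 first
  sha256_url="${url}.sha256"
  if curl -fsSL "${sha256_url}" -o "${tmp}/rsync.tar.gz.sha256" 2>/dev/null; then
    # NOTE: this digest comes from the same origin as the tarball; it only
    # detects a corrupted download, it is not an independent trust anchor.
    # Accept "HASH" or sha256sum-style "HASH  filename"; reject anything else.
    expected_sha256="$(head -n1 "${tmp}/rsync.tar.gz.sha256" | cut -d' ' -f1 | tr -d '[:space:]')"
    expected_sha256="${expected_sha256,,}"
    if [[ ! "${expected_sha256}" =~ ^[0-9a-f]{64}$ ]]; then
      echo "build-rsync: ${sha256_url} did not contain a valid sha256 digest" >&2
      exit 2
    fi
    # A pinned RSYNC_TARBALL_SHA256 must agree with the published digest.
    if [[ -n "${RSYNC_TARBALL_SHA256}" && "${expected_sha256}" != "${RSYNC_TARBALL_SHA256,,}" ]]; then
      echo "build-rsync: published sha256 does not match pinned RSYNC_TARBALL_SHA256" >&2
      exit 2
    fi
    # … unchanged: sha256sum comparison of the tarball against expected_sha256 …
```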
--- a/cli/scripts/build_sqlite.sh +++ b/cli/scripts/build_sqlite.sh @@ -30,13 +30,26 @@ if [[ ! -f "${out_dir}/sqlite3.c" ]]; then trap cleanup EXIT url="${SQLITE_SRC_BASE}/sqlite-amalgamation-${SQLITE_VERSION}.zip" + checksum_url="${url}.sha256" echo "Fetching ${url}" curl -fsSL "${url}" -o "${tmp}/sqlite.zip" - # Verify SHA256 if provided - if [[ -n "${SQLITE_SHA256}" ]]; then + # Fetch and verify SHA256 from official source + if curl -fsSL "${checksum_url}" -o "${tmp}/sqlite.zip.sha256" 2>/dev/null; then + expected_sha256="$(cat "${tmp}/sqlite.zip.sha256" | tr -d ' \n' | cut -d' ' -f1)" echo "verifying sha256 for ${url}" actual_sha256="$(sha256sum "${tmp}/sqlite.zip" | cut -d' ' -f1)" + if [[ "${actual_sha256}" != "${expected_sha256}" ]]; then + echo "build-sqlite: sha256 mismatch!" >&2 + echo " expected: ${expected_sha256}" >&2 + echo " actual: ${actual_sha256}" >&2 + exit 2 + fi + echo "${tmp}/sqlite.zip: OK" + elif [[ -n "${SQLITE_SHA256}" ]]; then + # Fallback to embedded SHA256 if official checksum unavailable + echo "verifying sha256 (embedded fallback) for ${url}" + actual_sha256="$(sha256sum "${tmp}/sqlite.zip" | cut -d' ' -f1)" if [[ "${actual_sha256}" != "${SQLITE_SHA256}" ]]; then echo "build-sqlite: sha256 mismatch!" >&2 echo " expected: ${SQLITE_SHA256}" >&2 @@ -44,6 +57,8 @@ if [[ ! -f "${out_dir}/sqlite3.c" ]]; then exit 2 fi echo "${tmp}/sqlite.zip: OK" + else + echo "build-sqlite: warning - no SHA256 verification available" >&2 fi unzip -q "${tmp}/sqlite.zip" -d "${tmp}"
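Review bot: The new `expected_sha256` parse has the same defect as the rsync script: `tr -d ' \n'` runs before `cut -d' ' -f1`, so a `sha256sum`-style `HASH  sqlite-amalgamation-X.zip` line collapses to `HASHsqlite-amalgamation-X.zip` and can never equal `actual_sha256`, turning a perfectly good download into a hard `exit 2`. Use `expected_sha256="$(head -n1 "${tmp}/sqlite.zip.sha256" | cut -d' ' -f1 | tr -d '[:space:]')"` and guard it with `[[ "${expected_sha256}" =~ ^[0-9a-fA-F]{64}$ ]]` before comparing, so an empty or HTML error body fails with a clear message rather than a confusing mismatch. Separately, the same-origin `.sha256` is now preferred over the pinned `SQLITE_SHA256`, so the digest a maintainer deliberately embedded is only consulted when the remote file is absent; I would swap the two branches so a non-empty `SQLITE_SHA256` is always enforced and treat the downloaded digest as a corruption check only, since it travels over the same channel an attacker would need to control to replace the zip. The enclosing `if [[ ! -f "${out_dir}/sqlite3.c" ]]` block starts above this hunk.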
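Review bot: The new `else` branch only prints a warning and then falls through to `unzip`, so when neither the published `.sha256` nor `SQLITE_SHA256` is available the archive is extracted and compiled completely unverified, while `build_rsync.sh` in the same commit exits 2 in exactly that situation. Failing open here makes the sqlite amalgamation the weakest link of the build; I would mirror the rsync behaviour with `echo "build-sqlite: could not verify ${url} (no SHA256 available). Set SQLITE_SHA256=." >&2` followed by `exit 2`. If unverified builds must remain possible for some workflow, that should be an explicit opt-in rather than the default path. The surrounding `if [[ ! -f "${out_dir}/sqlite3.c" ]]` block continues past this hunk.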