Require checksums for prebuilt installers
ci / test (push) Waiting to run
ci / fuzz-smoke (push) Waiting to run
ci / windows-client (push) Waiting to run
ci / package-release (linux-x86_64, ubuntu-latest) (push) Waiting to run
ci / package-release (macos-aarch64, macos-14) (push) Waiting to run
ci / package-release (macos-x86_64, macos-13) (push) Waiting to run
ci / package-release (windows-x86_64, windows-latest) (push) Waiting to run
ci / publish-gitea-release (push) Blocked by required conditions
ci / remote-bench (push) Waiting to run
ci / test (push) Waiting to run
ci / fuzz-smoke (push) Waiting to run
ci / windows-client (push) Waiting to run
ci / package-release (linux-x86_64, ubuntu-latest) (push) Waiting to run
ci / package-release (macos-aarch64, macos-14) (push) Waiting to run
ci / package-release (macos-x86_64, macos-13) (push) Waiting to run
ci / package-release (windows-x86_64, windows-latest) (push) Waiting to run
ci / publish-gitea-release (push) Blocked by required conditions
ci / remote-bench (push) Waiting to run
This commit is contained in:
+1
-2
@@ -185,8 +185,7 @@ function Verify-ArchiveChecksum($Url, $Archive) {
|
|||||||
Invoke-WebRequest -UseBasicParsing -Uri "$Url.sha256" -OutFile $checksumPath
|
Invoke-WebRequest -UseBasicParsing -Uri "$Url.sha256" -OutFile $checksumPath
|
||||||
}
|
}
|
||||||
catch {
|
catch {
|
||||||
Write-Warning "prebuilt checksum unavailable; continuing without sidecar verification"
|
throw "prebuilt checksum unavailable; refusing unverified binary for $Url"
|
||||||
return
|
|
||||||
}
|
}
|
||||||
$expected = ((Get-Content $checksumPath -Raw).Trim() -split "\s+")[0].ToLowerInvariant()
|
$expected = ((Get-Content $checksumPath -Raw).Trim() -split "\s+")[0].ToLowerInvariant()
|
||||||
$actual = (Get-FileHash -Algorithm SHA256 $Archive).Hash.ToLowerInvariant()
|
$actual = (Get-FileHash -Algorithm SHA256 $Archive).Hash.ToLowerInvariant()
|
||||||
|
|||||||
+2
-2
@@ -330,8 +330,8 @@ verify_archive_checksum() {
|
|||||||
archive="$2"
|
archive="$2"
|
||||||
checksum_file="$3"
|
checksum_file="$3"
|
||||||
if ! curl -fsL "$url.sha256" -o "$checksum_file"; then
|
if ! curl -fsL "$url.sha256" -o "$checksum_file"; then
|
||||||
echo "prebuilt checksum unavailable; continuing without sidecar verification" >&2
|
echo "prebuilt checksum unavailable; refusing unverified binary for $url" >&2
|
||||||
return 0
|
return 1
|
||||||
fi
|
fi
|
||||||
expected="$(awk '{print $1}' "$checksum_file" | sed -n '1p')"
|
expected="$(awk '{print $1}' "$checksum_file" | sed -n '1p')"
|
||||||
actual="$(sha256_file "$archive")" || {
|
actual="$(sha256_file "$archive")" || {
|
||||||
|
|||||||
@@ -59,6 +59,25 @@ fn installers_skip_stale_latest_release_prebuilts() {
|
|||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn installers_refuse_prebuilts_without_checksums() {
|
||||||
|
let install = include_str!("../install.sh");
|
||||||
|
assert!(install.contains("verify_archive_checksum"));
|
||||||
|
assert!(install.contains("refusing unverified binary for $url"));
|
||||||
|
assert!(
|
||||||
|
!install.contains("continuing without sidecar verification"),
|
||||||
|
"unix installer must not silently install an unverifiable prebuilt"
|
||||||
|
);
|
||||||
|
|
||||||
|
let ps1 = include_str!("../install.ps1");
|
||||||
|
assert!(ps1.contains("Verify-ArchiveChecksum"));
|
||||||
|
assert!(ps1.contains("refusing unverified binary for $Url"));
|
||||||
|
assert!(
|
||||||
|
!ps1.contains("continuing without sidecar verification"),
|
||||||
|
"windows installer must not silently install an unverifiable prebuilt"
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn package_check_verifies_only_artifacts_it_builds() {
|
fn package_check_verifies_only_artifacts_it_builds() {
|
||||||
let makefile = include_str!("../Makefile");
|
let makefile = include_str!("../Makefile");
|
||||||
|
|||||||
Reference in New Issue
Block a user