Check integrity of downloaded binaries (#2723)

Usually package managers perform this check but we need to do it ourselves for custom binaries.
2025-08-30 23:59:22 +09:00
parent eaa2a90a56
commit 709cdfc604
2 changed files with 20 additions and 4 deletions
--- a/.github/workflows/linux-ci-helper.sh
+++ b/.github/workflows/linux-ci-helper.sh
@ -57,7 +57,10 @@ CONTAINER_OSNAME=$(echo "${CONTAINER_FULLNAME}" | cut -d: -f1)
 # shellcheck disable=SC2034
 CONTAINER_OSVERSION=$(echo "${CONTAINER_FULLNAME}" | cut -d: -f2)

-CURL_DIRECT_URL="https://github.com/moparisthebest/static-curl/releases/latest/download/curl-$(uname -m | sed -e s/x86_64/amd64/)"
+CURL_DIRECT_VERSION="v8.11.0"
+CURL_DIRECT_URL="https://github.com/moparisthebest/static-curl/releases/download/${CURL_DIRECT_VERSION}/curl-$(uname -m | sed -e s/x86_64/amd64/)"
+CURL_HASH_X86_64="d18aa1f4e03b50b649491ca2c401cd8c5e89e72be91ff758952ad2ab5a83135d"
+CURL_HASH_AARCH64="1b050abd1669f9a2ac29b34eb022cdeafb271dce5a4fb57d8ef8fadff6d7be1f"

 #-----------------------------------------------------------
 # Parameters for configure(set environments)
@ -368,7 +371,14 @@ java -version
 if [ "${CURL_DIRECT_INSTALL}" -eq 1 ]; then
    echo "${PRGNAME} [INFO] Install newer curl package."

-    curl --fail --location --silent --output "/usr/local/bin/curl" "${CURL_DIRECT_URL}"
+    curl --fail --location --silent --output "/tmp/curl" "${CURL_DIRECT_URL}"
+    case "$(uname -m)" in
+        x86_64)  curl_hash="$CURL_HASH_X86_64" ;;
+        aarch64) curl_hash="$CURL_HASH_AARCH64" ;;
+        *)       exit 1 ;;
+    esac
+    echo "$curl_hash" "/tmp/curl" | sha256sum --check
+    mv "/tmp/curl" "/usr/local/bin/curl"
    chmod +x "/usr/local/bin/curl"

    # Rocky Linux 8 and 9 have a different certificate path
--- a/test/integration-test-common.sh
+++ b/test/integration-test-common.sh
@ -90,9 +90,11 @@ export TEST_SCRIPT_DIR
 export TEST_BUCKET_MOUNT_POINT_1=${TEST_BUCKET_1}

 S3PROXY_VERSION="2.7.0"
+S3PROXY_HASH="1a13c27f78902b57db871a2e638f520f439811b1c98b2208ff71ba64b61c4f3f"
 S3PROXY_BINARY="${S3PROXY_BINARY-"s3proxy-${S3PROXY_VERSION}"}"

 CHAOS_HTTP_PROXY_VERSION="1.1.0"
+CHAOS_HTTP_PROXY_HASH="9ad1b9ac6569e99b2db3e7edfdd78fae0ea5c83069beccdf6bceebc848add2e7"
 CHAOS_HTTP_PROXY_BINARY="chaos-http-proxy-${CHAOS_HTTP_PROXY_VERSION}"

 PJDFSTEST_HASH="c711b5f6b666579846afba399a998f74f60c488b"
@ -159,7 +161,9 @@ function start_s3proxy {
    then
        if [ ! -e "${S3PROXY_BINARY}" ]; then
            curl "https://github.com/gaul/s3proxy/releases/download/s3proxy-${S3PROXY_VERSION}/s3proxy" \
-                --fail --location --silent --output "${S3PROXY_BINARY}"
+                --fail --location --silent --output "/tmp/${S3PROXY_BINARY}"
+            echo "$S3PROXY_HASH" "/tmp/${S3PROXY_BINARY}" | sha256sum --check
+            mv "/tmp/${S3PROXY_BINARY}" "${S3PROXY_BINARY}"
            chmod +x "${S3PROXY_BINARY}"
        fi

@ -187,7 +191,9 @@ function start_s3proxy {
    if [ -n "${CHAOS_HTTP_PROXY}" ] || [ -n "${CHAOS_HTTP_PROXY_OPT}" ]; then
        if [ ! -e "${CHAOS_HTTP_PROXY_BINARY}" ]; then
            curl "https://github.com/bouncestorage/chaos-http-proxy/releases/download/chaos-http-proxy-${CHAOS_HTTP_PROXY_VERSION}/chaos-http-proxy" \
-                --fail --location --silent --output "${CHAOS_HTTP_PROXY_BINARY}"
+                --fail --location --silent --output "/tmp/${CHAOS_HTTP_PROXY_BINARY}"
+            echo "$CHAOS_HTTP_PROXY_HASH" "/tmp/${CHAOS_HTTP_PROXY_BINARY}" | sha256sum --check
+            mv "/tmp/${CHAOS_HTTP_PROXY_BINARY}" "${CHAOS_HTTP_PROXY_BINARY}"
            chmod +x "${CHAOS_HTTP_PROXY_BINARY}"
        fi