From 709cdfc60475945ca812ff348f11753f68e739f4 Mon Sep 17 00:00:00 2001 From: Andrew Gaul Date: Sat, 30 Aug 2025 23:59:22 +0900 Subject: [PATCH] Check integrity of downloaded binaries (#2723) Usually package managers perform this check but we need to do it ourselves for custom binaries. --- .github/workflows/linux-ci-helper.sh | 14 ++++++++++++-- test/integration-test-common.sh | 10 ++++++++-- 2 files changed, 20 insertions(+), 4 deletions(-) diff --git a/.github/workflows/linux-ci-helper.sh b/.github/workflows/linux-ci-helper.sh index 3e5e8b5..1e1fc7d 100755 --- a/.github/workflows/linux-ci-helper.sh +++ b/.github/workflows/linux-ci-helper.sh @@ -57,7 +57,10 @@ CONTAINER_OSNAME=$(echo "${CONTAINER_FULLNAME}" | cut -d: -f1) # shellcheck disable=SC2034 CONTAINER_OSVERSION=$(echo "${CONTAINER_FULLNAME}" | cut -d: -f2) -CURL_DIRECT_URL="https://github.com/moparisthebest/static-curl/releases/latest/download/curl-$(uname -m | sed -e s/x86_64/amd64/)" +CURL_DIRECT_VERSION="v8.11.0" +CURL_DIRECT_URL="https://github.com/moparisthebest/static-curl/releases/download/${CURL_DIRECT_VERSION}/curl-$(uname -m | sed -e s/x86_64/amd64/)" +CURL_HASH_X86_64="d18aa1f4e03b50b649491ca2c401cd8c5e89e72be91ff758952ad2ab5a83135d" +CURL_HASH_AARCH64="1b050abd1669f9a2ac29b34eb022cdeafb271dce5a4fb57d8ef8fadff6d7be1f" #----------------------------------------------------------- # Parameters for configure(set environments) 
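Review bot: The new `CURL_HASH_X86_64`/`CURL_HASH_AARCH64` constants say nothing about what they digest or how to regenerate them, yet they are bound to `CURL_DIRECT_VERSION` two lines above, so a future version bump that leaves them untouched only fails later at install time. A comment above them such as `# SHA-256 of the curl-amd64 / curl-aarch64 release assets for CURL_DIRECT_VERSION; regenerate both whenever the version changes.` would make that coupling explicit. The architecture is also resolved twice: here via `uname -m | sed -e s/x86_64/amd64/` inside the URL, and again with a second `uname -m` in the `CURL_DIRECT_INSTALL` hunk (@@ -368,7 +371,14 @@); computing it once into a variable and keying both the URL and the hash lookup on it removes any chance of the two disagreeing.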
@@ -368,7 +371,14 @@ java -version if [ "${CURL_DIRECT_INSTALL}" -eq 1 ]; then echo "${PRGNAME} [INFO] Install newer curl package." - curl --fail --location --silent --output "/usr/local/bin/curl" "${CURL_DIRECT_URL}" + curl --fail --location --silent --output "/tmp/curl" "${CURL_DIRECT_URL}" + case "$(uname -m)" in + x86_64) curl_hash="$CURL_HASH_X86_64" ;; + aarch64) curl_hash="$CURL_HASH_AARCH64" ;; + *) exit 1 ;; + esac + echo "$curl_hash" "/tmp/curl" | sha256sum --check + mv "/tmp/curl" "/usr/local/bin/curl" chmod +x "/usr/local/bin/curl" # Rocky Linux 8 and 9 have a different certificate path diff --git a/test/integration-test-common.sh b/test/integration-test-common.sh index cfa6c42..c3eb680 100644 --- a/test/integration-test-common.sh +++ b/test/integration-test-common.sh @@ -90,9 +90,11 @@ export TEST_SCRIPT_DIR export TEST_BUCKET_MOUNT_POINT_1=${TEST_BUCKET_1} S3PROXY_VERSION="2.7.0" +S3PROXY_HASH="1a13c27f78902b57db871a2e638f520f439811b1c98b2208ff71ba64b61c4f3f" S3PROXY_BINARY="${S3PROXY_BINARY-"s3proxy-${S3PROXY_VERSION}"}" CHAOS_HTTP_PROXY_VERSION="1.1.0" +CHAOS_HTTP_PROXY_HASH="9ad1b9ac6569e99b2db3e7edfdd78fae0ea5c83069beccdf6bceebc848add2e7" CHAOS_HTTP_PROXY_BINARY="chaos-http-proxy-${CHAOS_HTTP_PROXY_VERSION}" PJDFSTEST_HASH="c711b5f6b666579846afba399a998f74f60c488b" @@ -159,7 +161,9 @@ function start_s3proxy { then if [ ! -e "${S3PROXY_BINARY}" ]; then curl "https://github.com/gaul/s3proxy/releases/download/s3proxy-${S3PROXY_VERSION}/s3proxy" \ - --fail --location --silent --output "${S3PROXY_BINARY}" + --fail --location --silent --output "/tmp/${S3PROXY_BINARY}" + echo "$S3PROXY_HASH" "/tmp/${S3PROXY_BINARY}" | sha256sum --check + mv "/tmp/${S3PROXY_BINARY}" "${S3PROXY_BINARY}" chmod +x "${S3PROXY_BINARY}" fi 
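Review bot: The integrity check `echo "$curl_hash" "/tmp/curl" | sha256sum --check` only stops the `mv` on the next line from installing a mismatched binary if this script runs under `set -e`, which is not visible in the hunk; without it a failed check is merely printed and the file is installed anyway. Making the abort explicit, `echo "$curl_hash" "/tmp/curl" | sha256sum --check || exit 1`, keeps the guarantee independent of shell options, and the same pattern appears in the two download hunks of test/integration-test-common.sh (@@ -159 and @@ -187). The `*) exit 1 ;;` arm also exits without any diagnostic; `*) echo "${PRGNAME} [ERROR] Unsupported architecture: $(uname -m)" >&2; exit 1 ;;` would follow the `${PRGNAME} [INFO]` message style the script already uses. The enclosing `if [ "${CURL_DIRECT_INSTALL}" -eq 1 ]` block closes outside the hunk.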
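Review bot: `S3PROXY_HASH` and `CHAOS_HTTP_PROXY_HASH` are SHA-256 digests of downloaded release binaries, but nothing near them says so or ties them to `S3PROXY_VERSION` and `CHAOS_HTTP_PROXY_VERSION`, so a version bump that forgets the digest only surfaces as a failed `sha256sum --check` at test time. The neighbouring `PJDFSTEST_HASH` is a 40-hex value, which by its length looks like a git commit id rather than a file digest, so the shared `_HASH` suffix now names two different kinds of value. A one-line comment above each new constant, e.g. `# SHA-256 of the s3proxy release binary for S3PROXY_VERSION; update together with the version.`, would remove the ambiguity without renaming anything.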
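Review bot: The download now lands at the fixed, predictable path `/tmp/${S3PROXY_BINARY}` in a shared world-writable directory, where `curl --output` writes through whatever already exists there (including a symlink left by another user or an earlier run), and a rejected file is left behind when the check fails. `S3PROXY_BINARY` is also user-overridable (see the `${S3PROXY_BINARY-...}` default in the @@ -90 hunk), so a value with a directory component turns `/tmp/${S3PROXY_BINARY}` into a non-existent path and the download fails before the check runs. Creating the temporary file with `mktemp` next to the final location, verifying it there and removing it on mismatch avoids all three problems; the same applies to the chaos-http-proxy hunk (@@ -187) in this file. `start_s3proxy` begins and ends outside the hunk.
```shell
        if [ ! -e "${S3PROXY_BINARY}" ]; then
            tmp_binary=$(mktemp "${S3PROXY_BINARY}.XXXXXX") || return 1
            curl "https://github.com/gaul/s3proxy/releases/download/s3proxy-${S3PROXY_VERSION}/s3proxy" \
                --fail --location --silent --output "${tmp_binary}"
            echo "$S3PROXY_HASH" "${tmp_binary}" | sha256sum --check || { rm -f -- "${tmp_binary}"; return 1; }
            mv "${tmp_binary}" "${S3PROXY_BINARY}"
            # … unchanged: chmod +x …
```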
@@ -187,7 +191,9 @@ function start_s3proxy { if [ -n "${CHAOS_HTTP_PROXY}" ] || [ -n "${CHAOS_HTTP_PROXY_OPT}" ]; then if [ ! -e "${CHAOS_HTTP_PROXY_BINARY}" ]; then curl "https://github.com/bouncestorage/chaos-http-proxy/releases/download/chaos-http-proxy-${CHAOS_HTTP_PROXY_VERSION}/chaos-http-proxy" \ - --fail --location --silent --output "${CHAOS_HTTP_PROXY_BINARY}" + --fail --location --silent --output "/tmp/${CHAOS_HTTP_PROXY_BINARY}" + echo "$CHAOS_HTTP_PROXY_HASH" "/tmp/${CHAOS_HTTP_PROXY_BINARY}" | sha256sum --check + mv "/tmp/${CHAOS_HTTP_PROXY_BINARY}" "${CHAOS_HTTP_PROXY_BINARY}" chmod +x "${CHAOS_HTTP_PROXY_BINARY}" fi