Skip to content

Commit ade2052

Browse files
Add checksum validation to hawkeye installation (#785)
Related to apple/container#1869 Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
1 parent 44bec8b commit ade2052

1 file changed

Lines changed: 32 additions & 4 deletions

File tree

scripts/install-hawkeye.sh

Lines changed: 32 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -13,10 +13,38 @@
1313
# See the License for the specific language governing permissions and
1414
# limitations under the License.
1515

16+
set -euo pipefail
17+
1618
if command -v .local/bin/hawkeye >/dev/null 2>&1; then
1719
echo "hawkeye already installed"
18-
else
19-
echo "Installing hawkeye"
20-
export VERSION=v6.5.1
21-
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/korandoru/hawkeye/releases/download/${VERSION}/hawkeye-installer.sh | CARGO_HOME=.local sh -s -- --no-modify-path
20+
exit 0
21+
fi
22+
23+
# This installer supports Apple silicon (arm64 macOS) only.
24+
if [ "$(uname -s)" != "Darwin" ] || [ "$(uname -m)" != "arm64" ]; then
25+
echo "error: install-hawkeye.sh supports Apple silicon (arm64 macOS) only" >&2
26+
exit 1
2227
fi
28+
29+
VERSION=v6.5.1
30+
ARTIFACT="hawkeye-aarch64-apple-darwin.tar.xz"
31+
ARTIFACT_URL="https://github.com/korandoru/hawkeye/releases/download/${VERSION}/${ARTIFACT}"
32+
# Pinned SHA-256 of ${ARTIFACT} for ${VERSION}; update when bumping VERSION.
33+
EXPECTED_SHA256="99777f21e4e56c9946ed93621885532c6a0476377f497565c583f5911f2cbb1f"
34+
35+
echo "Installing hawkeye ${VERSION}"
36+
workdir="$(mktemp -d)"
37+
trap 'rm -rf "${workdir}"' EXIT
38+
tarball="${workdir}/${ARTIFACT}"
39+
40+
# Download the tarball, verify it against the pinned checksum (aborts on
41+
# mismatch), then extract just the hawkeye binary into .local/bin.
42+
curl --proto '=https' --tlsv1.2 -LsSf "${ARTIFACT_URL}" -o "${tarball}"
43+
echo "${EXPECTED_SHA256} ${tarball}" | shasum -a 256 -c -
44+
45+
tar -xf "${tarball}" --strip-components 1 -C "${workdir}"
46+
mkdir -p .local/bin
47+
mv "${workdir}/hawkeye" .local/bin/hawkeye
48+
chmod +x .local/bin/hawkeye
49+
50+
echo "hawkeye ${VERSION} installed to .local/bin/hawkeye"

0 commit comments

Comments
 (0)