|
| 1 | +#!/usr/bin/env bash |
| 2 | +set -euo pipefail |
| 3 | + |
| 4 | +# parameters |
| 5 | +CID_VERSION="${1:?Error: CID_VERSION must be provided}" |
| 6 | +CID_SHA256="${2:?Error: CID_SHA256 must be provided for integrity check}" |
| 7 | +GPG_FINGERPRINT="${3:-}" |
| 8 | + |
| 9 | +# variables |
| 10 | +TMP_DIR="$(mktemp -d)" |
| 11 | +BIN_DIR="/usr/local/bin" |
| 12 | +BASE_URL="${CID_MIRROR_URL:-https://github.com/cidverse/cid/releases/download}" |
| 13 | +BINARY_URL="${BASE_URL}/v${CID_VERSION}/linux_amd64" |
| 14 | +SIG_URL="${BINARY_URL}.asc" |
| 15 | + |
| 16 | +# github actions |
| 17 | +if [[ "${GITHUB_ACTIONS:-}" == "true" ]]; then |
| 18 | + echo "Detected GitHub Actions ..." |
| 19 | + |
| 20 | + TOOL_DIR="${RUNNER_TOOL_CACHE}/cid-${CID_SHA256}" |
| 21 | + BIN_DIR="${TOOL_DIR}/bin" |
| 22 | +fi |
| 23 | + |
| 24 | +# download |
| 25 | +echo "Fetching binary and signature [$CID_VERSION]..." |
| 26 | +curl -sSL -o "$TMP_DIR/cid" "$BINARY_URL" |
| 27 | +curl -sSL -o "$TMP_DIR/cid.asc" "$SIG_URL" |
| 28 | + |
| 29 | +# sha256 integrity |
| 30 | +if [[ -n "${CID_SHA256}" ]]; then |
| 31 | + ACTUAL_SHA256=$(sha256sum "$TMP_DIR/cid" | awk '{print $1}') |
| 32 | + |
| 33 | + if [[ "${ACTUAL_SHA256}" == "${CID_SHA256}" ]]; then |
| 34 | + echo "✅ CID Checksum verification passed. checksum=${ACTUAL_SHA256}" |
| 35 | + else |
| 36 | + echo "❌ CHECKSUM VERIFICATION FAILED!" |
| 37 | + echo "Expected: ${CID_SHA256}" |
| 38 | + echo "Actual: ${ACTUAL_SHA256}" |
| 39 | + exit 1 |
| 40 | + fi |
| 41 | +fi |
| 42 | + |
| 43 | +# gpg verification |
| 44 | +if [[ -n "${GPG_FINGERPRINT}" ]]; then |
| 45 | + if [[ ${#GPG_FINGERPRINT} -lt 40 ]]; then |
| 46 | + echo "❌ Error: GPG_FINGERPRINT is too short (${#GPG_FINGERPRINT}/40 chars)." |
| 47 | + echo "Please provide the full 40-character hex fingerprint." |
| 48 | + exit 1 |
| 49 | + fi |
| 50 | + |
| 51 | + echo "Fetching GPG key ${GPG_FINGERPRINT}..." |
| 52 | + if ! gpg --keyserver hkps://keyserver.ubuntu.com --quiet --recv-keys "$GPG_FINGERPRINT" 2>/dev/null; then |
| 53 | + echo "❌ Error: Could not retrieve key ${GPG_FINGERPRINT} from keyserver." |
| 54 | + exit 1 |
| 55 | + fi |
| 56 | + |
| 57 | + GPG_OUTPUT=$(gpg --verify "$TMP_DIR/cid.asc" "$TMP_DIR/cid" 2>&1) |
| 58 | + GPG_STATUS=$? |
| 59 | + if [ $GPG_STATUS -eq 0 ]; then |
| 60 | + echo "✅ GPG verification successful!" |
| 61 | + echo "Key Fingerprint: ${GPG_FINGERPRINT}" |
| 62 | + echo "$(echo "$GPG_OUTPUT" | grep "Good signature from")" |
| 63 | + else |
| 64 | + echo "❌ GPG VERIFICATION FAILED!" |
| 65 | + echo "---------------------------------------------------" |
| 66 | + echo "$GPG_OUTPUT" |
| 67 | + echo "---------------------------------------------------" |
| 68 | + echo "Possible issues: The file was tampered with, or the signature" |
| 69 | + echo "was not created by the key ${GPG_FINGERPRINT}." |
| 70 | + exit 1 |
| 71 | + fi |
| 72 | +fi |
| 73 | + |
| 74 | +# install binary |
| 75 | +mkdir -p "$BIN_DIR" |
| 76 | +install -m 755 "$TMP_DIR/cid" "$BIN_DIR/cid" |
| 77 | + |
| 78 | +# github actions |
| 79 | +if [[ "${GITHUB_ACTIONS:-}" == "true" ]]; then |
| 80 | + echo "${BIN_DIR}" >> "$GITHUB_PATH" |
| 81 | + echo "CID_VERSION=${CID_VERSION}" >> "$GITHUB_ENV" |
| 82 | +fi |
| 83 | + |
| 84 | +# export to path |
| 85 | +export PATH="${BIN_DIR}:${PATH}" |
| 86 | +echo "CID version: ${CID_VERSION}" |
0 commit comments