Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 10 additions & 4 deletions backend/cli/script/build.ts
Original file line number Diff line number Diff line change
Expand Up @@ -207,15 +207,21 @@ for (const item of targets) {
}

if (Script.release) {
const checksums: string[] = []
for (const key of Object.keys(binaries)) {
const archiveName = key.replace(`${pkg.name}-`, "openscience-")
const archiveName = key.replace(`${pkg.name}-`, "openscience-") + (key.includes("linux") ? ".tar.gz" : ".zip")
if (key.includes("linux")) {
await $`tar -czf ${path.resolve(dir, `dist/${archiveName}.tar.gz`)} *`.cwd(`dist/${key}/bin`)
await $`tar -czf ${path.resolve(dir, `dist/${archiveName}`)} *`.cwd(`dist/${key}/bin`)
} else {
await $`zip -r ${path.resolve(dir, `dist/${archiveName}.zip`)} *`.cwd(`dist/${key}/bin`)
await $`zip -r ${path.resolve(dir, `dist/${archiveName}`)} *`.cwd(`dist/${key}/bin`)
}
const bytes = await Bun.file(path.resolve(dir, `dist/${archiveName}`)).arrayBuffer()
const hash = new Bun.CryptoHasher("sha256").update(bytes).digest("hex")
checksums.push(`${hash} ${archiveName}`)
}
await $`gh release upload v${Script.version} ./dist/*.zip ./dist/*.tar.gz --clobber`
// sha256sum-compatible manifest; the install script verifies against it
await Bun.write(path.resolve(dir, "dist/checksums.txt"), checksums.join("\n") + "\n")
await $`gh release upload v${Script.version} ./dist/*.zip ./dist/*.tar.gz ./dist/checksums.txt --clobber`
}

export { binaries }
26 changes: 26 additions & 0 deletions frontend/landing/public/install
Original file line number Diff line number Diff line change
Expand Up @@ -331,6 +331,32 @@ download_and_install() {
exit 1
fi

# Verify against the release's checksums.txt when a sha256 tool exists.
# Releases published before checksums.txt simply skip verification.
local shatool=""
if command -v sha256sum >/dev/null 2>&1; then
shatool="sha256sum"
elif command -v shasum >/dev/null 2>&1; then
shatool="shasum -a 256"
fi
if [ -n "$shatool" ]; then
local checksums_url="${url%/*}/checksums.txt"
local expected
expected=$(curl -fsSL "$checksums_url" 2>/dev/null | awk -v f="$filename" '$2 == f {print $1}') || expected=""
if [ -n "$expected" ]; then
local actual
actual=$($shatool "$tmp_dir/$filename" | awk '{print $1}')
if [ "$actual" != "$expected" ]; then
echo -e "${RED}Checksum mismatch for ${filename}${NC}"
echo -e "${MUTED}expected: ${expected}${NC}"
echo -e "${MUTED}actual: ${actual}${NC}"
rm -rf "$tmp_dir"
exit 1
fi
print_message info "${MUTED}Checksum verified${NC}"
fi
fi

if [ "$os" = "linux" ]; then
tar -xzf "$tmp_dir/$filename" -C "$tmp_dir"
else
Expand Down
26 changes: 26 additions & 0 deletions install
Original file line number Diff line number Diff line change
Expand Up @@ -331,6 +331,32 @@ download_and_install() {
exit 1
fi

# Verify against the release's checksums.txt when a sha256 tool exists.
# Releases published before checksums.txt simply skip verification.
local shatool=""
if command -v sha256sum >/dev/null 2>&1; then
shatool="sha256sum"
elif command -v shasum >/dev/null 2>&1; then
shatool="shasum -a 256"
fi
if [ -n "$shatool" ]; then
local checksums_url="${url%/*}/checksums.txt"
local expected
expected=$(curl -fsSL "$checksums_url" 2>/dev/null | awk -v f="$filename" '$2 == f {print $1}') || expected=""
if [ -n "$expected" ]; then
local actual
actual=$($shatool "$tmp_dir/$filename" | awk '{print $1}')
if [ "$actual" != "$expected" ]; then
echo -e "${RED}Checksum mismatch for ${filename}${NC}"
echo -e "${MUTED}expected: ${expected}${NC}"
echo -e "${MUTED}actual: ${actual}${NC}"
rm -rf "$tmp_dir"
exit 1
fi
print_message info "${MUTED}Checksum verified${NC}"
fi
fi

if [ "$os" = "linux" ]; then
tar -xzf "$tmp_dir/$filename" -C "$tmp_dir"
else
Expand Down
Loading