
Commit 2a8e7ee

authored
Harden (#40)
* Checksum validation Signed-off-by: Chris Wayne <cwayne18@gmail.com>
1 parent 6ca8ff3 commit 2a8e7ee

3 files changed

Lines changed: 20 additions & 6 deletions


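--- a/Makefile
+++ b/Makefile
@@ -2,8 +2,18 @@ TARGETS := $(shell ls scripts)
 
 .dapper:
 @echo Downloading dapper
-@curl -sL https://releases.rancher.com/dapper/latest/dapper-$$(uname -s)-$$(uname -m) > .dapper.tmp
-@@chmod +x .dapper.tmp
+@DAPPER_BINARY="dapper-$$(uname -s)-$$(uname -m)"; \
+case "$$DAPPER_BINARY" in \
+dapper-Linux-x86_64) DAPPER_SHA256="ff6105ec0a2a973d972810a2dbdb9a6bae65031d286eae082d6779e04e4c2255" ;; \
+dapper-Linux-aarch64) DAPPER_SHA256="cbc133224cca7593482855d8dcdec247288ec83f0fc99fbbe0ad8423260930ff" ;; \
+dapper-Linux-arm) DAPPER_SHA256="5455fb8663fddc41f32feb426aa85599d7595a87ffed5144e89e1ecc88a3586b" ;; \
+dapper-Darwin-x86_64) DAPPER_SHA256="850e5f867d9d04840b64b159a8a74dcb56f964185c4bd6631941df738cbc98b4" ;; \
+dapper-Darwin-arm64) DAPPER_SHA256="ca0a5c32341e6474f9140433110153e0eef304ef74d0a830194428b103e7b52e" ;; \
+*) echo "No pinned SHA256 for dapper on platform: $$DAPPER_BINARY" >&2; exit 1 ;; \
+esac; \
+curl -fsSL "https://releases.rancher.com/dapper/latest/$$DAPPER_BINARY" > .dapper.tmp; \
+echo "$$DAPPER_SHA256 .dapper.tmp" | sha256sum -c -
+@chmod +x .dapper.tmp
 @./.dapper.tmp -v
 @mv .dapper.tmp .dapper
 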
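Review bot: The digests pinned in the `case` arms are checked against a file fetched from the moving `dapper/latest/` URL, so the next upstream dapper release will make `sha256sum -c -` fail on every platform until all five hashes are updated by hand. That fails closed, which is the safe direction, but fetching the release the hashes were taken from keeps the build reproducible: `curl -fsSL "https://releases.rancher.com/dapper/<DAPPER_VERSION>/$$DAPPER_BINARY" > .dapper.tmp; \`, where `<DAPPER_VERSION>` is a placeholder for that release. The two `dapper-Darwin-*` arms also assume a `sha256sum` binary, which a stock macOS install may not provide; `shasum -a 256 -c -` is the usual fallback there. A one-line comment above the `case` recording which dapper release the digests belong to would help whoever rotates them.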

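--- a/scripts/download
+++ b/scripts/download
@@ -25,12 +25,16 @@ if [[ -z "${LOCAL_ARTIFACTS}" ]]; then
 else
 SUFFIX="-${ARCH}"
 fi
-
+pushd artifacts
 if [ -n "${PRIME_RIBS}" ]; then
-curl -sfL -R -o artifacts/k3s https://${PRIME_RIBS}/k3s/${URI_VERSION}/k3s${SUFFIX}
+curl -sfL -R -o "k3s${SUFFIX}" https://${PRIME_RIBS}/k3s/${URI_VERSION}/k3s${SUFFIX}
+curl -sfL -R -o sha256sum-${ARCH}.txt https://${PRIME_RIBS}/k3s/${URI_VERSION}/sha256sum-${ARCH}.txt
 else
-curl -sfL -R -o artifacts/k3s https://github.com/k3s-io/k3s/releases/download/${URI_VERSION}/k3s${SUFFIX}
+curl -sfL -R -o "k3s${SUFFIX}" https://github.com/k3s-io/k3s/releases/download/${URI_VERSION}/k3s${SUFFIX}
+curl -sfL -R -o sha256sum-${ARCH}.txt https://github.com/k3s-io/k3s/releases/download/${URI_VERSION}/sha256sum-${ARCH}.txt
 fi
+grep -E "^[0-9a-f]+ k3s${SUFFIX}$" sha256sum-${ARCH}.txt | sha256sum -c -
+popd
 else
 cp local/* artifacts
 chmod +x artifacts/installer.sh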
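Review bot: The new `grep -E ... | sha256sum -c -` line only aborts the build if the script runs under `set -e`, which is set (or not) outside this hunk, so I would make the failure explicit by appending `|| { echo "k3s${SUFFIX} checksum verification failed" >&2; exit 1; }` to it. The `sha256sum-${ARCH}.txt` file comes from the same host and path as the binary, so this check catches a truncated or corrupted download but does not authenticate the release. A comment above the check saying so would keep readers from treating it as a trust anchor. The binary is also now written as `k3s${SUFFIX}` instead of `k3s`, so any later step that reads `artifacts/k3s` should be checked for architectures where `SUFFIX` is non-empty.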

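--- a/scripts/version
+++ b/scripts/version
@@ -9,7 +9,7 @@ if [ -z "$OS" ]; then
 OS="linux"
 fi
 
-FALLBACK_VERSION=v1.21.13+k3s1
+FALLBACK_VERSION=v1.35.2+k3s1
 
 # This version script expects either a tag of format: <k3s-version> or no tag at all.
 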