Install scripts should always fetch and verify checksums.

ActiveState · Oct 17, 2023 · 697cfa9 · 697cfa9
1 parent 923f5b4
commit 697cfa9
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 40 deletions.
diff --git a/installers/install.ps1 b/installers/install.ps1
@@ -113,40 +113,50 @@ function error([string] $msg)
     Write-Host $msg -ForegroundColor Red
 }
 
-if (!$script:VERSION) {
+$version = $script:VERSION
+if (!$version) {
     # If the user did not specify a version, formulate a query to fetch the JSON info of the latest
     # version, including where it is.
     $jsonURL = "$script:BASEINFOURL/?channel=$script:CHANNEL&platform=windows&source=install"
-} elseif (!($script:VERSION | Select-String -Pattern "-SHA" -SimpleMatch)) {
+} elseif (!($version | Select-String -Pattern "-SHA" -SimpleMatch)) {
     # If the user specified a partial version (i.e. no SHA), formulate a query to fetch the JSON
     # info of that version's latest SHA, including where it is.
-    $jsonURL = "$script:BASEINFOURL/?channel=$script:CHANNEL&platform=windows&source=install&target-version=$script:VERSION"
+    $versionNoSHA = $version
+    $version = ""
+    $jsonURL = "$script:BASEINFOURL/?channel=$script:CHANNEL&platform=windows&source=install&target-version=$versionNoSHA"
+} else {
+    # If the user specified a full version with SHA, formulate a query to fetch the JSON info of
+    # that version.
+    $versionNoSHA = $version -replace "-SHA.*", ""
+    $jsonURL = "$script:BASEINFOURL/?channel=$script:CHANNEL&platform=windows&source=install&target-version=$versionNoSHA"
 }
 
-if ($jsonURL) {
-    # If the user specified no version or a partial version we need to use the json URL to get the
-    # actual installer URL.
-    try {
-        $infoJson = ConvertFrom-Json -InputObject (download $jsonURL)
-    } catch [System.Exception] {
-    }
-    if (!$infoJson) {
-      if (!$script:VERSION) {
+# Fetch version info.
+try {
+    $infoJson = ConvertFrom-Json -InputObject (download $jsonURL)
+} catch [System.Exception] {
+}
+if (!$infoJson) {
+    if (!$version) {
         Write-Error "Unable to retrieve the latest version number"
-      } else {
+    } else {
         Write-Error "Could not download a State Tool Installer for the given command line arguments"
-      }
-      Write-Error $_.Exception.Message
-      exit 1
     }
+    Write-Error $_.Exception.Message
+    exit 1
+}
+
+# Extract checksum.
+$checksum = $infoJson.Sha256
+
+if (!$version) {
+    # If the user specified no version or a partial version we need to use the json URL to get the
+    # actual installer URL.
     $version = $infoJson.Version
-    $checksum = $infoJson.Sha256
     $relUrl = $infoJson.Path
 } else {
-    # If the user specified a full version, strip the SHA to get the folder name of the installer
-    # URL. Then we can construct the installer URL.
-    $versionNoSHA = $script:VERSION -replace "-SHA.*", ""
-    $relUrl = "$script:CHANNEL/$versionNoSHA/windows-amd64/state-windows-amd64-$script:VERSION.zip"
+    # If the user specified a full version, construct the installer URL.
+    $relUrl = "$script:CHANNEL/$versionNoSHA/windows-amd64/state-windows-amd64-$version.zip"
 }
 
 # Fetch the requested or latest version.
@@ -167,9 +177,9 @@ catch [System.Exception]
     exit 1
 }
 
-# Verify checksum if possible.
+# Verify checksum.
 $hash = (Get-FileHash -Path $zipPath -Algorithm SHA256).Hash
-if ($checksum -and $hash -ne $checksum)
+if ($hash -ne $checksum)
 {
     Write-Warning "SHA256 sum did not match:"
     Write-Warning "Expected: $checksum"

diff --git a/installers/install.sh b/installers/install.sh
@@ -117,35 +117,42 @@ if [ -z "$VERSION" ]; then
 elif [ -z "`echo $VERSION | grep -o '\-SHA'`" ]; then
   # If the user specified a partial version (i.e. no SHA), formulate a query to fetch the JSON info
   # of that version's latest SHA, including where it is.
-  JSONURL="$BASE_INFO_URL?channel=$CHANNEL&source=install&platform=$OS&target-version=$VERSION"
+  VERSIONNOSHA="$VERSION"
+  VERSION=""
+  JSONURL="$BASE_INFO_URL?channel=$CHANNEL&source=install&platform=$OS&target-version=$VERSIONNOSHA"
+else
+  # If the user specified a full version with SHA, formulate a query to fetch the JSON info of that
+  # version.
+  VERSIONNOSHA="`echo $VERSION | sed 's/-SHA.*$//'`"
+  JSONURL="$BASE_INFO_URL?channel=$CHANNEL&source=install&platform=$OS&target-version=$VERSIONNOSHA"
+fi
+
+# Fetch version info.
+$FETCH $INSTALLERTMPDIR/info.json $JSONURL || exit 1
+if [ ! -z "`grep -o Invalid $INSTALLERTMPDIR/info.json`" ]; then
+	error "Could not download a State Tool installer for the given command line arguments"
+	exit 1
 fi
 
-if [ ! -z "$JSONURL" ]; then
+# Extract checksum.
+SUM=`cat $INSTALLERTMPDIR/info.json | sed -ne 's/.*"sha256":[ \t]*"\([^"]*\)".*/\1/p'`
+
+if [ -z "$VERSION" ]; then
   # If the user specified no version or a partial version we need to use the json URL to get the
   # actual installer URL.
-  $FETCH $INSTALLERTMPDIR/info.json $JSONURL || exit 1
-  if [ ! -z "`grep -o Invalid $INSTALLERTMPDIR/info.json`" ]; then
-    error "Could not download a State Tool installer for the given command line arguments"
-    exit 1
-  fi
-
-  # Parse info.
   VERSION=`cat $INSTALLERTMPDIR/info.json | sed -ne 's/.*"version":[ \t]*"\([^"]*\)".*/\1/p'`
   if [ -z "$VERSION" ]; then
     error "Unable to retrieve the latest version number"
     exit 1
   fi
-  SUM=`cat $INSTALLERTMPDIR/info.json | sed -ne 's/.*"sha256":[ \t]*"\([^"]*\)".*/\1/p'`
   RELURL=`cat $INSTALLERTMPDIR/info.json | sed -ne 's/.*"path":[ \t]*"\([^"]*\)".*/\1/p'`
-  rm $INSTALLERTMPDIR/info.json
-
 else
-  # If the user specified a full version, strip the SHA to get the folder name of the installer URL.
-  # Then we can construct the installer URL.
-  VERSIONNOSHA="`echo $VERSION | sed 's/-SHA.*$//'`"
+  # If the user specified a full version, construct the installer URL.
   RELURL="$CHANNEL/$VERSIONNOSHA/$OS-amd64/state-$OS-amd64-$VERSION$DOWNLOADEXT"
 fi
 
+rm $INSTALLERTMPDIR/info.json
+
 # Fetch the requested or latest version.
 progress "Preparing Installer for State Tool Package Manager version $VERSION"
 STATEURL="$BASE_FILE_URL/$RELURL"
@@ -162,8 +169,8 @@ if [ $? -ne 0 -o \( "`echo $FETCH | grep -o 'curl'`" = "curl" -a ! -z "`grep -o
   exit 1
 fi
 
-# Verify checksum if possible.
-if [ ! -z "$SUM" -a  "`$SHA256SUM -b $INSTALLERTMPDIR/$ARCHIVE | cut -d ' ' -f1`" != "$SUM" ]; then
+# Verify checksum.
+if [ "`$SHA256SUM -b $INSTALLERTMPDIR/$ARCHIVE | cut -d ' ' -f1`" != "$SUM" ]; then
   error "SHA256 sum did not match:"
   error "Expected: $SUM"
   error "Received: `$SHA256SUM -b $INSTALLERTMPDIR/$ARCHIVE | cut -d ' ' -f1`"