Check hash of downloaded setup #17

Merged
merged 4 commits into from
Jan 5, 2025
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -28,6 +28,7 @@ Parameters
| check-sig | true | Whether to check the setup.ini signature
| add-to-path | true | Whether to add Cygwin's `/bin` directory to the system `PATH`
| allow-test-packages | false | Consider package versions marked test for installation
| check-hash | true | Whether to check the hash of the downloaded Cygwin installer.

Line endings
------------
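Review bot: The new `check-hash` row does not say which hash is checked or what happens when the check cannot be performed. action.yml compares a SHA512 digest of the installer against https://cygwin.com/sha512.sum and only emits a warning when no entry for the installer is found, so it would help to state both here; otherwise a reader will assume that `true` always means a verified installer.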
38 changes: 34 additions & 4 deletions action.yml
Expand Up @@ -18,7 +18,7 @@ inputs:
check-sig:
description: Should the setup.ini file signature be checked?
required: false
default: true
default: 'true'
pubkeys:
description: Absolute paths of extra public key files (RFC4880 format), separated by whitespace
required: false
Expand All @@ -28,16 +28,21 @@ inputs:
add-to-path:
description: Should Cygwin's bin directory be added to the system PATH?
required: false
default: true
default: 'true'
allow-test-packages:
description: Consider package versions marked test
required: false
default: false
default: 'false'
check-hash:
description: Check the hash of the installer
required: false
default: 'true'
mlocati marked this conversation as resolved.

runs:
using: "composite"
steps:
- run: |
$ErrorActionPreference = 'Stop'
mlocati marked this conversation as resolved.
$platform = '${{ inputs.platform }}'
$platform = $platform -replace '^(x64|amd64)$', 'x86_64'
$platform = $platform -replace '^i686$', 'x86'
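Review bot: The `check-hash` description ("Check the hash of the installer") does not name the algorithm and, unlike `check-sig` and `add-to-path`, is not phrased as a question. Suggest something like "Should the SHA512 hash of the downloaded installer be checked?". Because the step tests this input with `-eq 'true'`, it is also worth noting in the description that any other value turns the check off.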
Expand All @@ -46,7 +51,32 @@ runs:
echo "unknown platform $platform"
exit 1
}
Invoke-WebRequest https://cygwin.com/setup-$platform.exe -OutFile C:\setup.exe
$setupFileName = "setup-$platform.exe"
Invoke-WebRequest "https://cygwin.com/$setupFileName" -OutFile C:\setup.exe
if ((Get-Item -LiteralPath 'C:\setup.exe').Length -eq 0) {
throw "The downloaded setup has a zero length!"
}

if ('${{ inputs.check-hash }}' -eq 'true') {
$expectedHashLines = $(Invoke-WebRequest -Uri https://cygwin.com/sha512.sum).ToString() -split "`n"
$expectedHash = ''
foreach ($expectedHashLine in $expectedHashLines) {
if ($expectedHashLine.EndsWith(" $setupFileName")) {
$expectedHash = $($expectedHashLine -split '\s+')[0]
break
}
}
if ($expectedHash -eq '') {
Write-Output -InputObject "::warning::Unable to find the hash for the file $setupFileName in https://cygwin.com/sha512.sum"
} else {
$actualHash = $(Get-FileHash -LiteralPath C:\setup.exe -Algorithm SHA512).Hash
if ($actualHash -ine $expectedHash) {
throw "Invalid hash of the downloaded setup!`nExpected: $expectedHash`nActual : $actualHash"
} else {
Write-Output -InputObject "The downloaded file has the expected hash ($expectedHash)"
}
}
}

$packages = '${{ inputs.packages }}'
$pkg_list = $packages.Split('', [System.StringSplitOptions]::RemoveEmptyEntries)
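Review bot: The verification fails open in the `if ($expectedHash -eq '')` branch: when no line of sha512.sum ends with " $setupFileName", the step only writes a `::warning::` and goes on to use C:\setup.exe unverified, even though `check-hash` is 'true'. That branch can also be reached through formatting alone, because the list is split on "`n" only, so a trailing carriage return on each line would make `EndsWith(" $setupFileName")` false for every entry. Suggest trimming each line before matching and replacing the warning with a `throw`, so that a missing or unparseable entry stops the job. Separately, the checksum list is fetched from the same host as the installer, so this check catches a truncated or corrupted download rather than a tampered origin; a comment saying so would set expectations.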