fix(installer): checksum verification for alpine

ekristen · Jan 24, 2025 · ead5a44 · ead5a44
1 parent dee11d4
commit ead5a44
Showing 1 changed file with 35 additions and 27 deletions.
diff --git a/scripts/installer.tpl.sh b/scripts/installer.tpl.sh
@@ -1,14 +1,15 @@
 #!/usr/bin/env sh
 
-set -eu
+set -e
 
 if [ -n "${DEBUG:-}" ]; then
   set -x
 fi
 
+SKIP_CHECKSUM="${SKIP_CHECKSUM:-}"
 RELEASES_URL="https://github.com/ekristen/distillery/releases"
 FILE_BASENAME="distillery"
-LATEST="__VERSION__"
+LATEST="v1.7.0-next.6"
 
 test -z "$VERSION" && VERSION="$LATEST"
 
@@ -29,39 +30,46 @@ case "$ARCH" in
 esac
 TAR_FILE="${FILE_BASENAME}-${VERSION}-${OS}-${ARCH}.tar.gz"
 
-check_sha_version() {
-    local currentver=$1
-    local requiredver=$2
-    if [ "$(printf '%s\n' "$requiredver" $1 | sort -V | head -n1)" = "$requiredver" ]; then
-            return 0
-    else
-            return 1
+validate_sha256() {
+    local tar_file=$1
+    local checksum_file=$2
+
+    if command -v sha256sum >/dev/null 2>&1; then
+        sha256sum --ignore-missing --quiet --check "$checksum_file" > /dev/null 2>&1 && return 0
+        grep "${tar_file}$" "$checksum_file" > shasum.txt
+        sha256sum -c shasum.txt --status > /dev/null 2>&1 && return 0
+        sha256sum -c -s shasum.txt > /dev/null 2>&1 && return 0
+    fi
+
+    if command -v shasum >/dev/null 2>&1; then
+        shasum --ignore-missing -a 256 -c "$checksum_file" > /dev/null 2>&1 && return 0
+        shasum -c shasum.txt --status > /dev/null 2>&1 && return 0
     fi
+
+    echo "Unable to verify checksums." >&2
+    return 1
 }
 
 (
 	cd "$TMP_DIR"
 	echo "Downloading distillery $VERSION..."
-	curl -sfLO "$RELEASES_URL/download/$VERSION/$TAR_FILE"
-	curl -sfLO "$RELEASES_URL/download/$VERSION/checksums.txt"
+	if ! curl -sfLO "$RELEASES_URL/download/$VERSION/$TAR_FILE"; then
+	      echo "Failed to download distillery $VERSION." >&2
+    exit 1
+  fi
+  if ! curl -sfLO "$RELEASES_URL/download/$VERSION/checksums.txt"; then
+      echo "Failed to download checksums for distillery $VERSION." >&2
+      exit 1
+  fi
 	echo "Verifying checksums..."
-	if command -v sha256sum >/dev/null 2>&1; then
-        if check_sha_version "$(sha256sum --version 2>&1| sed '1q' | cut -f 3)" "8.25"; then
-            sha256sum --ignore-missing --quiet --check checksums.txt
-        else
-            grep "${TAR_FILE}$" checksums.txt > shasum.txt
-            sha256sum -c shasum.txt --status
-        fi
-    elif command -v shasum >/dev/null 2>&1; then
-        if check_sha_version "$(shasum --version)" "6.0.1"; then
-            shasum --ignore-missing -a 256 -c checksums.txt
-        else
-            grep "${TAR_FILE}$" checksums.txt > shasum.txt
-            shasum -c shasum.txt --status
-        fi
-    else
-        echo "Neither sha256sum nor shasum is available to verify checksums." >&2
+	if validate_sha256 "$TAR_FILE" checksums.txt; then
+	  echo "Checksum verification succeeded."
+	else
+	  if [ -z "$SKIP_CHECKSUM" ]; then
+      echo "Checksum verification failed."
+      exit 1
     fi
+  fi
 	if command -v cosign >/dev/null 2>&1; then
 		echo "Verifying signatures..."
 		REF="refs/tags/$VERSION"