Update prysm.sh to include slasher and sig verify (#5543)

* Add gpg detached signature checks * Add slasher * Pull key * move recv after log * use shasum, download pgp keys * only download key if not present * revert bazelversion change * Actually fail and allow bypass Co-authored-by: prylabs-bulldozer[bot] <58059840+prylabs-bulldozer[bot]@users.noreply.github.com>
prysmaticlabs · Apr 23, 2020 · a6a2ad4 · a6a2ad4
1 parent 49ca075
commit a6a2ad4
Showing 1 changed file with 77 additions and 21 deletions.
diff --git a/prysm.sh b/prysm.sh
@@ -10,6 +10,8 @@ set -eu
 # Use USE_PRYSM_VERSION to specify a specific release version. 
 #   Example: USE_PRYSM_VERSION=v0.3.3 ./prysm.sh beacon-chain
 
+readonly PRYLABS_SIGNING_KEY=0AE0051D647BA3C1A917AF4072E33E4DF1A5036E 
+
 function color() {
       # Usage: color "31;5" "string"
       # Some valid values for color:
@@ -62,7 +64,7 @@ function get_realpath() {
 # Complain if no arguments were provided.
 if [ "$#" -lt 1 ]; then
     color "31" "Usage: ./prysm.sh PROCESS FLAGS."
-    color "31" "PROCESS can be beacon-chain or validator."
+    color "31" "PROCESS can be beacon-chain, validator, or slasher."
     exit 1
 fi
 
@@ -81,7 +83,7 @@ case "$OSTYPE" in
   cygwin*)  system="windows" ;;
   *)        exit 1 ;;
 esac
-
+readonly system
 
 if [ "$system" == "windows" ]; then
 	arch="amd64.exe"
@@ -103,34 +105,82 @@ function get_prysm_version() {
   fi
 }
 
+function verify() {
+  file=$1
+
+  hash shasum 2>/dev/null || { echo >&2 "shasum is not available. Not verifying integrity of downloaded binary."; return failed_verification; }
+  hash gpg 2>/dev/null || { echo >&2 "gpg is not available. Not verifying integrity of downloaded binary."; return failed_verification; }
+
+  color "37" "Verifying binary integrity."
+
+  gpg --list-keys $PRYLABS_SIGNING_KEY >/dev/null 2>&1 || curl --silent https://prysmaticlabs.com/releases/pgp_keys.asc | gpg --import
+  (cd $wrapper_dir; shasum -a 256 -c "${file}.sha256" || failed_verification)
+  (cd $wrapper_dir; gpg -u $PRYLABS_SIGNING_KEY --verify "${file}.sig" $file || failed_verification)
+
+  color "32;1" "Verified ${file} has been signed by Prysmatic Labs."
+}
+
+function failed_verification() {
+  skip=${PRYSM_ALLOW_UNVERIFIED_BINARIES-0}
+  if [[ $skip == 1 ]]; then
+    return 0
+  fi
+  color "31" "Failed to verify Prysm binary. Please erase downloads in the \
+dist directory and run this script again. Alternatively, you can use a \
+A prior version by specifying environment variable USE_PRYSM_VERSION \
+with the specific version, as desired. Example: USE_PRYSM_VERSION=v1.0.0-alpha.5 \
+If you must wish to continue running an unverified binary, specific the \
+environment variable PRYSM_ALLOW_UNVERIFIED_BINARIES=1"
+  exit 1
+}
+
 get_prysm_version
 
 color "37" "Latest Prysm version is $prysm_version."
 
 BEACON_CHAIN_REAL="${wrapper_dir}/beacon-chain-${prysm_version}-${system}-${arch}"
 VALIDATOR_REAL="${wrapper_dir}/validator-${prysm_version}-${system}-${arch}"
+SLASHER_REAL="${wrapper_dir}/slasher-${prysm_version}-${system}-${arch}"
+
+if [[ $1 == beacon-chain ]]; then 
+  if [[ ! -x $BEACON_CHAIN_REAL ]]; then 
+      color "34" "Downloading beacon chain@${prysm_version} to ${BEACON_CHAIN_REAL} (${reason})"
+      file=beacon-chain-${prysm_version}-${system}-${arch}
+      curl -L "https://prysmaticlabs.com/releases/${file}" -o $BEACON_CHAIN_REAL
+      curl --silent -L "https://prysmaticlabs.com/releases/${file}.sha256" -o "${wrapper_dir}/${file}.sha256"
+      curl --silent -L "https://prysmaticlabs.com/releases/${file}.sig" -o "${wrapper_dir}/${file}.sig"
+      chmod +x $BEACON_CHAIN_REAL
+  else
+      color "37" "Beacon chain is up to date."
+  fi
+fi
 
-if [[ ! -x $BEACON_CHAIN_REAL ]]; then 
-    color "34" "Downloading beacon chain@${prysm_version} to ${BEACON_CHAIN_REAL} (${reason})"
-    file=beacon-chain-${prysm_version}-${system}-${arch}
-    curl -L "https://prysmaticlabs.com/releases/${file}" -o $BEACON_CHAIN_REAL
-    curl --silent -L "https://prysmaticlabs.com/releases/${file}.sha256" -o "${wrapper_dir}/${file}.sha256"
-    curl --silent -L "https://prysmaticlabs.com/releases/${file}.sig" -o "${wrapper_dir}/${file}.sig"
-    chmod +x $BEACON_CHAIN_REAL
-else
-    color "37" "Beacon chain is up to date."
+if  [[ $1 == validator ]]; then 
+  if [[ ! -x $VALIDATOR_REAL ]]; then 
+      color "34" "Downloading validator@${prysm_version} to ${VALIDATOR_REAL} (${reason})"
+
+      file=validator-${prysm_version}-${system}-${arch}
+      curl -L "https://prysmaticlabs.com/releases/${file}" -o $VALIDATOR_REAL
+      curl --silent -L "https://prysmaticlabs.com/releases/${file}.sha256" -o "${wrapper_dir}/${file}.sha256"
+      curl --silent -L "https://prysmaticlabs.com/releases/${file}.sig" -o "${wrapper_dir}/${file}.sig"
+      chmod +x $VALIDATOR_REAL
+  else
+      color "37" "Validator is up to date."
+  fi
 fi
 
-if [[ ! -x $VALIDATOR_REAL ]]; then 
-    color "34" "Downloading validator@${prysm_version} to ${VALIDATOR_REAL} (${reason})"
+if [[ $1 == slasher ]]; then
+  if [[ ! -x $SLASHER_REAL ]]; then 
+      color "34" "Downloading slasher@${prysm_version} to ${SLASHER_REAL} (${reason})"
 
-    file=validator-${prysm_version}-${system}-${arch}
-    curl -L "https://prysmaticlabs.com/releases/${file}" -o $VALIDATOR_REAL
-    curl --silent -L "https://prysmaticlabs.com/releases/${file}.sha256" -o "${wrapper_dir}/${file}.sha256"
-    curl --silent -L "https://prysmaticlabs.com/releases/${file}.sig" -o "${wrapper_dir}/${file}.sig"
-    chmod +x $VALIDATOR_REAL
-else
-    color "37" "Validator is up to date."
+      file=slasher-${prysm_version}-${system}-${arch}
+      curl -L "https://prysmaticlabs.com/releases/${file}" -o $SLASHER_REAL
+      curl --silent -L "https://prysmaticlabs.com/releases/${file}.sha256" -o "${wrapper_dir}/${file}.sha256"
+      curl --silent -L "https://prysmaticlabs.com/releases/${file}.sig" -o "${wrapper_dir}/${file}.sig"
+      chmod +x $SLASHER_REAL
+  else
+      color "37" "Slasher is up to date."
+  fi
 fi
 
 case $1 in
@@ -142,11 +192,17 @@ case $1 in
     readonly process=$VALIDATOR_REAL
     ;;
 
+  slasher)
+    readonly process=$SLASHER_REAL
+    ;;
+
   *)
     color "31" "Usage: ./prysm.sh PROCESS FLAGS."
-    color "31" "PROCESS can be beacon-chain or validator."
+    color "31" "PROCESS can be beacon-chain, validator, or slasher."
     ;;
 esac
 
+verify $process
+
 color "36" "Starting Prysm $1 ${@:2}"
 exec -a "$0" "${process}" "${@:2}"