mirror of
https://github.com/goreleaser/goreleaser-action.git
synced 2026-05-20 01:11:53 +00:00
feat: verify release checksum and cosign signature (#550)
* feat: verify release checksum and cosign signature Download checksums.txt for the release and verify the SHA-256 of the downloaded archive against it. When cosign is available in PATH, also download checksums.txt.sigstore.json and verify the signature against the goreleaser/goreleaser-pro release workflow identity. Both steps degrade gracefully (with a warning) when the corresponding artifacts or tooling are missing. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * test: use install() for checksum e2e tests Drop the http-client download helper from verifyChecksum integration tests; call goreleaser.install() instead so the test exercises the public API path and avoids duplicating download logic. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
Carlos Alexandro Becker
GitHub
parent
01cbe076be
commit
4b462d3d1d
5 changed files with 199 additions and 13 deletions
|
|
@ -1,26 +1,26 @@
|
|||
import * as crypto from 'crypto';
|
||||
import * as fs from 'fs';
|
||||
import * as path from 'path';
|
||||
import * as util from 'util';
|
||||
import yaml from 'js-yaml';
|
||||
import * as context from './context';
|
||||
import * as github from './github';
|
||||
import * as core from '@actions/core';
|
||||
import * as exec from '@actions/exec';
|
||||
import * as io from '@actions/io';
|
||||
import * as tc from '@actions/tool-cache';
|
||||
|
||||
export async function install(distribution: string, version: string): Promise<string> {
|
||||
const release: github.GitHubRelease = await github.getRelease(distribution, version);
|
||||
const filename = getFilename(distribution);
|
||||
const downloadUrl = util.format(
|
||||
'https://github.com/goreleaser/%s/releases/download/%s/%s',
|
||||
distribution,
|
||||
release.tag_name,
|
||||
filename
|
||||
);
|
||||
const baseUrl = `https://github.com/goreleaser/${distribution}/releases/download/${release.tag_name}`;
|
||||
const downloadUrl = `${baseUrl}/${filename}`;
|
||||
|
||||
core.info(`Downloading ${downloadUrl}`);
|
||||
const downloadPath: string = await tc.downloadTool(downloadUrl);
|
||||
core.debug(`Downloaded to ${downloadPath}`);
|
||||
|
||||
await verifyChecksum(distribution, release.tag_name, downloadPath, filename);
|
||||
|
||||
core.info('Extracting GoReleaser');
|
||||
let extPath: string;
|
||||
if (context.osPlat == 'win32') {
|
||||
|
|
@ -45,6 +45,92 @@ export async function install(distribution: string, version: string): Promise<st
|
|||
return exePath;
|
||||
}
|
||||
|
||||
export async function verifyChecksum(
|
||||
distribution: string,
|
||||
tag: string,
|
||||
archivePath: string,
|
||||
filename: string
|
||||
): Promise<void> {
|
||||
const baseUrl = `https://github.com/goreleaser/${distribution}/releases/download/${tag}`;
|
||||
let checksumsPath: string;
|
||||
try {
|
||||
core.info(`Downloading ${baseUrl}/checksums.txt`);
|
||||
checksumsPath = await tc.downloadTool(`${baseUrl}/checksums.txt`);
|
||||
} catch (e) {
|
||||
core.warning(`Skipping checksum verification: unable to download checksums.txt: ${e.message}`);
|
||||
return;
|
||||
}
|
||||
|
||||
const sha256 = crypto.createHash('sha256').update(fs.readFileSync(archivePath)).digest('hex');
|
||||
const expected = findChecksum(fs.readFileSync(checksumsPath, 'utf8'), filename);
|
||||
if (!expected) {
|
||||
throw new Error(`Could not find ${filename} in checksums.txt`);
|
||||
}
|
||||
if (expected.toLowerCase() !== sha256.toLowerCase()) {
|
||||
throw new Error(`Checksum mismatch for ${filename}: expected ${expected}, got ${sha256}`);
|
||||
}
|
||||
core.info(`Checksum verified for ${filename}`);
|
||||
|
||||
await verifyCosignSignature(distribution, tag, baseUrl, checksumsPath);
|
||||
}
|
||||
|
||||
export const findChecksum = (checksumsContent: string, filename: string): string | undefined => {
|
||||
const match = checksumsContent
|
||||
.split('\n')
|
||||
.map(line => line.trim().split(/\s+/))
|
||||
.find(parts => parts.length >= 2 && parts[1].replace(/^[*]/, '') === filename);
|
||||
return match ? match[0] : undefined;
|
||||
};
|
||||
|
||||
async function verifyCosignSignature(
|
||||
distribution: string,
|
||||
tag: string,
|
||||
baseUrl: string,
|
||||
checksumsPath: string
|
||||
): Promise<void> {
|
||||
const cosign = await io.which('cosign', false);
|
||||
if (!cosign) {
|
||||
core.info('cosign not found in PATH, skipping signature verification');
|
||||
return;
|
||||
}
|
||||
|
||||
let bundlePath: string;
|
||||
try {
|
||||
core.info(`Downloading ${baseUrl}/checksums.txt.sigstore.json`);
|
||||
bundlePath = await tc.downloadTool(`${baseUrl}/checksums.txt.sigstore.json`);
|
||||
} catch (e) {
|
||||
core.warning(`Skipping cosign signature verification: unable to download sigstore bundle: ${e.message}`);
|
||||
return;
|
||||
}
|
||||
|
||||
const certificateIdentity = getCertificateIdentity(distribution, tag);
|
||||
core.info(`Verifying checksums.txt signature with cosign (identity: ${certificateIdentity})`);
|
||||
await exec.exec(cosign, [
|
||||
'verify-blob',
|
||||
'--certificate-identity',
|
||||
certificateIdentity,
|
||||
'--certificate-oidc-issuer',
|
||||
'https://token.actions.githubusercontent.com',
|
||||
'--bundle',
|
||||
bundlePath,
|
||||
checksumsPath
|
||||
]);
|
||||
core.info('cosign signature verified');
|
||||
}
|
||||
|
||||
export const getCertificateIdentity = (distribution: string, tag: string): string => {
|
||||
const pro = isPro(distribution);
|
||||
if (tag === 'nightly') {
|
||||
const workflow = pro ? 'nightly-pro.yml' : 'nightly-oss.yml';
|
||||
const repo = pro ? 'goreleaser-pro-internal' : 'goreleaser';
|
||||
return `https://github.com/goreleaser/${repo}/.github/workflows/${workflow}@refs/heads/main`;
|
||||
}
|
||||
if (pro) {
|
||||
return `https://github.com/goreleaser/goreleaser-pro-internal/.github/workflows/release-pro.yml@refs/tags/${tag}`;
|
||||
}
|
||||
return `https://github.com/goreleaser/goreleaser/.github/workflows/release.yml@refs/tags/${tag}`;
|
||||
};
|
||||
|
||||
export const distribSuffix = (distribution: string): string => {
|
||||
return isPro(distribution) ? '-pro' : '';
|
||||
};
|
||||
|
|
@ -81,7 +167,7 @@ const getFilename = (distribution: string): string => {
|
|||
const platform: string = context.osPlat == 'win32' ? 'Windows' : context.osPlat == 'darwin' ? 'Darwin' : 'Linux';
|
||||
const ext: string = context.osPlat == 'win32' ? 'zip' : 'tar.gz';
|
||||
const suffix: string = distribSuffix(distribution);
|
||||
return util.format('goreleaser%s_%s_%s.%s', suffix, platform, arch, ext);
|
||||
return `goreleaser${suffix}_${platform}_${arch}.${ext}`;
|
||||
};
|
||||
|
||||
export async function getDistPath(yamlfile: string): Promise<string> {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue