|
|
@ -66,7 +66,7 @@ runAsRoot() {
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
# verifySupported checks that the os/arch combination is supported for
|
|
|
|
# verifySupported checks that the os/arch combination is supported for
|
|
|
|
# binary builds.
|
|
|
|
# binary builds, as well whether or not necessary tools are present.
|
|
|
|
verifySupported() {
|
|
|
|
verifySupported() {
|
|
|
|
local supported="darwin-386\ndarwin-amd64\nlinux-386\nlinux-amd64\nlinux-arm\nlinux-arm64\nlinux-ppc64le\nwindows-386\nwindows-amd64"
|
|
|
|
local supported="darwin-386\ndarwin-amd64\nlinux-386\nlinux-amd64\nlinux-arm\nlinux-arm64\nlinux-ppc64le\nwindows-386\nwindows-amd64"
|
|
|
|
if ! echo "${supported}" | grep -q "${OS}-${ARCH}"; then
|
|
|
|
if ! echo "${supported}" | grep -q "${OS}-${ARCH}"; then
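Review bot: The rewritten header comment on verifySupported reads "as well whether or not necessary tools are present", which is missing a word and is the only change in this hunk; `# binary builds, as well as whether the necessary tools are present.` says the same thing cleanly. The tool checks the comment now promises are added to the function body in the following hunk, so the comment and the code stay in step only if both land together. The body of verifySupported continues outside this hunk.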
|
|
|
@ -79,6 +79,25 @@ verifySupported() {
|
|
|
|
echo "Either curl or wget is required"
|
|
|
|
echo "Either curl or wget is required"
|
|
|
|
exit 1
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if [ "${VERIFY_CHECKSUM}" == "true" ] && [ "${HAS_OPENSSL}" != "true" ]; then
|
|
|
|
|
|
|
|
echo "In order to verify checksum, openssl must first be installed."
|
|
|
|
|
|
|
|
echo "Please install openssl or set VERIFY_CHECKSUM=false in your environment."
|
|
|
|
|
|
|
|
exit 1
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if [ "${VERIFY_SIGNATURES}" == "true" ]; then
|
|
|
|
|
|
|
|
if [ "${HAS_GPG}" != "true" ]; then
|
|
|
|
|
|
|
|
echo "In order to verify signatures, gpg must first be installed."
|
|
|
|
|
|
|
|
echo "Please install gpg or set VERIFY_SIGNATURES=false in your environment."
|
|
|
|
|
|
|
|
exit 1
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ "${OS}" != "linux" ]; then
|
|
|
|
|
|
|
|
echo "Signature verification is currently only supported on Linux."
|
|
|
|
|
|
|
|
echo "Please set VERIFY_SIGNATURES=false or verify the signatures manually."
|
|
|
|
|
|
|
|
exit 1
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
fi
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
# checkDesiredVersion checks if the desired version is available.
|
|
|
|
# checkDesiredVersion checks if the desired version is available.
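Review bot: The new `if [ "${OS}" != "linux" ]` gate inside the VERIFY_SIGNATURES block gives no reason for the platform restriction and is evaluated after the HAS_GPG test, so a macOS or Windows user without gpg is first told to install gpg and only on the next run learns that signature verification is unsupported for them anyway. Moving the three-line OS check above the HAS_GPG check gives the actionable message first, and a one-line comment on the gate (for example `# TODO: record why signature verification is limited to Linux before widening it`) would stop the restriction from being dropped casually later. The HAS_OPENSSL and HAS_GPG variables read here are presumably assigned earlier in the script, outside this hunk; if either can be unset, the `!= "true"` comparison still fails closed, which is the right default for a verification gate. Using `==` inside single-bracket `[ ]` is a bashism, but it matches the existing `[ "${HAS_CURL}" == "true" ]` style elsewhere in the file.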
|
|
|
@ -157,11 +176,6 @@ installFile() {
|
|
|
|
|
|
|
|
|
|
|
|
# verifyChecksum verifies the SHA256 checksum of the binary package.
|
|
|
|
# verifyChecksum verifies the SHA256 checksum of the binary package.
|
|
|
|
verifyChecksum() {
|
|
|
|
verifyChecksum() {
|
|
|
|
if [ "${HAS_OPENSSL}" != "true" ]; then
|
|
|
|
|
|
|
|
echo "In order to verify checksum, openssl must first be installed."
|
|
|
|
|
|
|
|
echo "Please install openssl or set VERIFY_CHECKSUM=false in your environment."
|
|
|
|
|
|
|
|
exit 1
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
printf "Verifying checksum... "
|
|
|
|
printf "Verifying checksum... "
|
|
|
|
local sum=$(openssl sha1 -sha256 ${HELM_TMP_FILE} | awk '{print $2}')
|
|
|
|
local sum=$(openssl sha1 -sha256 ${HELM_TMP_FILE} | awk '{print $2}')
|
|
|
|
local expected_sum=$(cat ${HELM_SUM_FILE})
|
|
|
|
local expected_sum=$(cat ${HELM_SUM_FILE})
|
|
|
@ -172,19 +186,27 @@ verifyChecksum() {
|
|
|
|
echo "Done."
|
|
|
|
echo "Done."
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
# verifySignatures obtains the signature .asc files from the GitHub release,
|
|
|
|
# verifySignatures obtains the latest KEYS file from GitHub master branch
|
|
|
|
# then verifies that the release artifacts were signed by a trusted key.
|
|
|
|
# as well as the signature .asc files from the specific GitHub release,
|
|
|
|
|
|
|
|
# then verifies that the release artifacts were signed by a maintainer's key.
|
|
|
|
verifySignatures() {
|
|
|
|
verifySignatures() {
|
|
|
|
if [ "${HAS_GPG}" != "true" ]; then
|
|
|
|
|
|
|
|
echo "In order to verify signatures, gpg must first be installed."
|
|
|
|
|
|
|
|
echo "Please install gpg or set VERIFY_SIGNATURES=false in your environment."
|
|
|
|
|
|
|
|
exit 1
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
printf "Verifying signatures... "
|
|
|
|
printf "Verifying signatures... "
|
|
|
|
|
|
|
|
local keys_filename="KEYS"
|
|
|
|
|
|
|
|
local github_keys_url="https://raw.githubusercontent.com/helm/helm/master/${keys_filename}"
|
|
|
|
|
|
|
|
if [ "${HAS_CURL}" == "true" ]; then
|
|
|
|
|
|
|
|
curl -SsL "${github_keys_url}" -o "${HELM_TMP_ROOT}/${keys_filename}"
|
|
|
|
|
|
|
|
elif [ "${HAS_WGET}" == "true" ]; then
|
|
|
|
|
|
|
|
wget -q -O "${github_keys_url}" "${HELM_TMP_ROOT}/${keys_filename}"
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
local gpg_keyring="${HELM_TMP_ROOT}/keyring.gpg"
|
|
|
|
|
|
|
|
local gpg_homedir="${HELM_TMP_ROOT}/gnupg"
|
|
|
|
|
|
|
|
mkdir -p -m 0700 "${gpg_homedir}"
|
|
|
|
local gpg_stderr_device="/dev/null"
|
|
|
|
local gpg_stderr_device="/dev/null"
|
|
|
|
if [ "${DEBUG}" == "true" ]; then
|
|
|
|
if [ "${DEBUG}" == "true" ]; then
|
|
|
|
gpg_stderr_device="/dev/stderr"
|
|
|
|
gpg_stderr_device="/dev/stderr"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
gpg --batch --quiet --homedir="${gpg_homedir}" --import "${HELM_TMP_ROOT}/${keys_filename}" 2> "${gpg_stderr_device}"
|
|
|
|
|
|
|
|
gpg --batch --no-default-keyring --keyring "${gpg_homedir}/pubring.kbx" --export > "${gpg_keyring}"
|
|
|
|
local github_release_url="https://github.com/helm/helm/releases/download/${TAG}"
|
|
|
|
local github_release_url="https://github.com/helm/helm/releases/download/${TAG}"
|
|
|
|
if [ "${HAS_CURL}" == "true" ]; then
|
|
|
|
if [ "${HAS_CURL}" == "true" ]; then
|
|
|
|
curl -SsL "${github_release_url}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" -o "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc"
|
|
|
|
curl -SsL "${github_release_url}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" -o "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc"
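Review bot: The wget fallback for the KEYS download has its arguments inverted: `wget -q -O "${github_keys_url}" "${HELM_TMP_ROOT}/${keys_filename}"` passes the URL as the output file and the local path as the URL, so nothing is fetched and the following `gpg --import` reads a file that was never written; it should be `wget -q -O "${HELM_TMP_ROOT}/${keys_filename}" "${github_keys_url}"`. The pre-existing wget lines for the `.asc` files in the next hunk carry the same inversion, so on wget-only systems the whole path appears to fail closed for the wrong reason rather than verify anything. Neither fetch is checked for failure, so an empty or missing KEYS file surfaces later as "Unable to verify the signature" instead of a download error; `|| { echo "Failed to download ${keys_filename}"; exit 1; }` on each fetch would make the cause visible. The keyring exported here is passed to `gpg --verify --keyring=` in the next hunk without `--no-default-keyring`, and GnuPG adds `--keyring` files to the default keyring list rather than replacing it, so a signature from any key already in the caller's default keyring would also produce GOODSIG/VALIDSIG lines; adding `--no-default-keyring` to those verify calls keeps the trust set to the freshly imported KEYS. The function comment should also state the trust assumption that KEYS is fetched unauthenticated from the master branch at install time, so verification proves consistency with whatever that branch currently publishes rather than with a key fingerprint pinned in this script.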
|
|
|
@ -193,14 +215,16 @@ verifySignatures() {
|
|
|
|
wget -q -O "${github_release_url}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc"
|
|
|
|
wget -q -O "${github_release_url}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc"
|
|
|
|
wget -q -O "${github_release_url}/${TAG}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc" "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc"
|
|
|
|
wget -q -O "${github_release_url}/${TAG}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc" "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
local error_text="Double-check the PGP key provided. If you think this is a security issue,"
|
|
|
|
local error_text="If you think this might be a potential security issue,"
|
|
|
|
error_text="${error_text}\nplease see here: https://github.com/helm/community/blob/master/SECURITY.md"
|
|
|
|
error_text="${error_text}\nplease see here: https://github.com/helm/community/blob/master/SECURITY.md"
|
|
|
|
if ! gpg --verify "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" 2> "${gpg_stderr_device}"; then
|
|
|
|
local num_goodlines_sha=$(gpg --verify --keyring="${gpg_keyring}" --status-fd=1 "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" 2> "${gpg_stderr_device}" | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)')
|
|
|
|
|
|
|
|
if [[ ${num_goodlines_sha} -lt 2 ]]; then
|
|
|
|
echo "Unable to verify the signature of helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256!"
|
|
|
|
echo "Unable to verify the signature of helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256!"
|
|
|
|
echo -e "${error_text}"
|
|
|
|
echo -e "${error_text}"
|
|
|
|
exit 1
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
if ! gpg --verify "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc" 2> "${gpg_stderr_device}"; then
|
|
|
|
local num_goodlines_tar=$(gpg --verify --keyring="${gpg_keyring}" --status-fd=1 "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc" 2> "${gpg_stderr_device}" | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)')
|
|
|
|
|
|
|
|
if [[ ${num_goodlines_tar} -lt 2 ]]; then
|
|
|
|
echo "Unable to verify the signature of helm-${TAG}-${OS}-${ARCH}.tar.gz!"
|
|
|
|
echo "Unable to verify the signature of helm-${TAG}-${OS}-${ARCH}.tar.gz!"
|
|
|
|
echo -e "${error_text}"
|
|
|
|
echo -e "${error_text}"
|
|
|
|
exit 1
|
|
|
|
exit 1
|
|
|
|