From 0a60f455a9de08fae9611b5c982e7491c0005a6a Mon Sep 17 00:00:00 2001
From: Samuel Attard
Date: Sun, 1 Dec 2019 15:23:54 -0800
Subject: [PATCH] build: add hashes to the external binary downloader (#21328)
---
 script/external-binaries.json | 24 ++++++++++++++++--------
 script/update-external-binaries.py | 27 ++++++++++++++++++++++-----
 2 files changed, 38 insertions(+), 13 deletions(-)
diff --git a/script/external-binaries.json b/script/external-binaries.json
index 1ff47895074c..43682cfd30e3 100644
--- a/script/external-binaries.json
+++ b/script/external-binaries.json
@@ -4,37 +4,45 @@
 "binaries": [
 {
 "url": "Mantle.zip",
- "platform": "darwin"
+ "platform": "darwin",
+ "sha": "f9865e115c03871b45d3a2d8734220cb147a02dace46c92f766ca5d3059281dd"
 },
 {
 "url": "ReactiveCocoa.zip",
- "platform": "darwin"
+ "platform": "darwin",
+ "sha": "8ae85cd226fa4076472bfdfcda4745b5c7edf31fbe695868068eeaf62e7fa962"
 },
 {
 "url": "Squirrel.zip",
- "platform": "darwin"
+ "platform": "darwin",
+ "sha": "e516fd5c24c0ad267fd854848b04be0552be977aa846fa7f3c65ef4618699511"
 },
 {
 "url": "directxsdk-ia32.zip",
 "platform": "win32",
- "targetArch": "ia32"
+ "targetArch": "ia32",
+ "sha": "f777bd5ab524bf39c3bfc68ac2b3f95ff2136c92328cf63e857f399e849db037"
 },
 {
 "url": "directxsdk-x64.zip",
 "platform": "win32",
- "targetArch": "x64"
+ "targetArch": "x64",
+ "sha": "46c1f8afb9180516013c39e8d73182a7f15f0ea89c61dc94f92605b4734d447b"
 },
 {
 "url": "sccache-darwin-x64.zip",
- "platform": "darwin"
+ "platform": "darwin",
+ "sha": "3bfe114b49a15e4f15e2e3a9ee6699f1acdb89446badbaa4144869c72a7690ca"
 },
 {
 "url": "sccache-linux-x64.zip",
- "platform": "linux"
+ "platform": "linux",
+ "sha": "dd379b494122f9e85bdae3597b02c67b0a46192f20f4f16cae3f1258a57b39dd"
 },
 {
 "url": "sccache-win32-x64.zip",
- "platform": "win32"
+ "platform": "win32",
+ "sha": "b6a20fd1c2026f3792e7286bc768a7ebc261847b76449b49f55455e1f841fecd"
 }
 ]
 }
diff --git a/script/update-external-binaries.py b/script/update-external-binaries.py index 5332548c006c..0fff796bc4fe 100755 --- a/script/update-external-binaries.py +++ b/script/update-external-binaries.py @@ -2,6 +2,7 @@ import argparse import errno +import hashlib import json import os @@ -17,6 +18,7 @@ def parse_args(): parser.add_argument('--base-url', required=False, help="Base URL for all downloads") + parser.add_argument('--force', action='store_true', default=False, required=False) return parser.parse_args() @@ -37,7 +39,7 @@ def main(): output_dir = os.path.join(SOURCE_ROOT, 'external_binaries') version_file = os.path.join(output_dir, '.version') - if (is_updated(version_file, version)): + if (is_updated(version_file, version) and not args.force): return rm_rf(output_dir) @@ -47,7 +49,7 @@ def main(): if not binary_should_be_downloaded(binary): continue - temp_path = download_binary(base_url, version, binary['url']) + temp_path = download_binary(base_url, version, binary['url'], binary['sha']) # We assume that all binaries are in zip archives. extract_zip(temp_path, output_dir) 
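Review bot: The new `--force` argument in `parse_args()` has no `help=` string, unlike `--base-url` just above it, so `--help` does not say that the flag bypasses the `.version` up-to-date check and causes `external_binaries` to be removed and downloaded again. `default=False` and `required=False` are already what `action='store_true'` gives. I would write it as `parser.add_argument('--force', action='store_true', help='Re-download and re-verify all binaries even if .version is current')`. The body of `parse_args()` starts above this hunk.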
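Review bot: `binary['sha']` in the download loop of `main()` makes the digest mandatory, which is the right fail-closed choice, but a manifest entry that lacks the key fails with a bare `KeyError: 'sha'` that does not name the entry, and by then `rm_rf(output_dir)` from the previous hunk appears to have already run. A guard before the download, `if 'sha' not in binary: raise Exception('No sha listed for ' + binary['url'])`, gives a usable message. It should not be relaxed to `binary.get('sha')` with verification skipped when the value is missing. The loop and `main()` begin and end outside this hunk.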
@@ -82,16 +84,31 @@ def binary_should_be_downloaded(binary): return True -def download_binary(base_url, version, binary_url): +def sha256(file_path): + hash_256 = hashlib.sha256() + with open(file_path, "rb") as f: + for chunk in iter(lambda: f.read(4096), b""): + hash_256.update(chunk) + return hash_256.hexdigest() + + +def download_binary(base_url, version, binary_url, sha): full_url = '{0}/{1}/{2}'.format(base_url, version, binary_url) - temp_path = download_to_temp_dir(full_url, filename=binary_url) + temp_path = download_to_temp_dir(full_url, filename=binary_url, sha=sha) return temp_path -def download_to_temp_dir(url, filename): +def validate_sha(file_path, sha): + downloaded_sha = sha256(file_path) + if downloaded_sha != sha: + raise Exception("SHA for external binary file {} does not match expected '{}' != '{}'".format(file_path, downloaded_sha, sha)) + + +def download_to_temp_dir(url, filename, sha): download_dir = tempdir(prefix='electron-') file_path = os.path.join(download_dir, filename) download(text='Download ' + filename, url=url, path=file_path) + validate_sha(file_path, sha) return file_path
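Review bot: The mismatch message in `validate_sha()` labels its values the wrong way round: it says "does not match expected" and then prints `downloaded_sha` first and the pinned `sha` second, so whoever triages a failed download will read the computed digest as the expected one. Swapping the arguments and wording fixes that: `"SHA-256 mismatch for {}: expected '{}', got '{}'".format(file_path, sha, downloaded_sha)`. The rejected archive is also left in the temp directory; calling `os.remove(file_path)` before the `raise` keeps an unverified file from being picked up by a manual retry. The new `sha256()` and `validate_sha()` helpers have no docstrings; a one-line docstring on each stating that the digest is SHA-256 as lowercase hex would make the comparison contract with the `sha` values in `external-binaries.json` explicit.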