Verify drone-ssh binary checksum after download

Download checksums.txt from the drone-ssh release alongside the binary and verify it. Protects against tampered or corrupted release artifacts.
3 weeks ago · 3f19ce98ab
parent 1530429296
commit 3f19ce98ab
1 changed files with 11 additions and 0 deletions
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -62,6 +62,17 @@ else
    log_error "Downloaded file is missing or empty: ${TARGET}" "${ERR_INVALID_BINARY}"
  fi

+  # Download checksum file
+  if ! curl -fsSL --retry 5 --keepalive-time 2 --location ${INSECURE_OPTION} \
+    "${DOWNLOAD_URL_PREFIX}/checksums.txt" -o "${GITHUB_ACTION_PATH}/checksums.txt"; then
+    log_error "Failed to download checksums.txt from ${DOWNLOAD_URL_PREFIX}." "${ERR_DOWNLOAD_FAILED}"
+  fi
+
+  # Verify checksum
+  if ! (cd "${GITHUB_ACTION_PATH}" && shasum -c checksums.txt --ignore-missing); then
+    log_error "Checksum verification failed for ${CLIENT_BINARY}." "${ERR_INVALID_BINARY}"
+  fi
+
  chmod +x "${TARGET}"
 fi