[openwrt/openwrt] ci: build: verify downloaded toolchain tarball

LEDE Commits lede-commits at lists.infradead.org
Tue Oct 24 08:14:47 PDT 2023


ansuel pushed a commit to openwrt/openwrt.git, branch openwrt-23.05:
https://git.openwrt.org/6cdd9a6de493cc9b8152a73d8449673b1190d1ff

commit 6cdd9a6de493cc9b8152a73d8449673b1190d1ff
Author: Petr Štetiar <ynezz at true.cz>
AuthorDate: Fri May 26 11:41:18 2023 +0200

    ci: build: verify downloaded toolchain tarball
    
    CDNs are known to ship outdated or corrupted files; if it unpacks
    correctly, it doesn't necessarily mean that we're using the desired
    content. So let's fix it by checking the tarball as well.
    
    I'm adding GPG checking explicitly; it's not needed, but just double
    checking that everything is working as expected on build
    infrastructure.
    
    Signed-off-by: Petr Štetiar <ynezz at true.cz>
    (cherry picked from commit 95dde523297c652072ee96ac32d22912a43ef761)
---
 .github/workflows/build.yml | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index efaf759403..367a43383b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -280,13 +280,23 @@ jobs:
           restore-keys: |
             ccache-${{ inputs.ccache_type }}-${{ inputs.target }}/${{ inputs.subtarget }}-
 
+      - name: Import GPG keys
+        shell: su buildbot -c "sh -e {0}"
+        if: inputs.build_toolchain == false && steps.parse-toolchain.outputs.toolchain-type != 'internal' && steps.parse-toolchain.outputs.toolchain-type != 'external_container'
+        run: gpg --receive-keys 0xCD84BCED626471F1 0x1D53D1877742E911 0xCD54E82DADB3684D
+
       - name: Download external toolchain/sdk
         if: inputs.build_toolchain == false && steps.parse-toolchain.outputs.toolchain-type != 'internal' && steps.parse-toolchain.outputs.toolchain-type != 'external_container'
         shell: su buildbot -c "sh -e {0}"
         working-directory: openwrt
         run: |
-          wget -O - https://downloads.cdn.openwrt.org/${{ env.TOOLCHAIN_PATH }}/targets/${{ inputs.target }}/${{ inputs.subtarget }}/${{ env.TOOLCHAIN_FILE }}.tar.xz \
-            | tar --xz -xf -
+          wget https://downloads.cdn.openwrt.org/${{ env.TOOLCHAIN_PATH }}/targets/${{ inputs.target }}/${{ inputs.subtarget }}/${{ env.TOOLCHAIN_FILE }}.tar.xz
+          wget https://downloads.cdn.openwrt.org/${{ env.TOOLCHAIN_PATH }}/targets/${{ inputs.target }}/${{ inputs.subtarget }}/sha256sums.asc
+          wget https://downloads.cdn.openwrt.org/${{ env.TOOLCHAIN_PATH }}/targets/${{ inputs.target }}/${{ inputs.subtarget }}/sha256sums
+          gpg --with-fingerprint --verify sha256sums.asc
+          sha256sum --check --ignore-missing sha256sums
+          tar --xz -xf ${{ env.TOOLCHAIN_FILE }}.tar.xz
+          rm ${{ env.TOOLCHAIN_FILE }}.tar.xz sha256sums
 
       - name: Configure testing kernel
         if: inputs.testing == true
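Review bot: `gpg --with-fingerprint --verify sha256sums.asc` succeeds for a valid signature from any key in the buildbot keyring, and nothing in this hunk checks which key actually signed `sha256sums`; `--with-fingerprint` only prints it. Since the "Import GPG keys" step pins 64-bit key IDs fetched from whatever keyserver the runner's gpg is configured with, the chain of trust ends at that keyserver lookup rather than at a fingerprint under the repository's control. Consider checking the public keys into the repository and importing them into a dedicated keyring, then asserting the signer, for example `gpg --status-fd 1 --verify sha256sums.asc | grep -q 'VALIDSIG <EXPECTED_FULL_FINGERPRINT>'` (placeholder; the page does not list the fingerprints). The `sha256sum --check --ignore-missing sha256sums` line is fine as written: GNU coreutils exits non-zero if no listed file was verified, so a tarball name that does not match any entry still fails the step under `sh -e`. Minor: the cleanup `rm` removes the tarball and `sha256sums` but leaves `sha256sums.asc` in the `openwrt` working directory.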
