tezos-k8s
Optionally use PGP to validate tarballs
This must work whilst still streaming the download, decompression, and tar xf -.
The way to do this properly is approximately:
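```
# Fetch the published checksum, then validate it with PGP before trusting it.
curl -o expected-sum "$SHA256_URL"
use_pgp_to_validate expected-sum   # placeholder for the PGP check

# tee copies the download to stderr (sent on to lz4 by 2>&1) and to openssl for hashing.
curl "$iTB_URL" | ( tee /dev/stderr | openssl sha256 > the-sum ) 2>&1 | lz4 -d | tar xvpf -

if ! cmp the-sum expected-sum; then
    echo "sigs don't match" 1>&2
    exit 1
fi
```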
This still decompresses and unpacks the tarball during the download, thus maximising performance, but it also computes the sha256 at the same time so even that step won't slow things down. And it preserves the nice quality of the pipeline that it doesn't require additional disk for the intermediate object.
It might be better to use fd 3 rather than stderr, too, as we might lose error messages. Something more like:
```
curl ... | ( tee /dev/fd/3 | openssl sha256 > the-sum ) 3>&1 | lz4 -d | tar xvpf -
```
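
A sketch of the fd 3 variant as a reusable function, added here as an example and not taken from the tezos-k8s code base. It unpacks into a staging directory and only renames it into place once the streamed digest matches, so a failed check leaves nothing behind. The names `verified_unpack`, `DECOMPRESS` and the `.partial` suffix are assumptions, and `sha256sum` stands in for `openssl sha256` because it prints the bare hex digest first.

```shell
#!/bin/sh
# Added example: hash the compressed stream on stdin while unpacking it,
# and publish the result only if the SHA-256 matches.
# usage: curl -fsS "$URL" | verified_unpack "$EXPECTED_HEX" /path/to/dest

verified_unpack() {
    expected=$1            # hex SHA-256 taken from the PGP-validated sum file
    dest=$2                # final directory; must not exist yet
    stage="$dest.partial"  # sibling of dest, so the final mv is a rename

    if [ -e "$dest" ]; then
        echo "verified_unpack: $dest already exists" >&2
        return 1
    fi
    sumfile=$(mktemp) || return 1
    rm -rf "$stage" && mkdir -p "$stage" || return 1

    # tee sends one copy of the stream to fd 3 (the pipe to the decompressor)
    # and one to sha256sum, leaving stderr free for real error messages.
    { tee /dev/fd/3 | sha256sum > "$sumfile"; } 3>&1 |
        ${DECOMPRESS:-lz4 -d} | tar -xpf - -C "$stage"
    tar_rc=$?

    actual=$(cut -d' ' -f1 "$sumfile")
    rm -f "$sumfile"

    if [ "$tar_rc" -ne 0 ] || [ "$actual" != "$expected" ]; then
        echo "verified_unpack: checksum mismatch or unpack failure" >&2
        rm -rf "$stage"    # discard everything that was unpacked unverified
        return 1
    fi
    mv "$stage" "$dest"
}
```

The staging directory costs no extra disk over the original pipeline, since the data is unpacked exactly once either way.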