Add checksum verifications while shimming

heroku · Jan 14, 2021 · 7de9358 · 7de9358
1 parent 6eebc4a
commit 7de9358
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 15 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -35,22 +35,40 @@ jobs:
           set -euo pipefail
 
           while IFS="" read -r -d "" buildpack_toml_path; do
-            buildpack_id="$(yj -t < "${buildpack_toml_path}" | jq -r .buildpack.id)"
-            buildpack_version="$(yj -t < "${buildpack_toml_path}" | jq -r .buildpack.version)"
-            buildpack_docker_repository="$(yj -t < "${buildpack_toml_path}" | jq -r .metadata.release.docker.repository)"
+            buildpack_id="$(yj -t <"${buildpack_toml_path}" | jq -r .buildpack.id)"
+            buildpack_version="$(yj -t <"${buildpack_toml_path}" | jq -r .buildpack.version)"
+            buildpack_docker_repository="$(yj -t <"${buildpack_toml_path}" | jq -r .metadata.release.docker.repository)"
             buildpack_path=$(dirname "${buildpack_toml_path}")
-            buildpack_shim_v2_tarball="$(yj -t < "${buildpack_toml_path}" | jq -r .metadata.shim_v2_tarball)"
 
             if [[ $buildpack_id == "${REQUESTED_BUILDPACK_ID}" ]]; then
+              cnb_shim_tarball_url="https://github.com/heroku/cnb-shim/releases/download/v0.3/cnb-shim-v0.3.tgz"
+              cnb_shim_tarball_sha256="109cfc01953cb04e69c82eec1c45c7c800bd57d2fd0eef030c37d8fc37a1cb4d"
+              local_cnb_shim_tarball=$(mktemp)
+
+              v2_buildpack_tarball_url="$(yj -t <"${buildpack_toml_path}" | jq -r .metadata.shim.tarball)"
+              v2_buildpack_tarball_sha256="$(yj -t <"${buildpack_toml_path}" | jq -r .metadata.shim.sha256)"
+              local_v2_buildpack_tarball=$(mktemp)
+
               # If the buildpack has a V2 buildpack tarball in its metadata it's supposed to be a shimmed buildpack.
               # We download the shim and the V2 buildpack to the buildpack directory, turning it into a CNB. This transformation
               # is transparent for the code that follows after it.
-              if [[ -n "${buildpack_shim_v2_tarball:-}" ]]; then
-                cnb_shim_tarball_curl="https://github.com/heroku/cnb-shim/releases/download/v0.3/cnb-shim-v0.3.tgz"
-                mkdir -p "${buildpack_path}/target"
+              if [[ -n "${v2_buildpack_tarball_url:-}" ]]; then
+                curl --retry 3 --location "${cnb_shim_tarball_url}" --output "${local_cnb_shim_tarball}"
+                curl --retry 3 --location "${v2_buildpack_tarball_url}" --output "${local_v2_buildpack_tarball}"
 
-                curl --retry 3 --location "${cnb_shim_tarball_curl}" | tar -xzm -C "${buildpack_path}"
-                curl --retry 3 --location "${buildpack_shim_v2_tarball}" | tar -xzm -C "${buildpack_path}/target"
+                if ! echo "${cnb_shim_tarball_sha256} ${local_cnb_shim_tarball}" | sha256sum --check --status; then
+                  echo "Checksum verification of cnb_shim failed!"
+                  exit 1
+                fi
+
+                if ! echo "${v2_buildpack_tarball_sha256} ${local_v2_buildpack_tarball}" | sha256sum --check --status; then
+                  echo "Checksum verification of V2 buildpack tarball failed!"
+                  exit 1
+                fi
+
+                mkdir -p "${buildpack_path}/target"
+                tar -xzmf "${local_cnb_shim_tarball}" -C "${buildpack_path}"
+                tar -xzmf "${local_v2_buildpack_tarball}" -C "${buildpack_path}/target"
               fi
 
               image_name="${buildpack_docker_repository}:${buildpack_version}"

diff --git a/shimmed-buildpacks/clojure/buildpack.toml b/shimmed-buildpacks/clojure/buildpack.toml
@@ -14,8 +14,9 @@ id = "heroku-20"
 [[stacks]]
 id = "io.buildpacks.stacks.bionic"
 
-[metadata]
-shim_v2_tarball="https://buildpack-registry.s3.amazonaws.com/buildpacks/heroku/clojure-v86.tgz"
+[metadata.shim]
+tarball="https://buildpack-registry.s3.amazonaws.com/buildpacks/heroku/clojure-v86.tgz"
+sha256="c85cb7f4e10a2bc76fc9804d14842ea1021609a23d953359eed30cfd019560d1"
 
 [metadata.release.docker]
 repository="public.ecr.aws/r2f9u0w4/heroku-clojure-buildpack"
diff --git a/shimmed-buildpacks/gradle/buildpack.toml b/shimmed-buildpacks/gradle/buildpack.toml
@@ -14,8 +14,9 @@ id = "heroku-20"
 [[stacks]]
 id = "io.buildpacks.stacks.bionic"
 
-[metadata]
-shim_v2_tarball="https://buildpack-registry.s3.amazonaws.com/buildpacks/heroku/gradle-v34.tgz"
+[metadata.shim]
+tarball="https://buildpack-registry.s3.amazonaws.com/buildpacks/heroku/gradle-v34.tgz"
+sha256="56d9af33cc9ed33c2dd78991278b49063879d61954ed24cb7974aa7e0d43be8d"
 
 [metadata.release.docker]
 repository="public.ecr.aws/r2f9u0w4/heroku-gradle-buildpack"
diff --git a/shimmed-buildpacks/scala/buildpack.toml b/shimmed-buildpacks/scala/buildpack.toml
@@ -14,8 +14,9 @@ id = "heroku-20"
 [[stacks]]
 id = "io.buildpacks.stacks.bionic"
 
-[metadata]
-shim_v2_tarball="https://buildpack-registry.s3.amazonaws.com/buildpacks/heroku/scala-v88.tgz"
+[metadata.shim]
+tarball="https://buildpack-registry.s3.amazonaws.com/buildpacks/heroku/scala-v88.tgz"
+sha256="d11afa35769cb336aded3f985eb8efb10cb689c786fc7b3a75253ba6f4fe846e"
 
 [metadata.release.docker]
 repository="public.ecr.aws/r2f9u0w4/heroku-scala-buildpack"