Improve security by adding checksum validation to downloads. (#3781)
* Improve security by adding checksum validation to downloads.
* Fix sha check on windows.
steelhead31 authored Apr 30, 2024
1 parent 2663a0a commit bc0709a
Showing 5 changed files with 114 additions and 20 deletions.
14 changes: 11 additions & 3 deletions .azure-devops/build/steps/windows/before.yml
Expand Up @@ -46,9 +46,17 @@ steps:
# install cygwin and build dependencies
- powershell: |
$ProgressPreference = 'SilentlyContinue';
Invoke-WebRequest -UseBasicParsing 'https://cygwin.com/setup-x86_64.exe' -OutFile '${{ parameters.dependenciesDir }}\cygwin.exe';
Start-Process -Wait -FilePath '${{ parameters.dependenciesDir }}\cygwin.exe' -ArgumentList '--packages wget,bsdtar,rsync,gnupg,git,autoconf,make,gcc-core,mingw64-x86_64-gcc-core,unzip,zip,cpio,curl,grep,perl --quiet-mode --download --local-install --delete-orphans --site https://mirrors.kernel.org/sourceware/cygwin/ --local-package-dir $(Agent.BuildDirectory)\cygwin_packages --root $(Agent.BuildDirectory)\cygwin64';
displayName: "[Windows Before] download and install Cygwin"
$DownloadedFile = "${{ parameters.dependenciesDir }}\cygwin.exe";
$DownloadUrl = 'https://cygwin.com/setup-x86_64.exe';
$ExpectedChecksum = 'e7815d360ab098fdd1f03f10f43f363c73a632e8866e304c72573cf1e6a0dec8';
Invoke-WebRequest -UseBasicParsing -Uri $DownloadUrl -OutFile $DownloadedFile;
# Calculate SHA256 checksum of the downloaded file
$DownloadedChecksum = (Get-FileHash -Path $DownloadedFile -Algorithm SHA256).Hash;
# Compare calculated checksum with the expected checksum
if ($DownloadedChecksum -eq $ExpectedChecksum) {
Start-Process -Wait -FilePath $DownloadedFile -ArgumentList '--packages wget,bsdtar,rsync,gnupg,git,autoconf,make,gcc-core,mingw64-x86_64-gcc-core,unzip,zip,cpio,curl,grep,perl --quiet-mode --download --local-install --delete-orphans --site
# add cygwin bin to PATH
- script: |
32 changes: 29 additions & 3 deletions .github/workflows/build.yml
Expand Up @@ -162,7 +162,7 @@ jobs:
rm /usr/local/bin/python3-config || true
rm /usr/local/bin/python3.11-config || true
rm /usr/local/bin/python3.12-config || true
- name: Install Dependencies
run: |
brew install automake bash binutils freetype gnu-sed nasm
Expand All @@ -173,7 +173,7 @@ jobs:
java-version: 7
distribution: 'zulu'
if: matrix.version.name == 'jdk8u'

- name: Select correct Xcode (JDK8)
if: matrix.version.name == 'jdk8u'
run: |
Expand Down Expand Up @@ -206,7 +206,7 @@ jobs:
TARGET_OS: mac
FILENAME: OpenJDK.tar.gz
JDK7_BOOT_DIR: ${{ steps.setup-java.outputs.path }}

- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
name: Collect and Archive Artifacts
with:
Expand Down Expand Up @@ -328,6 +328,19 @@ jobs:
curl -L "$env:VS2017_URL" -o "$HOME/vs2017.exe"
if: steps.vs2017.outputs.cache-hit != 'true' && matrix.version == 'jdk8u'

- name: Verify Download Of Visual Studio 2017
shell: powershell
run: |
$expected_checksum="7ED8FA27575648163E07548FF5667B55B95663A2323E2B2A5F87B16284E481E6"
$actual_checksum=(Get-FileHash -Algorithm SHA256 -Path $HOME/vs2017.exe | Select-Object -ExpandProperty Hash)
echo "Expect : $expected_checksum"
echo "Actual : $actual_checksum"
if ($expected_checksum -ne $actual_checksum) {
Write-Output "Error - Checksum Verification Failed - Exiting"
exit 1
}
if: steps.vs2017.outputs.cache-hit != 'true' && matrix.version == 'jdk8u'

- name: Install Visual Studio 2017
if: matrix.version == 'jdk8u'
run: >
Expand All @@ -343,6 +356,19 @@ jobs:
curl -L "$env:VS2019_URL" -o "$HOME/vs2019.exe"
if: steps.vs2019.outputs.cache-hit != 'true' && (matrix.version == 'jdk11u' || matrix.version == 'jdk17u')

- name: Verify Download Of Visual Studio 2019
shell: powershell
run: |
$expected_checksum="F29399A618BD3A8D1DCC96D349453F686B6176590D904308402A6402543E310B"
$actual_checksum=(Get-FileHash -Algorithm SHA256 -Path $HOME/vs2019.exe | Select-Object -ExpandProperty Hash)
echo "Expect : $expected_checksum"
echo "Actual : $actual_checksum"
if ($expected_checksum -ne $actual_checksum) {
Write-Output "Error - Checksum Verification Failed - Exiting"
exit 1
}
if: steps.vs2019.outputs.cache-hit != 'true' && (matrix.version == 'jdk11u' || matrix.version == 'jdk17u')

- name: Install Visual Studio 2019
if: matrix.version == 'jdk11u' || matrix.version == 'jdk17u'
run: >
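Review bot: The new "Verify Download Of Visual Studio 2017" step carries the same `if: steps.vs2017.outputs.cache-hit != 'true' && matrix.version == 'jdk8u'` condition as the download step, so a vs2017.exe restored from the cache (presumably by the `vs2017` cache step the condition refers to, which is outside the hunk) is never hashed; only fresh downloads are checked. Since the cached copy is what the install step consumes on every other run, the verify step should run whenever the install step runs, e.g. `if: matrix.version == 'jdk8u'`, and the same applies to the "Verify Download Of Visual Studio 2019" step in the next hunk (`if: matrix.version == 'jdk11u' || matrix.version == 'jdk17u'`). The unquoted `-Path $HOME/vs2017.exe` also only works while `$HOME` contains no spaces; `-Path "$HOME/vs2017.exe"` is the safer spelling in both steps.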
36 changes: 33 additions & 3 deletions build-farm/platform-specific-configurations/linux.sh
Expand Up @@ -51,14 +51,44 @@ function locateDragonwell8BootJDK()
else
echo Dragonwell 8 requires a Dragonwell boot JDK - downloading one ...
mkdir -p "$PWD/jdk-8"
# if [ "$(uname -m)" = "x86_64" ]; then
# curl -L "https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.11.12_jdk8u332-ga/Alibaba_Dragonwell_8.11.12_x64_linux.tar.gz" | tar xpzf - --strip-components=1 -C "$PWD/jdk-8"
# elif [ "$(uname -m)" = "aarch64" ]; then
# curl -L "https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.8.9_jdk8u302-ga/Alibaba_Dragonwell_8.8.9_aarch64_linux.tar.gz" | tar xpzf - --strip-components=1 -C "$PWD/jdk-8"
# else
# echo "Unknown architecture $(uname -m) for building Dragonwell - cannot download boot JDK"
# exit 1
# fi
## Secure Dragonwell Downloads By Validating Checksums
if [ "$(uname -m)" = "x86_64" ]; then
curl -L "https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.11.12_jdk8u332-ga/Alibaba_Dragonwell_8.11.12_x64_linux.tar.gz" | tar xpzf - --strip-components=1 -C "$PWD/jdk-8"
DOWNLOAD_URL="https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.11.12_jdk8u332-ga/Alibaba_Dragonwell_8.11.12_x64_linux.tar.gz"
EXPECTED_SHA256="E03923f200dffddf9eee2aadc0c495674fe0b87cc2eece94a9a8dec84812d12bd"
elif [ "$(uname -m)" = "aarch64" ]; then
curl -L "https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.8.9_jdk8u302-ga/Alibaba_Dragonwell_8.8.9_aarch64_linux.tar.gz" | tar xpzf - --strip-components=1 -C "$PWD/jdk-8"
DOWNLOAD_URL="https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.8.9_jdk8u302-ga/Alibaba_Dragonwell_8.8.9_aarch64_linux.tar.gz"
EXPECTED_SHA256="ff0594f36d13883972ca0b302d35cca5099f10b8be54c70c091f626e4e308774"
else
echo "Unknown architecture $(uname -m) for building Dragonwell - cannot download boot JDK"
exit 1
fi
# Download the file and calculate its SHA256 checksum
TMP_FILE=$(mktemp)
curl -L "$DOWNLOAD_URL" -o "$TMP_FILE"

# Calculate the SHA256 checksum of the downloaded file
ACTUAL_SHA256=$(sha256sum "$TMP_FILE" | awk '{print $1}')

# Compare the actual and expected SHA256 checksums
if [ "$ACTUAL_SHA256" != "$EXPECTED_SHA256" ]; then
echo "Checksum verification failed for downloaded file!"
rm "$TMP_FILE"
exit 1
fi

# Extract the downloaded file
tar xpzf "$TMP_FILE" --strip-components=1 -C "$PWD/jdk-8"

# Clean up the temporary file
rm "$TMP_FILE"
export "${BOOT_JDK_VARIABLE}"="$PWD/jdk-8"
fi
}
Expand Down Expand Up @@ -333,7 +363,7 @@ if [[ "${CONFIGURE_ARGS}" =~ .*"--with-devkit=".* ]]; then
echo "Using gcc from DevKit toolchain specified in configure args"
elif [[ "${BUILD_ARGS}" =~ .*"--use-adoptium-devkit".* ]]; then
echo "Using gcc from Adoptium DevKit toolchain specified in --use-adoptium-devkit build args"
else
else
if [ "${VARIANT}" == "${BUILD_VARIANT_DRAGONWELL}" ] && [ "$JAVA_FEATURE_VERSION" -eq 11 ] && [ -r /usr/local/gcc9/ ] && [ "${ARCHITECTURE}" == "aarch64" ]; then
# GCC9 rather than 10 requested by Alibaba for now
# Ref https://github.com/adoptium/temurin-build/issues/2250#issuecomment-732958466
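Review bot: The x86_64 `EXPECTED_SHA256` in the first hunk is 65 characters long and begins with an uppercase `E`, while `sha256sum` prints 64 lowercase hex digits, so `if [ "$ACTUAL_SHA256" != "$EXPECTED_SHA256" ]` can never pass on x86_64 and locateDragonwell8BootJDK will exit 1 after every download. The value looks like a copy error; replace it with the 64-digit lowercase digest re-taken from the upstream release artifact (`EXPECTED_SHA256="<sha256 of Alibaba_Dragonwell_8.11.12_x64_linux.tar.gz>"`) and compare its shape with the aarch64 value, which has the expected form. Two smaller points: `curl -L "$DOWNLOAD_URL" -o "$TMP_FILE"` should be `curl -fL` so an HTTP error page is rejected as a download failure rather than surfacing as a checksum mismatch, and the nine commented-out lines above the new block duplicate the live code and can be dropped. The function begins before the hunk.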
7 changes: 7 additions & 0 deletions docker/buildDocker.sh
Expand Up @@ -129,6 +129,13 @@ useEclipseOpenJ9DockerFiles()
mkdir -p "$dockerfileDir"
cd "$dockerfileDir" || { echo "Dockerfile directory ($dockerfileDir) was not found"; exit 3; }
getFile https://raw.githubusercontent.com/eclipse-openj9/openj9/master/buildenv/docker/mkdocker.sh mkdocker.sh
MKDOCK_SHA="a09a00c2beb9c53985b4c3ed6fb62825d90808775941ab56417bef75a575be55"
mkd_downloaded_sha=$(sha256sum mkdocker.sh | awk '{print $1}')
if [ "$mkd_downloaded_sha" != "$MKDOCK_SHA" ]; then
echo "ERROR: SHA256 checksum mismatch for mkdocker.sh"
exit 1
fi

chmod +x mkdocker.sh
# Generate an Ubuntu1804 Dockerfile using mkdocker.sh
"$dockerfileDir/mkdocker.sh" --dist=ubuntu --version=18 --print >> "$dockerfileDir/Dockerfile"
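Review bot: `MKDOCK_SHA` pins a checksum while the `getFile` line above it still fetches mkdocker.sh from the `master` branch of eclipse-openj9/openj9, so the first upstream edit to that file turns every build into a hard "SHA256 checksum mismatch" failure, and updating the hash then means trusting whatever master holds at that moment. Fetch the script from an immutable ref and pin the hash to that, e.g. `getFile https://raw.githubusercontent.com/eclipse-openj9/openj9/<pinned-commit>/buildenv/docker/mkdocker.sh mkdocker.sh` with `MKDOCK_SHA` taken from the same commit. On mismatch the unverified file is also left behind in `$dockerfileDir`; `rm -f mkdocker.sh` before `exit 1` keeps a later step from picking it up. useEclipseOpenJ9DockerFiles continues outside the hunk.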
45 changes: 34 additions & 11 deletions tooling/reproducible/linux_repro_build_compare.sh
Expand Up @@ -21,7 +21,9 @@ set -e
SBOM_PARAM=$1
JDK_PARAM=$2
ANT_VERSION=1.10.5
ANT_SHA=9028e2fc64491cca0f991acc09b06ee7fe644afe41d1d6caf72702ca25c4613c
ANT_CONTRIB_VERSION=1.0b3
ANT_CONTRIB_SHA=4d93e07ae6479049bb28071b069b7107322adaee5b70016674a0bffd4aac47f9
isJdkDir=false

installPrereqs() {
Expand All @@ -31,24 +33,45 @@ installPrereqs() {
yum install -y git bzip2 xz openssl pigz which jq # pigz/which not strictly needed but help in final compression
if grep -i release.6 /etc/redhat-release; then
if [ ! -r /usr/local/bin/autoconf ]; then
curl https://ftp.gnu.org/gnu/autoconf/autoconf-2.69.tar.gz | tar xpfz - || exit 1
(cd autoconf-2.69 && ./configure --prefix=/usr/local && make install)
curl --output ./autoconf-2.69.tar.gz https://ftp.gnu.org/gnu/autoconf/autoconf-2.69.tar.gz
ACSHA256=954bd69b391edc12d6a4a51a2dd1476543da5c6bbf05a95b59dc0dd6fd4c2969
ACCHKSHA=$(sha256sum ./autoconf-2.69.tar.gz|cut -d" " -f1)
if [ "$ACSHA256" = "$ACCHKSHA" ]; then
echo "Hi"
tar xpfz ./autoconf-2.69.tar.gz || exit 1
(cd autoconf-2.69 && ./configure --prefix=/usr/local && make install)
else
echo "ERROR - Checksum For AutoConf Download Is Incorrect"
exit 1;
fi
fi
fi
fi
}

# ant required for --create-sbom
downloadAnt() {
if [ ! -r /usr/local/apache-ant-${ANT_VERSION}/bin/ant ]; then
echo Downloading ant for SBOM creation:
curl https://archive.apache.org/dist/ant/binaries/apache-ant-${ANT_VERSION}-bin.zip > /tmp/apache-ant-${ANT_VERSION}-bin.zip
(cd /usr/local && unzip -qn /tmp/apache-ant-${ANT_VERSION}-bin.zip)
rm /tmp/apache-ant-${ANT_VERSION}-bin.zip
echo Downloading ant-contrib-${ANT_CONTRIB_VERSION}:
curl -L https://sourceforge.net/projects/ant-contrib/files/ant-contrib/${ANT_CONTRIB_VERSION}/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip > /tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip
(unzip -qnj /tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip ant-contrib/ant-contrib-${ANT_CONTRIB_VERSION}.jar -d /usr/local/apache-ant-${ANT_VERSION}/lib)
rm /tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip
if [ ! -r "/usr/local/apache-ant-${ANT_VERSION}/bin/ant" ]; then
echo "Downloading ant for SBOM creation..."
curl -o "/tmp/apache-ant-${ANT_VERSION}-bin.zip" "https://archive.apache.org/dist/ant/binaries/apache-ant-${ANT_VERSION}-bin.zip"
ANTCHKSHA=$(sha256sum "/tmp/apache-ant-${ANT_VERSION}-bin.zip" | cut -d" " -f1)
if [ "$ANT_SHA" = "$ANTCHKSHA" ]; then
(cd /usr/local && unzip -qn "/tmp/apache-ant-${ANT_VERSION}-bin.zip")
rm "/tmp/apache-ant-${ANT_VERSION}-bin.zip"
else
echo "ERROR - Checksum for Ant download is incorrect"
exit 1
fi
echo "Downloading ant-contrib-${ANT_CONTRIB_VERSION}..."
curl -Lo "/tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip" "https://sourceforge.net/projects/ant-contrib/files/ant-contrib/${ANT_CONTRIB_VERSION}/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip"
ANTCTRCHKSHA=$(sha256sum "/tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip" | cut -d" " -f1)
if [ "$ANT_CONTRIB_SHA" = "$ANTCTRCHKSHA" ]; then
(unzip -qnj "/tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip" "ant-contrib/ant-contrib-${ANT_CONTRIB_VERSION}.jar" -d "/usr/local/apache-ant-${ANT_VERSION}/lib")
rm "/tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip"
else
echo "ERROR - Checksum for Ant Contrib download is incorrect"
exit 1
fi
fi
}
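Review bot: `echo "Hi"` on the success branch of the new autoconf checksum check in installPrereqs is leftover debug output; remove it or replace it with a meaningful message such as `echo "Autoconf checksum verified, extracting..."`. In downloadAnt both mismatch branches `exit 1` but leave the unverified zip in /tmp; `rm -f "/tmp/apache-ant-${ANT_VERSION}-bin.zip"` (and the ant-contrib counterpart) before exiting avoids a stale file being reused on a retry. The autoconf `curl --output` call has no `-f`, so an HTTP error page would be hashed and reported as a bad checksum instead of a download failure; `curl -f --output ...` gives the clearer diagnostic. The trailing semicolon in `exit 1;` is a style nit.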

