Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Verify sha256 of downloaded zip #111

Merged
merged 5 commits into from
Aug 15, 2023
Merged

Verify sha256 of downloaded zip #111

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
d1ef435
wip
borkdude Aug 14, 2023
b8eec0f
fini
borkdude Aug 14, 2023
3b8f647
fixez Windows
borkdude Aug 14, 2023
9fa0900
v1.11.1.1403
borkdude Aug 14, 2023
49de81d
clean sha file
borkdude Aug 14, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,12 +10,13 @@ DEPS_CLJ_TOOLS_VERSION=1.11.1.1165 bb clojure

[deps.clj](https://github.com/borkdude/deps.clj): a faithful port of the clojure CLI bash script to Clojure

## 1.11.1.1386
## 1.11.1.1403

- [#104](https://github.com/borkdude/deps.clj/issues/104): print repl-aliases in -Sdescribe
- Make installation of tools jar more robust using transaction file
- [#106](https://github.com/borkdude/deps.clj/issues/106): System deps.edn should be extracted on tools install
- Download tools jar from new Github releases link
- Verify downloaded zip file with .sha256 file

## 1.11.1.1347

Expand Down
68 changes: 50 additions & 18 deletions deps.bat
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@
;; see https://github.com/clojure/brew-install/blob/1.11.1/CHANGELOG.md
(def ^:private version
(delay (or (System/getenv "DEPS_CLJ_TOOLS_VERSION")
"1.11.1.1386")))
"1.11.1.1403")))

(def ^:private cache-version "4")

Expand Down Expand Up @@ -386,15 +386,19 @@ For more info, see:
commit (-> (str/split version #"\.")
last
(Long/parseLong))
github-release? (>= commit 1386)]
github-release? (>= commit 1386)
verify-sha256 (>= commit 1403)
url (if github-release?
(format "https://github.com/clojure/brew-install/releases/download/%s/clojure-tools.zip" version)
(format "https://download.clojure.org/install/clojure-tools-%s.zip" version))]
{:ct-base-dir "ClojureTools"
:ct-error-exit-code 99
:ct-aux-files-names ["exec.jar" "example-deps.edn" "tools.edn"]
:ct-jar-name (format "clojure-tools-%s.jar" version)
:ct-url-str (if github-release?
(format "https://github.com/clojure/brew-install/releases/download/%s/clojure-tools.zip" version)
(format "https://download.clojure.org/install/clojure-tools-%s.zip" version))
:ct-zip-name "clojure-tools.zip"})))
:ct-url-str url
:ct-zip-name "clojure-tools.zip"
:sha256-url-str (when verify-sha256
(str url ".sha256"))})))

(def zip-invalid-msg
(str/join \n
Expand Down Expand Up @@ -500,7 +504,7 @@ public class ClojureToolsDownloader {
"Downloads `:url` zip file to `:dest` by invoking `java` with
`:proxy` options on a `.java` program file, and returns true on
success. Requires Java 11+ (JEP 330)."
[{:keys [url dest proxy-opts clj-jvm-opts]}]
[{:keys [url dest proxy-opts clj-jvm-opts sha256-url]}]
(let [dest-dir (.getCanonicalPath (io/file dest ".."))
dlr-path (clojure-tools-java-downloader-spit dest-dir)
java-cmd [(get-java-cmd) "-XX:-OmitStackTraceInFastThrow"]
Expand All @@ -513,6 +517,11 @@ public class ClojureToolsDownloader {
clj-jvm-opts
(proxy-jvm-opts proxy-opts)
[dlr-path url (str dest)]))})
(when sha256-url
(*aux-process-fn* {:cmd (vec (concat java-cmd
clj-jvm-opts
(proxy-jvm-opts proxy-opts)
[dlr-path sha256-url (str dest ".sha256")]))}))
(io/delete-file dlr-path true)
@success?*)))

Expand Down Expand Up @@ -544,27 +553,50 @@ public class ClojureToolsDownloader {
It calls `*exit-fn*` if it cannot download the archive, with
instructions how to manually download it."
[{:keys [out-dir debug proxy-opts clj-jvm-opts config-dir]}]
(let [{:keys [ct-error-exit-code ct-url-str ct-zip-name]} @clojure-tools-info*
(let [{:keys [ct-error-exit-code ct-url-str ct-zip-name sha256-url-str]} @clojure-tools-info*
dir (io/file out-dir)
zip-file (io/file out-dir ct-zip-name)
sha256-file (io/file (str zip-file ".sha256"))
transaction-start (io/file out-dir "TRANSACTION_START")]
(io/make-parents transaction-start)
(spit transaction-start "")
(when-not (.exists zip-file)
(warn "Downloading" ct-url-str "to" (str zip-file))
(or (when *clojure-tools-download-fn*
(when debug (warn "Attempting download using custom download function..."))
(*clojure-tools-download-fn* {:url ct-url-str :dest (str zip-file) :proxy-opts proxy-opts :clj-jvm-opts clj-jvm-opts}))
(when (seq clj-jvm-opts)
(when debug (warn "Attempting download using java subprocess... (requires Java11+)"))
(clojure-tools-download-java! {:url ct-url-str :dest (str zip-file) :proxy-opts proxy-opts :clj-jvm-opts clj-jvm-opts}))
(do (when debug (warn "Attempting direct download..."))
(clojure-tools-download-direct! {:url ct-url-str :dest zip-file}))
(let [res (or (when *clojure-tools-download-fn*
(when debug (warn "Attempting download using custom download function..."))
(*clojure-tools-download-fn* {:url ct-url-str :dest (str zip-file) :proxy-opts proxy-opts :clj-jvm-opts clj-jvm-opts :sha256-url sha256-url-str}))
(when (seq clj-jvm-opts)
(prn :via-java)
(when debug (warn "Attempting download using java subprocess... (requires Java11+)"))
(clojure-tools-download-java! {:url ct-url-str :dest (str zip-file) :proxy-opts proxy-opts :clj-jvm-opts clj-jvm-opts :sha256-url sha256-url-str}))
(do (when debug (warn "Attempting direct download..."))
(prn :via-tools-download-direct)
(let [res (clojure-tools-download-direct! {:url ct-url-str :dest zip-file})]
(when sha256-url-str
(clojure-tools-download-direct! {:url sha256-url-str :dest (str zip-file ".sha256")}))
res))
(*exit-fn* {:exit ct-error-exit-code
:message (str "Error: Cannot download Clojure tools."
" Please download manually from " ct-url-str
" to " (str (io/file dir ct-zip-name)))})
::passthrough)]
(when (and sha256-url-str (not *clojure-tools-download-fn*) (not (.exists sha256-file)) (not= ::passthrough res))
(*exit-fn* {:exit ct-error-exit-code
:message (str "Error: Cannot download Clojure tools."
:message (str "Expected sha256 file to be downloaded to: " sha256-file)}))))
(when (.exists sha256-file)
(let [sha (str/trim (slurp sha256-file))
bytes (Files/readAllBytes (.toPath zip-file))
hash (-> (java.security.MessageDigest/getInstance "SHA-256")
(.digest bytes))
hash (-> (new BigInteger 1 hash)
(.toString 16))]
(if-not (= sha hash)
(*exit-fn* {:exit ct-error-exit-code
:message (str "Error: sha256 of zip and expected sha256 do not match: "
hash " vs. " sha "\n"
" Please download manually from " ct-url-str
" to " (str (io/file dir ct-zip-name)))})
{:url ct-url-str :out-dir (str dir)}))
(.delete sha256-file))))
(warn "Unzipping" (str zip-file) "...")
(unzip zip-file (.getPath dir))
(.delete zip-file)
Expand Down
68 changes: 50 additions & 18 deletions deps.clj
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@
;; see https://github.com/clojure/brew-install/blob/1.11.1/CHANGELOG.md
(def ^:private version
(delay (or (System/getenv "DEPS_CLJ_TOOLS_VERSION")
"1.11.1.1386")))
"1.11.1.1403")))

(def ^:private cache-version "4")

Expand Down Expand Up @@ -381,15 +381,19 @@ For more info, see:
commit (-> (str/split version #"\.")
last
(Long/parseLong))
github-release? (>= commit 1386)]
github-release? (>= commit 1386)
verify-sha256 (>= commit 1403)
url (if github-release?
(format "https://github.com/clojure/brew-install/releases/download/%s/clojure-tools.zip" version)
(format "https://download.clojure.org/install/clojure-tools-%s.zip" version))]
{:ct-base-dir "ClojureTools"
:ct-error-exit-code 99
:ct-aux-files-names ["exec.jar" "example-deps.edn" "tools.edn"]
:ct-jar-name (format "clojure-tools-%s.jar" version)
:ct-url-str (if github-release?
(format "https://github.com/clojure/brew-install/releases/download/%s/clojure-tools.zip" version)
(format "https://download.clojure.org/install/clojure-tools-%s.zip" version))
:ct-zip-name "clojure-tools.zip"})))
:ct-url-str url
:ct-zip-name "clojure-tools.zip"
:sha256-url-str (when verify-sha256
(str url ".sha256"))})))

(def zip-invalid-msg
(str/join \n
Expand Down Expand Up @@ -495,7 +499,7 @@ public class ClojureToolsDownloader {
"Downloads `:url` zip file to `:dest` by invoking `java` with
`:proxy` options on a `.java` program file, and returns true on
success. Requires Java 11+ (JEP 330)."
[{:keys [url dest proxy-opts clj-jvm-opts]}]
[{:keys [url dest proxy-opts clj-jvm-opts sha256-url]}]
(let [dest-dir (.getCanonicalPath (io/file dest ".."))
dlr-path (clojure-tools-java-downloader-spit dest-dir)
java-cmd [(get-java-cmd) "-XX:-OmitStackTraceInFastThrow"]
Expand All @@ -508,6 +512,11 @@ public class ClojureToolsDownloader {
clj-jvm-opts
(proxy-jvm-opts proxy-opts)
[dlr-path url (str dest)]))})
(when sha256-url
(*aux-process-fn* {:cmd (vec (concat java-cmd
clj-jvm-opts
(proxy-jvm-opts proxy-opts)
[dlr-path sha256-url (str dest ".sha256")]))}))
(io/delete-file dlr-path true)
@success?*)))

Expand Down Expand Up @@ -539,27 +548,50 @@ public class ClojureToolsDownloader {
It calls `*exit-fn*` if it cannot download the archive, with
instructions how to manually download it."
[{:keys [out-dir debug proxy-opts clj-jvm-opts config-dir]}]
(let [{:keys [ct-error-exit-code ct-url-str ct-zip-name]} @clojure-tools-info*
(let [{:keys [ct-error-exit-code ct-url-str ct-zip-name sha256-url-str]} @clojure-tools-info*
dir (io/file out-dir)
zip-file (io/file out-dir ct-zip-name)
sha256-file (io/file (str zip-file ".sha256"))
transaction-start (io/file out-dir "TRANSACTION_START")]
(io/make-parents transaction-start)
(spit transaction-start "")
(when-not (.exists zip-file)
(warn "Downloading" ct-url-str "to" (str zip-file))
(or (when *clojure-tools-download-fn*
(when debug (warn "Attempting download using custom download function..."))
(*clojure-tools-download-fn* {:url ct-url-str :dest (str zip-file) :proxy-opts proxy-opts :clj-jvm-opts clj-jvm-opts}))
(when (seq clj-jvm-opts)
(when debug (warn "Attempting download using java subprocess... (requires Java11+)"))
(clojure-tools-download-java! {:url ct-url-str :dest (str zip-file) :proxy-opts proxy-opts :clj-jvm-opts clj-jvm-opts}))
(do (when debug (warn "Attempting direct download..."))
(clojure-tools-download-direct! {:url ct-url-str :dest zip-file}))
(let [res (or (when *clojure-tools-download-fn*
(when debug (warn "Attempting download using custom download function..."))
(*clojure-tools-download-fn* {:url ct-url-str :dest (str zip-file) :proxy-opts proxy-opts :clj-jvm-opts clj-jvm-opts :sha256-url sha256-url-str}))
(when (seq clj-jvm-opts)
(prn :via-java)
(when debug (warn "Attempting download using java subprocess... (requires Java11+)"))
(clojure-tools-download-java! {:url ct-url-str :dest (str zip-file) :proxy-opts proxy-opts :clj-jvm-opts clj-jvm-opts :sha256-url sha256-url-str}))
(do (when debug (warn "Attempting direct download..."))
(prn :via-tools-download-direct)
(let [res (clojure-tools-download-direct! {:url ct-url-str :dest zip-file})]
(when sha256-url-str
(clojure-tools-download-direct! {:url sha256-url-str :dest (str zip-file ".sha256")}))
res))
(*exit-fn* {:exit ct-error-exit-code
:message (str "Error: Cannot download Clojure tools."
" Please download manually from " ct-url-str
" to " (str (io/file dir ct-zip-name)))})
::passthrough)]
(when (and sha256-url-str (not *clojure-tools-download-fn*) (not (.exists sha256-file)) (not= ::passthrough res))
(*exit-fn* {:exit ct-error-exit-code
:message (str "Error: Cannot download Clojure tools."
:message (str "Expected sha256 file to be downloaded to: " sha256-file)}))))
(when (.exists sha256-file)
(let [sha (str/trim (slurp sha256-file))
bytes (Files/readAllBytes (.toPath zip-file))
hash (-> (java.security.MessageDigest/getInstance "SHA-256")
(.digest bytes))
hash (-> (new BigInteger 1 hash)
(.toString 16))]
(if-not (= sha hash)
(*exit-fn* {:exit ct-error-exit-code
:message (str "Error: sha256 of zip and expected sha256 do not match: "
hash " vs. " sha "\n"
" Please download manually from " ct-url-str
" to " (str (io/file dir ct-zip-name)))})
{:url ct-url-str :out-dir (str dir)}))
(.delete sha256-file))))
(warn "Unzipping" (str zip-file) "...")
(unzip zip-file (.getPath dir))
(.delete zip-file)
Expand Down
2 changes: 1 addition & 1 deletion resources/DEPS_CLJ_VERSION
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1 +1 @@
1.11.1.1386
1.11.1.1403
Loading