From b2b08569085694c977c5438e7b187e3bb807832a Mon Sep 17 00:00:00 2001 From: Michael Eischer Date: Mon, 2 Oct 2023 19:09:34 +0200 Subject: [PATCH] Add helper script to verify release binaries The script checks that the released binaries and the container binaries can be reproduced. --- helpers/verify-release-binaries.sh | 133 +++++++++++++++++++++++++++++ 1 file changed, 133 insertions(+) create mode 100755 helpers/verify-release-binaries.sh diff --git a/helpers/verify-release-binaries.sh b/helpers/verify-release-binaries.sh new file mode 100755 index 000000000..a41885862 --- /dev/null +++ b/helpers/verify-release-binaries.sh @@ -0,0 +1,133 @@ +#!/bin/bash + +set -euo pipefail + +if [[ $# -lt 2 ]]; then + echo "Usage: $0 restic_version go_version" + exit 1 +fi + +restic_version="$1" +go_version="$2" + +# invalid if zero +is_valid=1 + +tmpdir="$(mktemp -d -p .)" +cd "${tmpdir}" +echo -e "Running checks in ${tmpdir}\n" + +highlight() { + echo "@@${1//?/@}@@" + echo "@ ${1} @" + echo "@@${1//?/@}@@" +} + + +highlight "Verifying release self-consistency" + +curl -OLSs https://github.com/restic/restic/releases/download/v${restic_version}/restic-${restic_version}.tar.gz.asc +# tarball is downloaded while processing the SHA256SUMS +curl -OLSs https://github.com/restic/restic/releases/download/v${restic_version}/SHA256SUMS.asc +curl -OLSs https://github.com/restic/restic/releases/download/v${restic_version}/SHA256SUMS + +export GNUPGHOME=$PWD/gnupg +mkdir -p 700 $GNUPGHOME +curl -OLSs https://restic.net/gpg-key-alex.asc +gpg --import gpg-key-alex.asc +gpg --verify SHA256SUMS.asc SHA256SUMS + +for i in $(cat SHA256SUMS | cut -d " " -f 3 ) ; do + echo "Downloading $i" + curl -OLSs https://github.com/restic/restic/releases/download/v${restic_version}/"$i" +done +shasum -a256 -c SHA256SUMS || echo "WARNING: RELEASE BINARIES DO NOT MATCH SHA256SUMS!" && is_valid=0 +gpg --verify restic-${restic_version}.tar.gz.asc restic-${restic_version}.tar.gz +# TODO verify that the release does not contain any unexpected files + + +highlight "Verifying tarball matches tagged commit" + +tar xzf "restic-${restic_version}.tar.gz" +git clone -b "v${restic_version}" https://github.com/restic/restic.git +rm -rf restic/.git +diff -r restic restic-${restic_version} + + +highlight "Regenerating builder container" + +git clone https://github.com/restic/builder.git +docker pull debian:stable +docker build --no-cache -t restic/builder:tmp --build-arg GO_VERSION=${go_version} builder + + +highlight "Reproducing release binaries" + +mkdir output +docker run --rm \ + --volume "$PWD/restic-${restic_version}:/restic" \ + --volume "$PWD/output:/output" \ + restic/builder:tmp \ + go run helpers/build-release-binaries/main.go --version "${restic_version}" + +cp "restic-${restic_version}.tar.gz" output +cp SHA256SUMS output + +# check that all release binaries have been reproduced successfully +(cd output && shasum -a256 -c SHA256SUMS) || echo "WARNING: REPRODUCED BINARIES DO NOT MATCH RELEASE BINARIES!" && is_valid=0 +# and that the SHA256SUMS files does not miss binaries +for i in output/restic* ; do grep "$(basename "$i")" SHA256SUMS > /dev/null || echo "WARNING: $i MISSING FROM RELEASE SHA256SUMS FILE!" && is_valid=0 ; done + + +extract_docker() { + image=$1 + docker_platform=$2 + restic_platform=$3 + out=restic_${restic_version}_linux_${restic_platform}.bz2 + + docker image pull --platform "linux/${docker_platform}" ${image}:${restic_version} > /dev/null + docker image save ${image}:${restic_version} -o docker.tar + + mkdir img + tar xvf docker.tar -C img --wildcards \*/layer.tar > /dev/null + rm docker.tar + for i in img/*/layer.tar; do + tar -xvf "$i" -C img usr/bin/restic 2> /dev/null 1>&2 || true + if [[ -f img/usr/bin/restic ]]; then + if [[ -f restic-docker ]]; then + echo "WARNING: CONTAINER CONTAINS MULTIPLE RESTIC BINARIES" + is_valid=0 + fi + mv img/usr/bin/restic restic-docker + fi + done + + rm -rf img + bzip2 restic-docker + mv restic-docker.bz2 docker/${out} + grep ${out} SHA256SUMS >> docker/SHA256SUMS +} + +ctr=0 +for img in restic/restic ghcr.io/restic/restic; do + highlight "Verifying binaries in docker containers from $img" + mkdir docker + + extract_docker "$img" arm/v7 arm + extract_docker "$img" arm64 arm64 + extract_docker "$img" 386 386 + extract_docker "$img" amd64 amd64 + + (cd docker && shasum -a256 -c SHA256SUMS) || echo "WARNING: DOCKER CONTAINER DOES NOT CONTAIN RELEASE BINARIES!" && is_valid=0 + + mv docker docker-$(( ctr++ )) +done + + +if [[ $is_valid -ne 1 ]]; then + highlight "Failed to reproduce some binaries, check the script output for details" + exit 1 +else + cd .. + rm -rf "${tmpdir}" +fi