envoy: validate binary checksum (#1908)

* envoy: validate binary checksum * address comments * change to info * fix order
2025-05-10 07:37:33 +02:00 · 2021-02-18 15:22:46 -07:00 · 2021-02-18 15:22:46 -07:00 · b1871b0f2e
commit b1871b0f2e
parent cc5335bd7f
6 changed files with 102 additions and 31 deletions
--- a/scripts/embed-envoy.bash
+++ b/scripts/embed-envoy.bash
@ -2,42 +2,16 @@
 set -euo pipefail

 BINARY=$1
-
-ENVOY_VERSION=1.16.2
 DIR=$(dirname "${BINARY}")
-TARGET="${TARGET:-"$(go env GOOS)_$(go env GOARCH)"}"
-
-if [[ "${TARGET}" == darwin_* ]]; then
-  ENVOY_PLATFORM="darwin"
-elif [[ "${TARGET}" == linux_* ]]; then
-  ENVOY_PLATFORM="linux_glibc"
-else
-  echo "unsupported TARGET: ${TARGET}"
-  exit 1
-fi
-
-## TODO we should be able to replace this with a utility that consumes
-## https://godoc.org/github.com/tetratelabs/getenvoy/pkg/binary/envoy
-## https://golang.org/pkg/archive/zip/#Writer.SetOffset
-export PATH=$PATH:$(go env GOPATH)/bin
-if [ "$TARGET" == "linux_arm64" ]; then
-  ENVOY_PATH="$DIR/$TARGET"
-  mkdir -p "$ENVOY_PATH"
-  curl -L -o "$ENVOY_PATH/envoy" https://github.com/pomerium/envoy-binaries/releases/download/v${ENVOY_VERSION}/envoy-linux-arm64
-else
-  env HOME="${DIR}" getenvoy fetch standard:${ENVOY_VERSION}/${ENVOY_PLATFORM}
-  ENVOY_PATH=${DIR}/.getenvoy/builds/standard/${ENVOY_VERSION}/${ENVOY_PLATFORM}/bin
-fi
-ARCHIVE="${ENVOY_PATH}/envoy.zip"

 (
-  cd "${ENVOY_PATH}"
+  cd "$DIR"
  zip envoy.zip envoy
 )

-echo "appending ${ARCHIVE} to ${BINARY}"
+echo "appending $DIR/envoy.zip to ${BINARY}"

 if [ "$(unzip -z -qq "$BINARY" 2>&1)" != "" ]; then
-  cat "${ARCHIVE}" >>"${BINARY}"
+  cat "$DIR/envoy.zip" >>"${BINARY}"
 fi
 zip -A "${BINARY}"
--- a/scripts/get-envoy.bash
+++ b/scripts/get-envoy.bash
@ -0,0 +1,54 @@
+#!/bin/bash
+set -euo pipefail
+
+PATH="$PATH:$(go env GOPATH)/bin"
+export PATH
+
+_envoy_version=1.16.2
+_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)/../bin"
+_target="${TARGET:-"$(go env GOOS)_$(go env GOARCH)"}"
+
+if [[ "${_target}" == darwin_* ]]; then
+    _envoy_platform="darwin"
+elif [[ "${_target}" == linux_* ]]; then
+    _envoy_platform="linux_glibc"
+else
+    echo "unsupported TARGET: ${_target}"
+    exit 1
+fi
+
+is_command() {
+    command -v "$1" >/dev/null
+}
+
+hash_sha256() {
+    TARGET=${1:-/dev/stdin}
+    if is_command gsha256sum; then
+        hash=$(gsha256sum "$TARGET") || return 1
+        echo "$hash" | cut -d ' ' -f 1
+    elif is_command sha256sum; then
+        hash=$(sha256sum "$TARGET") || return 1
+        echo "$hash" | cut -d ' ' -f 1
+    elif is_command shasum; then
+        hash=$(shasum -a 256 "$TARGET" 2>/dev/null) || return 1
+        echo "$hash" | cut -d ' ' -f 1
+    elif is_command openssl; then
+        hash=$(openssl -dst openssl dgst -sha256 "$TARGET") || return 1
+        echo "$hash" | cut -d ' ' -f a
+    else
+        echo "hash_sha256 unable to find command to compute sha-256 hash"
+        return 1
+    fi
+}
+
+mkdir -p "$_dir"
+
+if [ "$_target" == "linux_arm64" ]; then
+    mkdir -p "$_dir"
+    curl -L -o "$_dir/envoy" https://github.com/pomerium/envoy-binaries/releases/download/v${_envoy_version}/envoy-linux-arm64
+else
+    env HOME="$_dir" getenvoy fetch standard:${_envoy_version}/${_envoy_platform}
+    cp -f "$_dir/.getenvoy/builds/standard/${_envoy_version}/${_envoy_platform}/bin/envoy" "$_dir/envoy"
+fi
+
+hash_sha256 "$_dir/envoy" >"$_dir/envoy.sha256"