Checksum archives as well as binaries

Often, checksums are computed over the archive files as well as the extracted binaries. Verifying the archive's checksum before unpacking gives some measure of confidence that it has not been altered to exploit a tar or zip vulnerability.
This commit is contained in:
Andrew Stribblehill 2021-06-18 15:43:30 +02:00 committed by Mike Farah
parent 5df0e49b1e
commit d61b9cab65


@ -7,12 +7,13 @@ set -e
CGO_ENABLED=0 gox -ldflags "${LDFLAGS}" -output="build/yq_{{.OS}}_{{.Arch}}" --osarch="darwin/amd64 darwin/arm64 freebsd/386 freebsd/amd64 freebsd/arm linux/386 linux/amd64 linux/arm linux/arm64 linux/mips linux/mips64 linux/mips64le linux/mipsle linux/ppc64 linux/ppc64le linux/s390x netbsd/386 netbsd/amd64 netbsd/arm openbsd/386 openbsd/amd64 windows/386 windows/amd64"
cd build
find . -executable -type f | xargs -I {} tar czvf {}.tar.gz {}
rhash -r -a . -o checksums
rhash --list-hashes > checksums_hashes_order
find . -executable -type f | xargs -I {} tar czvf {}.tar.gz {}
# just in case find thinks this is executable...
rm -f checksums_hashes_order.tar.gz
rm -f checksums.tar.gz