From d61b9cab65419c1973a27cc21e448973869b3e0f Mon Sep 17 00:00:00 2001
From: Andrew Stribblehill
Date: Fri, 18 Jun 2021 15:43:30 +0200
Subject: [PATCH] Checksum archives as well as binaries

Often, checksums are based on the archive files. This gives some measure of confidence that the file won't exploit a tar or zip vulnerability.
---
 scripts/xcompile.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/scripts/xcompile.sh b/scripts/xcompile.sh
index 449de054..15996e4b 100755
--- a/scripts/xcompile.sh
+++ b/scripts/xcompile.sh
@@ -7,12 +7,13 @@ set -e
 CGO_ENABLED=0 gox -ldflags "${LDFLAGS}" -output="build/yq_{{.OS}}_{{.Arch}}" --osarch="darwin/amd64 darwin/arm64 freebsd/386 freebsd/amd64 freebsd/arm linux/386 linux/amd64 linux/arm linux/arm64 linux/mips linux/mips64 linux/mips64le linux/mipsle linux/ppc64 linux/ppc64le linux/s390x netbsd/386 netbsd/amd64 netbsd/arm openbsd/386 openbsd/amd64 windows/386 windows/amd64"
 cd build
+
+find . -executable -type f | xargs -I {} tar czvf {}.tar.gz {}
+
 rhash -r -a . -o checksums
 rhash --list-hashes > checksums_hashes_order
-find . -executable -type f | xargs -I {} tar czvf {}.tar.gz {}
-
 # just in case find thinks this is executable...
 rm -f checksums_hashes_order.tar.gz
 rm -f checksums.tar.gz