From cd3006c02053093ce42c1b423bd81afb567046ad Mon Sep 17 00:00:00 2001 From: benthecarman Date: Sat, 27 Nov 2021 11:51:34 -0600 Subject: [PATCH] Verify binary download hashes (#3849) * Update lnd to v0.14.1 * Verify binary download sha256 sums --- bitcoind-rpc/bitcoind-rpc.sbt | 75 ++++++++++++++++++++++++++++--- clightning-rpc/clightning-rpc.sbt | 27 ++++++++--- eclair-rpc/eclair-rpc.sbt | 25 +++++++++-- lnd-rpc/lnd-rpc.sbt | 30 +++++++++++-- 4 files changed, 137 insertions(+), 20 deletions(-) diff --git a/bitcoind-rpc/bitcoind-rpc.sbt b/bitcoind-rpc/bitcoind-rpc.sbt index 0f27933f2e..ccf6f6c30e 100644 --- a/bitcoind-rpc/bitcoind-rpc.sbt +++ b/bitcoind-rpc/bitcoind-rpc.sbt @@ -1,7 +1,8 @@ import java.nio.file.Files +import java.security.MessageDigest import scala.collection.JavaConverters._ import scala.concurrent.duration.DurationInt -import scala.concurrent.{Await, Future} +import scala.concurrent.{Await, Future, Promise} import scala.util.Properties name := "bitcoin-s-bitcoind-rpc" @@ -45,7 +46,6 @@ TaskKeys.downloadBitcoind := { implicit val ec = scala.concurrent.ExecutionContext.global val downloads = versions.map { version => - val versionDir = binaryDir resolve version val archiveLocation = binaryDir resolve s"$version.$suffix" val location = if (version == experimentalVersion) @@ -70,18 +70,79 @@ TaskKeys.downloadBitcoind := { s"Directory $expectedEndLocation already exists, skipping download of version $version") Future.unit } else { - Future { + // copy of FutureUtil.makeAsync + def makeAsync(func: () => Unit): Future[Unit] = { + val resultP = Promise[Unit]() + + ec.execute { () => + val result: Unit = func() + resultP.success(result) + } + + resultP.future + } + + makeAsync { () => logger.info( s"Downloading bitcoind version $version from location: $location") logger.info(s"Placing the file in $archiveLocation") val downloadCommand = url(location) #> archiveLocation.toFile downloadCommand.!! - logger.info(s"Download complete, unzipping result") + val bytes = Files.readAllBytes(archiveLocation) + val hash = MessageDigest + .getInstance("SHA-256") + .digest(bytes) + .map("%02x" format _) + .mkString - val extractCommand = s"tar -xzf $archiveLocation --directory $binaryDir" - logger.info(s"Extracting archive with command: $extractCommand") - extractCommand.!! + val expectedHash = + if (Properties.isLinux) + Map( + "22.0" -> "59ebd25dd82a51638b7a6bb914586201e67db67b919b2a1ff08925a7936d1b16", + "0.21.1" -> "366eb44a7a0aa5bd342deea215ec19a184a11f2ca22220304ebb20b9c8917e2b", + "0.20.1" -> "376194f06596ecfa40331167c39bc70c355f960280bd2a645fdbf18f66527397", + "0.19.0.1" -> "732cc96ae2e5e25603edf76b8c8af976fe518dd925f7e674710c6c8ee5189204", + "0.18.1" -> "600d1db5e751fa85903e935a01a74f5cc57e1e7473c15fd3e17ed21e202cfe5a", + "0.17.0.1" -> "6ccc675ee91522eee5785457e922d8a155e4eb7d5524bd130eb0ef0f0c4a6008", + "0.16.3" -> "5d422a9d544742bc0df12427383f9c2517433ce7b58cf672b9a9b17c2ef51e4f", + experimentalVersion -> "f8b1a0ded648249e5e8c14fca3e11a733da8172b05523922c87557ea5eaaa4c5" + ) + else if (Properties.isMac) + Map( + "22.0" -> "2744d199c3343b2d94faffdfb2c94d75a630ba27301a70e47b0ad30a7e0155e9", + "0.21.1" -> "1ea5cedb64318e9868a66d3ab65de14516f9ada53143e460d50af428b5aec3c7", + "0.20.1" -> "b9024dde373ea7dad707363e07ec7e265383204127539ae0c234bff3a61da0d1", + "0.19.0.1" -> "a64e4174e400f3a389abd76f4d6b1853788730013ab1dedc0e64b0a0025a0923", + "0.18.1" -> "b7bbcee7a7540f711b171d6981f939ca8482005fde22689bc016596d80548bb1", + "0.17.0.1" -> "3b1fb3dd596edb656bbc0c11630392e201c1a4483a0e1a9f5dd22b6556cbae12", + "0.16.3" -> "78c3bff3b619a19aed575961ea43cc9e142959218835cf51aede7f0b764fc25d", + experimentalVersion -> "cfd4ed0b8db08fb1355aca44ca282b1de31e83b5862efaac527e3952b0987e55" + ) + else if (Properties.isWin) + Map( + "22.0" -> "9485e4b52ed6cebfe474ab4d7d0c1be6d0bb879ba7246a8239326b2230a77eb1", + "0.21.1" -> "94c80f90184cdc7e7e75988a55b38384de262336abd80b1b30121c6e965dc74e", + "0.20.1" -> "e59fba67afce011d32b5d723a3a0be12da1b8a34f5d7966e504520c48d64716d", + "0.19.0.1" -> "7706593de727d893e4b1e750dc296ea682ccee79acdd08bbc81eaacf3b3173cf", + "0.18.1" -> "b0f94ab43c068bac9c10a59cb3f1b595817256a00b84f0b724f8504b44e1314f", + "0.17.0.1" -> "2d0a0aafe5a963beb965b7645f70f973a17f4fa4ddf245b61d532f2a58449f3e", + "0.16.3" -> "52469c56222c1b5344065ef2d3ce6fc58ae42939a7b80643a7e3ee75ec237da9", + experimentalVersion -> "b7ad8e6c0b91adf820499bf891f22f590e969b834980d4910efac5b082d83c49" + ) + else sys.error(s"Unsupported OS: ${Properties.osName}") + + if (hash.equalsIgnoreCase(expectedHash(version))) { + logger.info(s"Download complete and verified, unzipping result") + + val extractCommand = + s"tar -xzf $archiveLocation --directory $binaryDir" + logger.info(s"Extracting archive with command: $extractCommand") + extractCommand.!! + } else { + logger.error( + s"Downloaded invalid version of bitcoind v$version, got $hash, expected ${expectedHash(version)}") + } logger.info(s"Deleting archive") Files.delete(archiveLocation) diff --git a/clightning-rpc/clightning-rpc.sbt b/clightning-rpc/clightning-rpc.sbt index 09afdd0ab0..ca65f32dc4 100644 --- a/clightning-rpc/clightning-rpc.sbt +++ b/clightning-rpc/clightning-rpc.sbt @@ -1,4 +1,5 @@ import java.nio.file._ +import java.security.MessageDigest import scala.util.Properties name := "bitcoin-s-clightning-rpc" @@ -43,12 +44,28 @@ TaskKeys.downloadCLightning := { val downloadCommand = url(location) #> archiveLocation.toFile downloadCommand.!! - logger.info(s"Download complete, unzipping result") + val bytes = Files.readAllBytes(archiveLocation) + val hash = MessageDigest + .getInstance("SHA-256") + .digest(bytes) + .map("%02x" format _) + .mkString - val extractCommand = - s"tar -xf $archiveLocation --directory $versionDir" - logger.info(s"Extracting archive with command: $extractCommand") - extractCommand.!! + val expectedHash = + if (Properties.isLinux) + "c99e1879e36f108e4c7d9bef597a4179e6c6b5b92b1142f2bc9e888cf0cf6ea6" + else sys.error(s"Unsupported OS: ${Properties.osName}") + + if (hash.equalsIgnoreCase(expectedHash)) { + logger.info(s"Download complete and verified, unzipping result") + + val extractCommand = s"tar -xf $archiveLocation --directory $versionDir" + logger.info(s"Extracting archive with command: $extractCommand") + extractCommand.!! + } else { + logger.error( + s"Downloaded invalid version of c-lightning, got $hash, expected $expectedHash") + } logger.info(s"Deleting archive") Files.delete(archiveLocation) diff --git a/eclair-rpc/eclair-rpc.sbt b/eclair-rpc/eclair-rpc.sbt index ecfc3f7eb2..fe41c78f1d 100644 --- a/eclair-rpc/eclair-rpc.sbt +++ b/eclair-rpc/eclair-rpc.sbt @@ -1,5 +1,5 @@ import java.nio.file._ - +import java.security.MessageDigest import scala.util.Properties name := "bitcoin-s-eclair-rpc" @@ -40,9 +40,26 @@ TaskKeys.downloadEclair := { s"Downloading Eclair $version from location: $location, to destination: $archiveLocation") (url(location) #> archiveLocation.toFile).!! - val extractCommand = s"unzip $archiveLocation -d $versionDir" - logger.info(s"Extracting archive with command: $extractCommand") - extractCommand.!! + val bytes = Files.readAllBytes(archiveLocation) + val hash = MessageDigest + .getInstance("SHA-256") + .digest(bytes) + .map("%02x" format _) + .mkString + + val expectedHash = + "e2407173036d9e2176c129f2328018c543c732a96d1f05c0fb35864c15efc9ba" + + if (hash.equalsIgnoreCase(expectedHash)) { + logger.info(s"Download complete and verified, unzipping result") + + val extractCommand = s"unzip $archiveLocation -d $versionDir" + logger.info(s"Extracting archive with command: $extractCommand") + extractCommand.!! + } else { + logger.error( + s"Downloaded invalid version of eclair, got $hash, expected $expectedHash") + } logger.info(s"Deleting archive") Files.delete(archiveLocation) diff --git a/lnd-rpc/lnd-rpc.sbt b/lnd-rpc/lnd-rpc.sbt index 65bddca6f0..77e328e1bb 100644 --- a/lnd-rpc/lnd-rpc.sbt +++ b/lnd-rpc/lnd-rpc.sbt @@ -1,4 +1,5 @@ import java.nio.file._ +import java.security.MessageDigest import scala.util.Properties name := "bitcoin-s-lnd-rpc" @@ -49,11 +50,32 @@ TaskKeys.downloadLnd := { val downloadCommand = url(location) #> archiveLocation.toFile downloadCommand.!! - logger.info(s"Download complete, unzipping result") + val bytes = Files.readAllBytes(archiveLocation) + val hash = MessageDigest + .getInstance("SHA-256") + .digest(bytes) + .map("%02x" format _) + .mkString - val extractCommand = s"tar -xzf $archiveLocation --directory $binaryDir" - logger.info(s"Extracting archive with command: $extractCommand") - extractCommand.!! + val expectedHash = + if (Properties.isLinux) + "7034e4aea3f404a9bbb1d157653741eb0e020c3d3272f854d3e2cefa0070f24a" + else if (Properties.isMac) + "046409faf7e5049d6ddfdbe2a556fa0b5e6cc651bccce039c6f736b72390ad1d" + else if (Properties.isWin) + "661d0538ca04c4f890d3d9a72717916f41350e810ae06f884e7ed97b38bf783f" + else sys.error(s"Unsupported OS: ${Properties.osName}") + + if (hash.equalsIgnoreCase(expectedHash)) { + logger.info(s"Download complete and verified, unzipping result") + + val extractCommand = s"tar -xzf $archiveLocation --directory $binaryDir" + logger.info(s"Extracting archive with command: $extractCommand") + extractCommand.!! + } else { + logger.error( + s"Downloaded invalid version of lnd, got $hash, expected $expectedHash") + } logger.info(s"Deleting archive") Files.delete(archiveLocation)