Verify binary download hashes (#3849)

* Update lnd to v0.14.1 * Verify binary download sha256 sums
2024-11-19 01:40:55 +01:00 · 2021-11-27 11:51:34 -06:00 · 2021-11-27 11:51:34 -06:00 · cd3006c020
commit cd3006c020
parent 09f0ac4657
4 changed files with 137 additions and 20 deletions
--- a/bitcoind-rpc/bitcoind-rpc.sbt
+++ b/bitcoind-rpc/bitcoind-rpc.sbt
@ -1,7 +1,8 @@
 import java.nio.file.Files
+import java.security.MessageDigest
 import scala.collection.JavaConverters._
 import scala.concurrent.duration.DurationInt
-import scala.concurrent.{Await, Future}
+import scala.concurrent.{Await, Future, Promise}
 import scala.util.Properties

 name := "bitcoin-s-bitcoind-rpc"
@ -45,7 +46,6 @@ TaskKeys.downloadBitcoind := {

  implicit val ec = scala.concurrent.ExecutionContext.global
  val downloads = versions.map { version =>
-    val versionDir = binaryDir resolve version
    val archiveLocation = binaryDir resolve s"$version.$suffix"
    val location =
      if (version == experimentalVersion)
@ -70,18 +70,79 @@ TaskKeys.downloadBitcoind := {
        s"Directory $expectedEndLocation already exists, skipping download of version $version")
      Future.unit
    } else {
-      Future {
+      // copy of FutureUtil.makeAsync
+      def makeAsync(func: () => Unit): Future[Unit] = {
+        val resultP = Promise[Unit]()
+
+        ec.execute { () =>
+          val result: Unit = func()
+          resultP.success(result)
+        }
+
+        resultP.future
+      }
+
+      makeAsync { () =>
        logger.info(
          s"Downloading bitcoind version $version from location: $location")
        logger.info(s"Placing the file in $archiveLocation")
        val downloadCommand = url(location) #> archiveLocation.toFile
        downloadCommand.!!

-        logger.info(s"Download complete, unzipping result")
+        val bytes = Files.readAllBytes(archiveLocation)
+        val hash = MessageDigest
+          .getInstance("SHA-256")
+          .digest(bytes)
+          .map("%02x" format _)
+          .mkString

-        val extractCommand = s"tar -xzf $archiveLocation --directory $binaryDir"
-        logger.info(s"Extracting archive with command: $extractCommand")
-        extractCommand.!!
+        val expectedHash =
+          if (Properties.isLinux)
+            Map(
+              "22.0" -> "59ebd25dd82a51638b7a6bb914586201e67db67b919b2a1ff08925a7936d1b16",
+              "0.21.1" -> "366eb44a7a0aa5bd342deea215ec19a184a11f2ca22220304ebb20b9c8917e2b",
+              "0.20.1" -> "376194f06596ecfa40331167c39bc70c355f960280bd2a645fdbf18f66527397",
+              "0.19.0.1" -> "732cc96ae2e5e25603edf76b8c8af976fe518dd925f7e674710c6c8ee5189204",
+              "0.18.1" -> "600d1db5e751fa85903e935a01a74f5cc57e1e7473c15fd3e17ed21e202cfe5a",
+              "0.17.0.1" -> "6ccc675ee91522eee5785457e922d8a155e4eb7d5524bd130eb0ef0f0c4a6008",
+              "0.16.3" -> "5d422a9d544742bc0df12427383f9c2517433ce7b58cf672b9a9b17c2ef51e4f",
+              experimentalVersion -> "f8b1a0ded648249e5e8c14fca3e11a733da8172b05523922c87557ea5eaaa4c5"
+            )
+          else if (Properties.isMac)
+            Map(
+              "22.0" -> "2744d199c3343b2d94faffdfb2c94d75a630ba27301a70e47b0ad30a7e0155e9",
+              "0.21.1" -> "1ea5cedb64318e9868a66d3ab65de14516f9ada53143e460d50af428b5aec3c7",
+              "0.20.1" -> "b9024dde373ea7dad707363e07ec7e265383204127539ae0c234bff3a61da0d1",
+              "0.19.0.1" -> "a64e4174e400f3a389abd76f4d6b1853788730013ab1dedc0e64b0a0025a0923",
+              "0.18.1" -> "b7bbcee7a7540f711b171d6981f939ca8482005fde22689bc016596d80548bb1",
+              "0.17.0.1" -> "3b1fb3dd596edb656bbc0c11630392e201c1a4483a0e1a9f5dd22b6556cbae12",
+              "0.16.3" -> "78c3bff3b619a19aed575961ea43cc9e142959218835cf51aede7f0b764fc25d",
+              experimentalVersion -> "cfd4ed0b8db08fb1355aca44ca282b1de31e83b5862efaac527e3952b0987e55"
+            )
+          else if (Properties.isWin)
+            Map(
+              "22.0" -> "9485e4b52ed6cebfe474ab4d7d0c1be6d0bb879ba7246a8239326b2230a77eb1",
+              "0.21.1" -> "94c80f90184cdc7e7e75988a55b38384de262336abd80b1b30121c6e965dc74e",
+              "0.20.1" -> "e59fba67afce011d32b5d723a3a0be12da1b8a34f5d7966e504520c48d64716d",
+              "0.19.0.1" -> "7706593de727d893e4b1e750dc296ea682ccee79acdd08bbc81eaacf3b3173cf",
+              "0.18.1" -> "b0f94ab43c068bac9c10a59cb3f1b595817256a00b84f0b724f8504b44e1314f",
+              "0.17.0.1" -> "2d0a0aafe5a963beb965b7645f70f973a17f4fa4ddf245b61d532f2a58449f3e",
+              "0.16.3" -> "52469c56222c1b5344065ef2d3ce6fc58ae42939a7b80643a7e3ee75ec237da9",
+              experimentalVersion -> "b7ad8e6c0b91adf820499bf891f22f590e969b834980d4910efac5b082d83c49"
+            )
+          else sys.error(s"Unsupported OS: ${Properties.osName}")
+
+        if (hash.equalsIgnoreCase(expectedHash(version))) {
+          logger.info(s"Download complete and verified, unzipping result")
+
+          val extractCommand =
+            s"tar -xzf $archiveLocation --directory $binaryDir"
+          logger.info(s"Extracting archive with command: $extractCommand")
+          extractCommand.!!
+        } else {
+          logger.error(
+            s"Downloaded invalid version of bitcoind v$version, got $hash, expected ${expectedHash(version)}")
+        }

        logger.info(s"Deleting archive")
        Files.delete(archiveLocation)
--- a/clightning-rpc/clightning-rpc.sbt
+++ b/clightning-rpc/clightning-rpc.sbt
@ -1,4 +1,5 @@
 import java.nio.file._
+import java.security.MessageDigest
 import scala.util.Properties

 name := "bitcoin-s-clightning-rpc"
@ -43,12 +44,28 @@ TaskKeys.downloadCLightning := {
    val downloadCommand = url(location) #> archiveLocation.toFile
    downloadCommand.!!

-    logger.info(s"Download complete, unzipping result")
+    val bytes = Files.readAllBytes(archiveLocation)
+    val hash = MessageDigest
+      .getInstance("SHA-256")
+      .digest(bytes)
+      .map("%02x" format _)
+      .mkString

-    val extractCommand =
-      s"tar -xf $archiveLocation --directory $versionDir"
-    logger.info(s"Extracting archive with command: $extractCommand")
-    extractCommand.!!
+    val expectedHash =
+      if (Properties.isLinux)
+        "c99e1879e36f108e4c7d9bef597a4179e6c6b5b92b1142f2bc9e888cf0cf6ea6"
+      else sys.error(s"Unsupported OS: ${Properties.osName}")
+
+    if (hash.equalsIgnoreCase(expectedHash)) {
+      logger.info(s"Download complete and verified, unzipping result")
+
+      val extractCommand = s"tar -xf $archiveLocation --directory $versionDir"
+      logger.info(s"Extracting archive with command: $extractCommand")
+      extractCommand.!!
+    } else {
+      logger.error(
+        s"Downloaded invalid version of c-lightning, got $hash, expected $expectedHash")
+    }

    logger.info(s"Deleting archive")
    Files.delete(archiveLocation)
--- a/eclair-rpc/eclair-rpc.sbt
+++ b/eclair-rpc/eclair-rpc.sbt
@ -1,5 +1,5 @@
 import java.nio.file._
-
+import java.security.MessageDigest
 import scala.util.Properties

 name := "bitcoin-s-eclair-rpc"
@ -40,9 +40,26 @@ TaskKeys.downloadEclair := {
      s"Downloading Eclair $version from location: $location, to destination: $archiveLocation")
    (url(location) #> archiveLocation.toFile).!!

-    val extractCommand = s"unzip $archiveLocation -d $versionDir"
-    logger.info(s"Extracting archive with command: $extractCommand")
-    extractCommand.!!
+    val bytes = Files.readAllBytes(archiveLocation)
+    val hash = MessageDigest
+      .getInstance("SHA-256")
+      .digest(bytes)
+      .map("%02x" format _)
+      .mkString
+
+    val expectedHash =
+      "e2407173036d9e2176c129f2328018c543c732a96d1f05c0fb35864c15efc9ba"
+
+    if (hash.equalsIgnoreCase(expectedHash)) {
+      logger.info(s"Download complete and verified, unzipping result")
+
+      val extractCommand = s"unzip $archiveLocation -d $versionDir"
+      logger.info(s"Extracting archive with command: $extractCommand")
+      extractCommand.!!
+    } else {
+      logger.error(
+        s"Downloaded invalid version of eclair, got $hash, expected $expectedHash")
+    }

    logger.info(s"Deleting archive")
    Files.delete(archiveLocation)
--- a/lnd-rpc/lnd-rpc.sbt
+++ b/lnd-rpc/lnd-rpc.sbt
@ -1,4 +1,5 @@
 import java.nio.file._
+import java.security.MessageDigest
 import scala.util.Properties

 name := "bitcoin-s-lnd-rpc"
@ -49,11 +50,32 @@ TaskKeys.downloadLnd := {
    val downloadCommand = url(location) #> archiveLocation.toFile
    downloadCommand.!!

-    logger.info(s"Download complete, unzipping result")
+    val bytes = Files.readAllBytes(archiveLocation)
+    val hash = MessageDigest
+      .getInstance("SHA-256")
+      .digest(bytes)
+      .map("%02x" format _)
+      .mkString

-    val extractCommand = s"tar -xzf $archiveLocation --directory $binaryDir"
-    logger.info(s"Extracting archive with command: $extractCommand")
-    extractCommand.!!
+    val expectedHash =
+      if (Properties.isLinux)
+        "7034e4aea3f404a9bbb1d157653741eb0e020c3d3272f854d3e2cefa0070f24a"
+      else if (Properties.isMac)
+        "046409faf7e5049d6ddfdbe2a556fa0b5e6cc651bccce039c6f736b72390ad1d"
+      else if (Properties.isWin)
+        "661d0538ca04c4f890d3d9a72717916f41350e810ae06f884e7ed97b38bf783f"
+      else sys.error(s"Unsupported OS: ${Properties.osName}")
+
+    if (hash.equalsIgnoreCase(expectedHash)) {
+      logger.info(s"Download complete and verified, unzipping result")
+
+      val extractCommand = s"tar -xzf $archiveLocation --directory $binaryDir"
+      logger.info(s"Extracting archive with command: $extractCommand")
+      extractCommand.!!
+    } else {
+      logger.error(
+        s"Downloaded invalid version of lnd, got $hash, expected $expectedHash")
+    }

    logger.info(s"Deleting archive")
    Files.delete(archiveLocation)