feat: verify downloaded zig version
parent
4f12c907f3
commit
7e8d01be0e
File diff suppressed because one or more lines are too long
20
index.js
20
index.js
|
@ -1,11 +1,13 @@
|
|||
'use strict'
|
||||
|
||||
const os = require('os')
|
||||
const fs = require('fs/promises')
|
||||
const path = require('path')
|
||||
const semver = require('semver')
|
||||
const actions = require('@actions/core')
|
||||
const cache = require('@actions/cache')
|
||||
const toolCache = require('@actions/tool-cache')
|
||||
const { Minizign } = require('zig-minisign')
|
||||
const {
|
||||
extForPlatform,
|
||||
resolveCommit,
|
||||
|
@ -40,6 +42,24 @@ async function downloadZig (platform, version, useCache = true) {
|
|||
|
||||
actions.info(`no cached version found. downloading zig ${variantName}`)
|
||||
const downloadPath = await toolCache.downloadTool(downloadUrl)
|
||||
|
||||
const downloadUrlSig = `${downloadUrl}.minisig`
|
||||
actions.info(`fetching signature ${downloadUrlSig}`)
|
||||
const downloadPathSig = await toolCache.downloadTool(downloadUrlSig)
|
||||
|
||||
const signatureFile = await fs.readFile(downloadPathSig)
|
||||
const file = await fs.readFile(downloadPath)
|
||||
|
||||
const minizign = new Minizign()
|
||||
await minizign.init()
|
||||
|
||||
// Public Key from https://ziglang.org/download
|
||||
const pk = minizign.publicKey('RWSGOq2NVecA2UPNdBUZykf1CCb147pkmdtYxgb3Ti+JO/wCYvhbAb/U')
|
||||
const signature = minizign.signature(signatureFile)
|
||||
pk.verify(signature, file)
|
||||
actions.info(`verified zig signature`)
|
||||
actions.info(`Trusted comment: ${signature.getTrustedComment()}`)
|
||||
|
||||
const zigPath = ext === 'zip'
|
||||
? await toolCache.extractZip(downloadPath)
|
||||
: await toolCache.extractTar(downloadPath, undefined, 'x')
|
||||
|
|
|
@ -11,7 +11,8 @@
|
|||
"@actions/core": "^1.2.2",
|
||||
"@actions/tool-cache": "^2.0.1",
|
||||
"semver": "^7.1.3",
|
||||
"simple-get": "^4.0.0"
|
||||
"simple-get": "^4.0.0",
|
||||
"zig-minisign": "^0.1.3"
|
||||
},
|
||||
"devDependencies": {
|
||||
"esbuild": "^0.20.0",
|
||||
|
|
Loading…
Reference in New Issue