Verify bin integrity in npm package

CloudCannon · Mar 14, 2022 · dab3034 · dab3034
1 parent 3b4f707
commit dab3034
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 1 deletion.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -51,10 +51,16 @@ jobs:
     steps:
       - name: Clone
         uses: actions/checkout@v2
-      - name: Set Version
+      - name: Prepare package
         run: |
           RELEASE_VERSION=${GITHUB_REF#refs/tags/}
           npm version $(echo $RELEASE_VERSION | cut -c1-)
+          mkdir checksums
+          for TARGET in x86_64-unknown-linux-musl x86_64-apple-darwin
+          do
+            ASSET_NAME="rosey-$RELEASE_VERSION-$TARGET.tar.gz.sha256"
+            curl -L https://github.com/CloudCannon/rosey/releases/download/$RELEASE_VERSION/$ASSET_NAME -o checksums/$ASSET_NAME
+          done
       - name: Publish
         run: npm publish
         env:

diff --git a/wrappers/node/lib/download.js b/wrappers/node/lib/download.js
@@ -7,6 +7,7 @@ const url = require('url');
 const URL = url.URL;
 const child_process = require('child_process');
 const proxy_from_env = require('proxy-from-env');
+const { createHash } = require('crypto');
 
 const packageVersion = require('../package.json').version;
 const cacheDir = path.join(__dirname, `../cache`);
@@ -254,6 +255,21 @@ async function cleanCache(){
     }))
 }
 
+function verifyChecksum(assetName, downloadFolder){
+    const checksumPath = path.join(__dirname, '../checksums', `${assetName}.sha256`);
+    const releaseSum = fs.readFileSync(checksumPath, 'utf8').split(" ")[0];
+
+    const assetDownloadPath = path.join(downloadFolder, assetName);
+    const assetBuffer = fs.readFileSync(assetDownloadPath);
+    const hash = createHash('sha256');
+    hash.update(assetBuffer);
+    const assetSum = hash.digest("hex");
+
+    if(assetSum !== releaseSum){
+        throw new Error("Integrity check failed.")
+    }
+}
+
 module.exports = async opts => {
     if (!opts.version) {
         return Promise.reject(new Error('Missing version'));
@@ -272,10 +288,20 @@ module.exports = async opts => {
     const assetDownloadPath = path.join(tmpDir, assetName);
     try {
         await getAssetFromGithubApi(opts, assetName, tmpDir)
+        await verifyChecksum(assetName, tmpDir);
     } catch (e) {
         console.log('Deleting invalid download cache');
         try {
             await fsUnlink(assetDownloadPath);
+            const expectedName = path.join(opts.destDir, 'rosey');
+
+            if (await fsExists(expectedName)) {
+                await fsUnlink(expectedName);
+            }
+
+            if (await fsExists(expectedName + '.exe')) {
+                await fsUnlink(expectedName + '.exe');
+            }
         } catch (e) { }
 
         throw e;