From 471065964ca277f5cce05f5d9e7f5e9b35a8607f Mon Sep 17 00:00:00 2001 From: Philipp Wolfer Date: Fri, 24 Dec 2021 12:14:32 +0100 Subject: [PATCH] packaging: verify checksums for macOS downloaded dependencies --- .github/workflows/package.yml | 4 ++++ scripts/package/macos-setup.sh | 24 ++++++++++++++++-------- 2 files changed, 20 insertions(+), 8 deletions(-) diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml index 7432a9cc0..ef1f7ba1e 100644 --- a/.github/workflows/package.yml +++ b/.github/workflows/package.yml @@ -29,9 +29,13 @@ jobs: macos-deployment-version: [10.12, 10.14] env: DISCID_VERSION: 0.6.2 + DISCID_SHA256SUM: f9e443ac4c0dd4819c2841fcc82169a46fb9a626352cdb9c7f65dd3624cd31b9 FPCALC_VERSION: 1.5.0 + FPCALC_SHA256SUM: 347fd7eee57e59b56c30221e24dc73358e64a1205c2bf235be38c1d6f2d42ddf ABEXTRACTOR_VERSION: v2.1_beta2-4 + ABEXTRACTOR_SHA256SUM: 00650e89541b9f0fd25d5335c564b133b7d8457449829fcfca8abeab66583260 PYTHON_VERSION: 3.9.8 + PYTHON_SHA256SUM: 58d27898b50cd07fcd0992f12044764dbd84e934dd7cea0e5ffb6540e284214e MACOSX_DEPLOYMENT_TARGET: ${{ matrix.macos-deployment-version }} steps: - uses: actions/checkout@v2 diff --git a/scripts/package/macos-setup.sh b/scripts/package/macos-setup.sh index 05e0cb167..dc485a602 100755 --- a/scripts/package/macos-setup.sh +++ b/scripts/package/macos-setup.sh @@ -7,15 +7,19 @@ brew link gettext --force # Install requested Python version if [ -n "$PYTHON_VERSION" ]; then - wget "https://www.python.org/ftp/python/${PYTHON_VERSION}/python-${PYTHON_VERSION}-macosx10.9.pkg" - sudo installer -pkg "python-${PYTHON_VERSION}-macosx10.9.pkg" -target / + PYTHON_FILENAME=python-$PYTHON_VERSION-macosx10.9.pkg + wget "https://www.python.org/ftp/python/$PYTHON_VERSION/$PYTHON_FILENAME" + echo "$PYTHON_SHA256SUM $PYTHON_FILENAME" | shasum --algorithm 256 --check --status + sudo installer -pkg "$PYTHON_FILENAME" -target / sudo python3 -m ensurepip fi # Install libdiscid if [ ! -f "$HOME/libdiscid/lib/libdiscid.0.dylib" ]; then - wget "ftp://ftp.musicbrainz.org/pub/musicbrainz/libdiscid/libdiscid-$DISCID_VERSION.tar.gz" - tar -xf "libdiscid-$DISCID_VERSION.tar.gz" + DISCID_FILENAME="libdiscid-$DISCID_VERSION.tar.gz" + wget "ftp://ftp.musicbrainz.org/pub/musicbrainz/libdiscid/$DISCID_FILENAME" + echo "$DISCID_SHA256SUM $DISCID_FILENAME" | shasum --algorithm 256 --check --status + tar -xf $DISCID_FILENAME cd "libdiscid-$DISCID_VERSION" ./configure --prefix="$HOME/libdiscid" make install @@ -25,14 +29,18 @@ cp "$HOME/libdiscid/lib/libdiscid.0.dylib" . # Install fpcalc if [ -n "$FPCALC_VERSION" ]; then - wget "https://github.com/acoustid/chromaprint/releases/download/v$FPCALC_VERSION/chromaprint-fpcalc-$FPCALC_VERSION-macos-x86_64.tar.gz" - tar -xf "chromaprint-fpcalc-$FPCALC_VERSION-macos-x86_64.tar.gz" + FPCALC_FILENAME="chromaprint-fpcalc-$FPCALC_VERSION-macos-x86_64.tar.gz" + wget "https://github.com/acoustid/chromaprint/releases/download/v$FPCALC_VERSION/$FPCALC_FILENAME" + echo "$FPCALC_SHA256SUM $FPCALC_FILENAME" | shasum --algorithm 256 --check --status + tar -xf "$FPCALC_FILENAME" cp "chromaprint-fpcalc-$FPCALC_VERSION-macos-x86_64/fpcalc" . fi # Install AcousticBrainz extractor if [ -n "$ABEXTRACTOR_VERSION" ]; then - wget "https://github.com/phw/essentia-extractor-builds/releases/download/$ABEXTRACTOR_VERSION/essentia-extractor-$ABEXTRACTOR_VERSION-macos.tar.gz" - tar -xf "essentia-extractor-$ABEXTRACTOR_VERSION-macos.tar.gz" + ABEXTRACTOR_FILENAME="essentia-extractor-$ABEXTRACTOR_VERSION-macos.tar.gz" + wget "https://github.com/phw/essentia-extractor-builds/releases/download/$ABEXTRACTOR_VERSION/$ABEXTRACTOR_FILENAME" + echo "$ABEXTRACTOR_SHA256SUM $ABEXTRACTOR_FILENAME" | shasum --algorithm 256 --check --status + tar -xf "$ABEXTRACTOR_FILENAME" cp "essentia-extractor-$ABEXTRACTOR_VERSION-macos/streaming_extractor_music" . fi