cx-git-agent
87 lines
2.5 KiB
Bash
Executable File
87 lines
2.5 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# cxos/vendor/busybox/fetch.sh — download + verify + extract busybox tarball.
|
|
# Mirrors cxos/vendor/linux/fetch.sh shape (PINNED.json driven, --dry, --gpg).
|
|
set -euo pipefail
|
|
|
|
DRY=0
|
|
GPG=0
|
|
for arg in "$@"; do
|
|
case "$arg" in
|
|
--dry) DRY=1 ;;
|
|
--gpg) GPG=1 ;;
|
|
-h|--help) sed -n '2,4p' "$0" | sed 's/^# \{0,1\}//'; exit 0 ;;
|
|
*) echo "fetch.sh: unknown arg: $arg" >&2; exit 2 ;;
|
|
esac
|
|
done
|
|
|
|
HERE="$(cd "$(dirname "$0")" && pwd)"
|
|
PINNED="$HERE/PINNED.json"
|
|
[[ -f "$PINNED" ]] || { echo "fetch.sh: missing $PINNED" >&2; exit 1; }
|
|
|
|
read -r VERSION TARBALL_URL SIG_URL SHA256 EXTRACTED_DIR < <(
|
|
python3 - "$PINNED" <<'PY'
|
|
import json, sys
|
|
d = json.load(open(sys.argv[1]))
|
|
print(d["version"], d["tarball_url"], d["signature_url"],
|
|
d["sha256"], d["extracted_dir"])
|
|
PY
|
|
)
|
|
|
|
TARBALL="$HERE/busybox-${VERSION}.tar.bz2"
|
|
SIGNATURE="$HERE/busybox-${VERSION}.tar.bz2.sig"
|
|
SRC_DIR="$HERE/src"
|
|
|
|
echo "==> busybox ${VERSION}"
|
|
echo " tarball: ${TARBALL_URL}"
|
|
echo " sha256 : ${SHA256}"
|
|
echo " extract: ${SRC_DIR}/${EXTRACTED_DIR}"
|
|
|
|
if [[ "$DRY" == "1" ]]; then
|
|
echo "==> dry-run; nothing fetched"
|
|
exit 0
|
|
fi
|
|
|
|
mkdir -p "$SRC_DIR"
|
|
|
|
if [[ ! -f "$TARBALL" ]]; then
|
|
echo "==> downloading"
|
|
curl -fsSL --retry 3 -o "$TARBALL" "$TARBALL_URL"
|
|
fi
|
|
|
|
echo "==> verifying sha256"
|
|
ACTUAL_SHA="$(sha256sum "$TARBALL" | awk '{print $1}')"
|
|
if [[ "$ACTUAL_SHA" != "$SHA256" ]]; then
|
|
echo "fetch.sh: SHA-256 mismatch" >&2
|
|
echo " expected: $SHA256" >&2
|
|
echo " actual : $ACTUAL_SHA" >&2
|
|
rm -f "$TARBALL"
|
|
exit 1
|
|
fi
|
|
echo " ok"
|
|
|
|
if [[ "$GPG" == "1" ]]; then
|
|
command -v gpg >/dev/null 2>&1 || { echo "fetch.sh: --gpg requested but gpg not installed" >&2; exit 1; }
|
|
[[ -f "$SIGNATURE" ]] || curl -fsSL --retry 3 -o "$SIGNATURE" "$SIG_URL"
|
|
FINGERPRINTS="$(python3 -c '
|
|
import json,sys
|
|
for k in json.load(open(sys.argv[1]))["gpg_signing_keys"]:
|
|
print(k["fingerprint"])' "$PINNED")"
|
|
for fp in $FINGERPRINTS; do
|
|
gpg --keyserver hkps://keys.openpgp.org --recv-keys "$fp" >/dev/null 2>&1 || true
|
|
done
|
|
echo "==> verifying gpg signature"
|
|
if ! gpg --verify "$SIGNATURE" "$TARBALL" 2>&1 \
|
|
| grep -qE 'Good signature.*('"$(echo "$FINGERPRINTS" | tr '\n' '|' | sed 's/|$//')"')'; then
|
|
echo "fetch.sh: GPG verification failed" >&2
|
|
exit 1
|
|
fi
|
|
echo " ok"
|
|
fi
|
|
|
|
if [[ ! -d "$SRC_DIR/$EXTRACTED_DIR" ]]; then
|
|
echo "==> extracting"
|
|
tar -xjf "$TARBALL" -C "$SRC_DIR"
|
|
fi
|
|
|
|
echo "==> busybox source ready: $SRC_DIR/$EXTRACTED_DIR"
|