From 68c391fa10b3c373c1bd66378ad11e24589cbc69 Mon Sep 17 00:00:00 2001 From: Sami Tikka Date: Tue, 14 Jul 2015 01:49:28 +0300 Subject: [PATCH] Verify download using sha1 checksum, if possible Download also SHASUMS.txt file and check the downloaded tar package is good. Apparently the older node versions do not have a SHASUMS.txt file, so do not fail, just warn, if the SHASUMS.txt cannot be downloaded. --- libexec/nodenv-install | 52 ++++++++++++++++++++++++++++++++---------- 1 file changed, 40 insertions(+), 12 deletions(-) diff --git a/libexec/nodenv-install b/libexec/nodenv-install index fe753f4..45f2a5b 100755 --- a/libexec/nodenv-install +++ b/libexec/nodenv-install @@ -25,6 +25,30 @@ sort_versions() { LC_ALL=C sort -t. -k 1,1 -k 2,2n -k 3,3n -k 4,4n -k 5,5n } +verified_download() { + url="$1" + filename=$(basename "$url") + shasum_url=$(dirname "$url")/SHASUMS.txt + download_dir=$(mktemp -d /tmp/nodenv.XXXXXX) + curl --silent --show-error --fail "$url" --output "$download_dir/$filename" || return 1 + if curl --silent --show-error --fail "$shasum_url" --output "$download_dir/SHASUMS.txt"; then + # make a checksum file with only one entry + awk -v "f=$filename" '$2 == f' "$download_dir/SHASUMS.txt" > "$download_dir/SHASUM.txt" + ( + cd "$download_dir" + shasum -c "SHASUM.txt" >/dev/null + ) || { + rm -rf "$download_dir" + echo "ERROR: Download of $url failed checksum check" >&2 + return 1 + } + else + echo "WARNING: $shasum_url not found, download cannot be verified." >&2 + fi + # Provide downloaded, verified filename to caller + echo "$download_dir/$filename" +} + # Provide nodenv completions if [ "$1" = "--complete" ]; then list_definitions 
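Review bot: The check in `verified_download` can pass without verifying anything: if SHASUMS.txt has no line for `$filename`, the awk filter writes an empty `SHASUM.txt`, and whether `shasum -c` rejects an empty list depends on the shasum version installed. An explicit guard before the subshell makes that case fail closed, `[ -s "$download_dir/SHASUM.txt" ] || { rm -rf "$download_dir"; echo "ERROR: no checksum entry for $filename" >&2; return 1; }`. The warning-only branch also means that any failure to fetch SHASUMS.txt, not only a genuinely missing file, turns verification off. Because the checksum list comes from the same server as the tarball, the check detects corruption in transit rather than a tampered origin, which deserves a comment above the function. The first `curl ... || return 1` also returns without removing `$download_dir`.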
@@ -47,23 +71,25 @@ cd "$version_dir" if [ "$compile" = "--source" ]; then # Let's fetch the source and build it - download="http://nodejs.org/dist/${version}/node-${version}.tar.gz" - alt_download="http://nodejs.org/dist/node-${version}.tar.gz" + download="https://nodejs.org/dist/${version}/node-${version}.tar.gz" + alt_download="https://nodejs.org/dist/node-${version}.tar.gz" # Can't get too clever here set +e + node_file=$(verified_download $download || verified_download $alt_download) || { + rm -rf "$version_dir" + exit 1 + } # Download source and compile it - (curl -s -f "$download" > /tmp/node-$version.tar.gz || \ - curl -s -f "$alt_download" > /tmp/node-$version.tar.gz) && \ - tar zxf /tmp/node-$version.tar.gz -C /tmp && \ + tar zxf "$node_file" -C /tmp && \ cd /tmp/node-$version && \ ($PYTHON ./configure --prefix="$version_dir" && make && make install) 2>&1 > /tmp/nodenv-install-$version.log && \ - rm /tmp/node-$version.tar.gz && \ + rm "$node_file" && \ rm -rf /tmp/node-$version || \ { cd $OLDPWD - rm -rf "$version_dir" /tmp/node-$version.tar.gz /tmp/node-$version + rm -rf "$version_dir" "$node_file" /tmp/node-$version echo "nodenv: installation of $version from source failed" >&2 exit 1 @@ -79,15 +105,18 @@ else fi # URL to download from - download="http://nodejs.org/dist/${version}/node-${version}-${platform}-${arch}.tar.gz" + download="https://nodejs.org/dist/${version}/node-${version}-${platform}-${arch}.tar.gz" # Can't get too clever here set +e # Download binary tarball and install - curl -s -f "$download" > /tmp/node-$version.tar.gz && \ - tar zxf /tmp/node-$version.tar.gz --strip-components 1 && \ - rm /tmp/node-$version.tar.gz || \ + node_file=$(verified_download $download) || { + rm -rf "$version_dir" + exit 1 + } + tar zxf "$node_file" --strip-components 1 && \ + rm -f "$node_file" || \ { cd $OLDPWD rmdir "$version_dir" @@ -101,4 +130,3 @@ chmod -R 755 $version_dir echo "Installed ${version}" cd $OLDPWD -
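Review bot: The checksum-verified tarball is still unpacked with `tar zxf "$node_file" -C /tmp` and built from `/tmp/node-$version`, a predictable path in a shared directory, so what gets compiled is not guaranteed to be only what was verified if that directory already exists. Extracting inside the private directory that `verified_download` created keeps the verified content isolated: `src_dir=$(dirname "$node_file")`, then `tar zxf "$node_file" -C "$src_dir" && cd "$src_dir/node-$version"`, with `rm -rf "$src_dir"` as the cleanup on both the success and failure paths. That also removes the leftover `nodenv.XXXXXX` directory and checksum files, which `rm "$node_file"` here and `rm -f "$node_file"` in the binary-install hunk leave behind. `$download` and `$alt_download` should be quoted in the `verified_download` calls in both hunks. The failure block of this hunk continues past its last line.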