diff --git a/dist/lib/checksum.js b/dist/lib/checksum.js
index b700ed4..e383bbc 100644
--- a/dist/lib/checksum.js
+++ b/dist/lib/checksum.js
@@ -36,35 +36,15 @@ var __importStar = (this && this.__importStar) || function (mod) {
 __setModuleDefault(result, mod);
 return result;
 };
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
- function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
- return new (P || (P = Promise))(function (resolve, reject) {
- function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
- function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
- function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
- step((generator = generator.apply(thisArg, _arguments || [])).next());
- });
-};
 var __importDefault = (this && this.__importDefault) || function (mod) {
 return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getNotationCheckSum = exports.validateCheckSum = void 0;
+exports.hash = exports.getNotationCheckSum = void 0;
 const crypto = __importStar(require("crypto"));
 const fs = __importStar(require("fs"));
 const install_1 = require("./install");
 const notation_releases_json_1 = __importDefault(require("./data/notation_releases.json"));
-// validateCheckSum validates checksum of file at path against ground truth.
-function validateCheckSum(path, groundTruth) {
- return __awaiter(this, void 0, void 0, function* () {
- const sha256 = yield hash(path);
- if (sha256 !== groundTruth) {
- throw new Error(`checksum of downloaded plugin ${sha256} does not match ground truth ${groundTruth}`);
- }
- console.log("Successfully checked download checksum against ground truth");
- });
-}
-exports.validateCheckSum = validateCheckSum;
 // getNotationCheckSum returns checksum of user specified official Notation CLI
 // release.
 function getNotationCheckSum(version) {
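Review bot: Removing `validateCheckSum` moves the digest comparison into each caller (the setup.js and sign.js hunks below), so the two copies can drift; they already differ in message wording and in whether the expected value was lowercased before the compare. A download check is worth keeping at a single verification point, so consider retaining a small `validateCheckSum(path, expected)` in this module exported alongside `hash` and having both callers use it. `getNotationCheckSum`'s body continues outside the hunk.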
@@ -78,7 +58,7 @@ function getNotationCheckSum(version) {
 return checksum;
 }
 }
- throw new Error(`Notation release does not support user input version ${version}`);
+ throw new Error(`Notation CLI release does not support user input version ${version}`);
 }
 exports.getNotationCheckSum = getNotationCheckSum;
 // hash computes SH256 of file at path.
@@ -91,4 +71,5 @@ function hash(path) {
 stream.on('end', () => resolve(hash.digest('hex')));
 });
 }
+exports.hash = hash;
 //# sourceMappingURL=checksum.js.map
\ No newline at end of file
diff --git a/dist/lib/checksum.js.map b/dist/lib/checksum.js.map
index 4154788..067a1aa 100644
--- a/dist/lib/checksum.js.map
+++ b/dist/lib/checksum.js.map
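Review bot: Now that `hash` is exported and its result is compared directly by two callers, its header comment should state the contract they rely on; the context line `// hash computes SH256 of file at path.` has a typo and does not say the digest is lowercase hex. Suggested comment: `// hash computes the SHA-256 of the file at path and resolves with its lowercase hex digest; callers must normalise the expected value to lowercase before comparing.` The body of `hash` starts outside this hunk.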
@@ -1 +1 @@ -{"version":3,"file":"checksum.js","sourceRoot":"","sources":["../../src/lib/checksum.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,+CAAiC;AACjC,uCAAyB;AACzB,uCAA+C;AAC/C,2FAA6D;AAE7D,4EAA4E;AAC5E,SAAsB,gBAAgB,CAAC,IAAY,EAAE,WAAmB;;QACpE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,IAAI,MAAM,KAAK,WAAW,EAAE;YACxB,MAAM,IAAI,KAAK,CAAC,iCAAiC,MAAM,gCAAgC,WAAW,EAAE,CAAC,CAAC;SACzG;QACD,OAAO,CAAC,GAAG,CAAC,6DAA6D,CAAC,CAAA;IAC9E,CAAC;CAAA;AAND,4CAMC;AAED,+EAA+E;AAC/E,WAAW;AACX,SAAgB,mBAAmB,CAAC,OAAe;IAC/C,MAAM,QAAQ,GAAG,IAAA,qBAAW,GAAE,CAAC;IAC/B,MAAM,YAAY,GAAG,IAAA,iBAAO,GAAE,CAAC;IAC/B,KAAK,MAAM,OAAO,IAAI,gCAAuB,EAAE;QAC3C,IAAI,OAAO,CAAC,SAAS,CAAC,KAAK,OAAO,EAAE;YAChC,OAAO,CAAC,GAAG,CAAC,2BAA2B,OAAO,EAAE,CAAC,CAAC;YAClD,IAAI,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,UAAU,CAAC,CAAC;YAC3D,OAAO,CAAC,GAAG,CAAC,4BAA4B,QAAQ,EAAE,CAAC,CAAC;YACpD,OAAO,QAAQ,CAAC;SACnB;KACJ;IACD,MAAM,IAAI,KAAK,CAAC,wDAAwD,OAAO,EAAE,CAAC,CAAC;AACvF,CAAC;AAZD,kDAYC;AAED,uCAAuC;AACvC,SAAS,IAAI,CAAC,IAAY;IACtB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,MAAM,GAAG,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;QACzC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QACvC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QAC/C,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;AACP,CAAC"} \ No newline at end of file 
+{"version":3,"file":"checksum.js","sourceRoot":"","sources":["../../src/lib/checksum.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,+CAAiC;AACjC,uCAAyB;AACzB,uCAA+C;AAC/C,2FAA6D;AAE7D,+EAA+E;AAC/E,WAAW;AACX,SAAgB,mBAAmB,CAAC,OAAe;IAC/C,MAAM,QAAQ,GAAG,IAAA,qBAAW,GAAE,CAAC;IAC/B,MAAM,YAAY,GAAG,IAAA,iBAAO,GAAE,CAAC;IAC/B,KAAK,MAAM,OAAO,IAAI,gCAAuB,EAAE;QAC3C,IAAI,OAAO,CAAC,SAAS,CAAC,KAAK,OAAO,EAAE;YAChC,OAAO,CAAC,GAAG,CAAC,2BAA2B,OAAO,EAAE,CAAC,CAAC;YAClD,IAAI,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,UAAU,CAAC,CAAC;YAC3D,OAAO,CAAC,GAAG,CAAC,4BAA4B,QAAQ,EAAE,CAAC,CAAC;YACpD,OAAO,QAAQ,CAAC;SACnB;KACJ;IACD,MAAM,IAAI,KAAK,CAAC,4DAA4D,OAAO,EAAE,CAAC,CAAC;AAC3F,CAAC;AAZD,kDAYC;AAED,uCAAuC;AACvC,SAAgB,IAAI,CAAC,IAAY;IAC7B,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,MAAM,GAAG,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;QACzC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QACvC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QAC/C,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;AACP,CAAC;AARD,oBAQC"} \ No newline at end of file diff --git a/dist/lib/install.js b/dist/lib/install.js index ce2c5a9..4adee38 100644 --- a/dist/lib/install.js +++ b/dist/lib/install.js @@ -37,7 +37,7 @@ var __importStar = (this && this.__importStar) || function (mod) { return result; }; Object.defineProperty(exports, "__esModule", { value: true }); -exports.getArch = exports.getPlatform = exports.getConfigHome = exports.getNotationDownloadURL = void 0; +exports.getBinaryExtension = exports.getArch = exports.getPlatform = exports.getConfigHome = exports.getNotationDownloadURL = void 0; const os = __importStar(require("os")); const path = __importStar(require("path")); // Get the URL to download Notatoin CLI 
@@ -67,7 +67,7 @@ function getConfigHome() {
 case 'linux':
 return process.env.XDG_CONFIG_HOME ? process.env.XDG_CONFIG_HOME : path.join(os.homedir(), '.config');
 default:
- throw new Error(`Unknown platform: ${platform}`);
+ throw new Error(`unknown platform: ${platform}`);
 }
 }
 exports.getConfigHome = getConfigHome;
@@ -82,7 +82,7 @@ function getPlatform() {
 case 'win32':
 return 'windows';
 default:
- throw new Error(`Unsupported platform: ${platform}`);
+ throw new Error(`unsupported platform: ${platform}`);
 }
 }
 exports.getPlatform = getPlatform;
@@ -95,8 +95,13 @@ function getArch() {
 case 'arm64':
 return 'arm64';
 default:
- throw new Error(`Unsupported architecture: ${architecture}`);
+ throw new Error(`unsupported architecture: ${architecture}`);
 }
 }
 exports.getArch = getArch;
+function getBinaryExtension() {
+ const platform = getPlatform();
+ return platform === 'windows' ? '.exe' : '';
+}
+exports.getBinaryExtension = getBinaryExtension;
 //# sourceMappingURL=install.js.map
\ No newline at end of file
diff --git a/dist/lib/install.js.map b/dist/lib/install.js.map
index 6678ab4..f0f5c64 100644
--- a/dist/lib/install.js.map
+++ b/dist/lib/install.js.map
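Review bot: `getBinaryExtension` is the only exported function in this file without a leading comment, while `getConfigHome`, `getPlatform` and `getArch` each carry one. Suggest `// getBinaryExtension returns the executable suffix for the current platform: '.exe' on windows, '' otherwise. Throws (via getPlatform) on an unsupported platform.` That throw matters because sign.js calls it at module scope to build `notationPluginBinary`, so on an unsupported platform the failure surfaces at load time rather than through `core.setFailed`.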
@@ -1 +1 @@ -{"version":3,"file":"install.js","sourceRoot":"","sources":["../../src/lib/install.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,uCAAyB;AACzB,2CAA6B;AAE7B,uCAAuC;AACvC,SAAgB,sBAAsB,CAAC,OAAe,EAAE,GAAW;IACjE,IAAI,GAAG,EAAE;QACP,OAAO,GAAG,CAAA;KACX;IACD,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;IAC/B,MAAM,YAAY,GAAG,OAAO,EAAE,CAAC;IAC/B,MAAM,QAAQ,GAAG,YAAY,OAAO,IAAI,QAAQ,IAAI,YAAY,EAAE,CAAC;IACnE,MAAM,SAAS,GAAG,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC;IAC5D,OAAO,gEAAgE,OAAO,IAAI,QAAQ,IAAI,SAAS,EAAE,CAAC;AAC5G,CAAC;AATD,wDASC;AAED,gEAAgE;AAChE,qFAAqF;AACrF,SAAgB,aAAa;IACzB,MAAM,QAAQ,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;IAC/B,QAAQ,QAAQ,EAAE;QACd,KAAK,OAAO;YACR,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE;gBACtB,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;aAC3C;YACD,OAAO,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC;QAC/B,KAAK,QAAQ;YACT,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,qBAAqB,CAAC,CAAC;QACrE,KAAK,OAAO;YACR,OAAO,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,CAAC;QAC1G;YACI,MAAM,IAAI,KAAK,CAAC,qBAAqB,QAAQ,EAAE,CAAC,CAAC;KACxD;AACL,CAAC;AAfD,sCAeC;AAED,wEAAwE;AACxE,SAAgB,WAAW;IACzB,MAAM,QAAQ,GAAW,EAAE,CAAC,QAAQ,EAAE,CAAC;IACvC,QAAQ,QAAQ,EAAE;QACd,KAAK,OAAO;YACR,OAAO,OAAO,CAAC;QACnB,KAAK,QAAQ;YACT,OAAO,QAAQ,CAAC;QACpB,KAAK,OAAO;YACR,OAAO,SAAS,CAAC;QACrB;YACI,MAAM,IAAI,KAAK,CAAC,yBAAyB,QAAQ,EAAE,CAAC,CAAC;KAC5D;AACH,CAAC;AAZD,kCAYC;AAED,gEAAgE;AAChE,SAAgB,OAAO;IACrB,MAAM,YAAY,GAAW,EAAE,CAAC,IAAI,EAAE,CAAC;IACvC,QAAQ,YAAY,EAAE;QAClB,KAAK,KAAK;YACN,OAAO,OAAO,CAAC;QACnB,KAAK,OAAO;YACR,OAAO,OAAO,CAAC;QACnB;YACI,MAAM,IAAI,KAAK,CAAC,6BAA6B,YAAY,EAAE,CAAC,CAAC;KACpE;AACH,CAAC;AAVD,0BAUC"} \ No newline at end of file 
+{"version":3,"file":"install.js","sourceRoot":"","sources":["../../src/lib/install.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,uCAAyB;AACzB,2CAA6B;AAE7B,uCAAuC;AACvC,SAAgB,sBAAsB,CAAC,OAAe,EAAE,GAAW;IACjE,IAAI,GAAG,EAAE;QACP,OAAO,GAAG,CAAA;KACX;IACD,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;IAC/B,MAAM,YAAY,GAAG,OAAO,EAAE,CAAC;IAC/B,MAAM,QAAQ,GAAG,YAAY,OAAO,IAAI,QAAQ,IAAI,YAAY,EAAE,CAAC;IACnE,MAAM,SAAS,GAAG,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC;IAC5D,OAAO,gEAAgE,OAAO,IAAI,QAAQ,IAAI,SAAS,EAAE,CAAC;AAC5G,CAAC;AATD,wDASC;AAED,gEAAgE;AAChE,qFAAqF;AACrF,SAAgB,aAAa;IACzB,MAAM,QAAQ,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;IAC/B,QAAQ,QAAQ,EAAE;QACd,KAAK,OAAO;YACR,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE;gBACtB,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;aAC3C;YACD,OAAO,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC;QAC/B,KAAK,QAAQ;YACT,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,qBAAqB,CAAC,CAAC;QACrE,KAAK,OAAO;YACR,OAAO,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,CAAC;QAC1G;YACI,MAAM,IAAI,KAAK,CAAC,qBAAqB,QAAQ,EAAE,CAAC,CAAC;KACxD;AACL,CAAC;AAfD,sCAeC;AAED,wEAAwE;AACxE,SAAgB,WAAW;IACzB,MAAM,QAAQ,GAAW,EAAE,CAAC,QAAQ,EAAE,CAAC;IACvC,QAAQ,QAAQ,EAAE;QACd,KAAK,OAAO;YACR,OAAO,OAAO,CAAC;QACnB,KAAK,QAAQ;YACT,OAAO,QAAQ,CAAC;QACpB,KAAK,OAAO;YACR,OAAO,SAAS,CAAC;QACrB;YACI,MAAM,IAAI,KAAK,CAAC,yBAAyB,QAAQ,EAAE,CAAC,CAAC;KAC5D;AACH,CAAC;AAZD,kCAYC;AAED,gEAAgE;AAChE,SAAgB,OAAO;IACrB,MAAM,YAAY,GAAW,EAAE,CAAC,IAAI,EAAE,CAAC;IACvC,QAAQ,YAAY,EAAE;QAClB,KAAK,KAAK;YACN,OAAO,OAAO,CAAC;QACnB,KAAK,OAAO;YACR,OAAO,OAAO,CAAC;QACnB;YACI,MAAM,IAAI,KAAK,CAAC,6BAA6B,YAAY,EAAE,CAAC,CAAC;KACpE;AACH,CAAC;AAVD,0BAUC;AAED,SAAgB,kBAAkB;IAC9B,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;IAC/B,OAAO,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;AAChD,CAAC;AAHD,gDAGC"} \ No newline at end of file diff --git a/dist/setup.js b/dist/setup.js index f653996..f9d33fe 100644 --- a/dist/setup.js 
+++ b/dist/setup.js
@@ -63,14 +63,15 @@ function setup() {
 }
 // download Notation CLI and validate checksum
 const downloadURL = (0, install_1.getNotationDownloadURL)(version, notation_url);
- console.log(`Downloading Notation CLI from ${downloadURL}`);
+ console.log(`downloading Notation CLI from ${downloadURL}`);
 const pathToTarball = yield tc.downloadTool(downloadURL);
- if (notation_url) {
- yield (0, checksum_1.validateCheckSum)(pathToTarball, notation_checksum);
- }
- else {
- yield (0, checksum_1.validateCheckSum)(pathToTarball, (0, checksum_1.getNotationCheckSum)(version));
+ console.log("downloading Notation CLI completed");
+ const sha256 = yield (0, checksum_1.hash)(pathToTarball);
+ const expectedCheckSum = notation_url ? notation_checksum : (0, checksum_1.getNotationCheckSum)(version);
+ if (sha256 !== expectedCheckSum) {
+ throw new Error(`checksum of downloaded Notation CLI ${sha256} does not match expected checksum ${expectedCheckSum}`);
 }
+ console.log("successfully verified download checksum");
 // extract the tarball/zipball onto host runner
 const extract = downloadURL.endsWith('.zip') ? tc.extractZip : tc.extractTar;
 const pathToCLI = yield extract(pathToTarball);
@@ -82,7 +83,7 @@ function setup() {
 core.setFailed(e);
 }
 else {
- core.setFailed('Unknown error during notation setup');
+ core.setFailed('unknown error during notation setup');
 }
 }
 });
diff --git a/dist/setup.js.map b/dist/setup.js.map
index b677cf9..eda5e7a 100644
--- a/dist/setup.js.map
+++ b/dist/setup.js.map
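Review bot: The new comparison `sha256 !== expectedCheckSum` is case-sensitive while `hash` resolves a lowercase hex digest, so a user-supplied `notation_checksum` given in uppercase or with surrounding whitespace fails verification with a misleading "does not match" message; sign.js lowercases its `plugin_checksum` at input time, but whether `notation_checksum` gets the same treatment is decided above this hunk and is not visible here. Normalising at the point of use makes the behaviour independent of that: `const expectedCheckSum = (notation_url ? notation_checksum : (0, checksum_1.getNotationCheckSum)(version)).trim().toLowerCase();`. The check rightly runs on the downloaded file before extraction. `setup()`'s try block begins outside this hunk.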
@@ -1 +1 @@ -{"version":3,"file":"setup.js","sourceRoot":"","sources":["../src/setup.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,oDAAsC;AACtC,wDAA0C;AAC1C,6CAAqE;AACrE,2CAAuD;AAEvD,kCAAkC;AAClC,SAAe,KAAK;;QAChB,IAAI;YACA,mBAAmB;YACnB,MAAM,OAAO,GAAW,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;YACjD,MAAM,YAAY,GAAW,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAClD,MAAM,iBAAiB,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,CAAC;YAElE,eAAe;YACf,IAAI,YAAY,IAAI,CAAC,iBAAiB,EAAE;gBACpC,MAAM,IAAI,KAAK,CAAC,kFAAkF,CAAC,CAAA;aACtG;YAED,8CAA8C;YAC9C,MAAM,WAAW,GAAG,IAAA,gCAAsB,EAAC,OAAO,EAAE,YAAY,CAAC,CAAC;YAClE,OAAO,CAAC,GAAG,CAAC,iCAAiC,WAAW,EAAE,CAAC,CAAC;YAC5D,MAAM,aAAa,GAAW,MAAM,EAAE,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;YACjE,IAAI,YAAY,EAAE;gBACd,MAAM,IAAA,2BAAgB,EAAC,aAAa,EAAE,iBAAiB,CAAC,CAAC;aAC5D;iBAAM;gBACH,MAAM,IAAA,2BAAgB,EAAC,aAAa,EAAE,IAAA,8BAAmB,EAAC,OAAO,CAAC,CAAC,CAAC;aACvE;YAED,+CAA+C;YAC/C,MAAM,OAAO,GAAG,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC;YAC7E,MAAM,SAAS,GAAW,MAAM,OAAO,CAAC,aAAa,CAAC,CAAC;YAEvD,yBAAyB;YACzB,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;SAC3B;QAAC,OAAO,CAAC,EAAE;YACR,IAAI,CAAC,YAAY,KAAK,EAAE;gBACpB,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;aACrB;iBAAM;gBACH,IAAI,CAAC,SAAS,CAAC,qCAAqC,CAAC,CAAC;aACzD;SACJ;IACL,CAAC;CAAA;AAIC,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE;IAC3B,KAAK,EAAE,CAAC;CACT;AAJD,iBAAS,KAAK,CAAC"} \ No newline at end of file 
+{"version":3,"file":"setup.js","sourceRoot":"","sources":["../src/setup.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,oDAAsC;AACtC,wDAA0C;AAC1C,6CAAyD;AACzD,2CAAuD;AAEvD,kCAAkC;AAClC,SAAe,KAAK;;QAChB,IAAI;YACA,mBAAmB;YACnB,MAAM,OAAO,GAAW,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;YACjD,MAAM,YAAY,GAAW,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAClD,MAAM,iBAAiB,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,CAAC;YAElE,eAAe;YACf,IAAI,YAAY,IAAI,CAAC,iBAAiB,EAAE;gBACpC,MAAM,IAAI,KAAK,CAAC,kFAAkF,CAAC,CAAA;aACtG;YAED,8CAA8C;YAC9C,MAAM,WAAW,GAAG,IAAA,gCAAsB,EAAC,OAAO,EAAE,YAAY,CAAC,CAAC;YAClE,OAAO,CAAC,GAAG,CAAC,iCAAiC,WAAW,EAAE,CAAC,CAAC;YAC5D,MAAM,aAAa,GAAW,MAAM,EAAE,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;YACjE,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAA;YACjD,MAAM,MAAM,GAAG,MAAM,IAAA,eAAI,EAAC,aAAa,CAAC,CAAC;YACzC,MAAM,gBAAgB,GAAG,YAAY,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,IAAA,8BAAmB,EAAC,OAAO,CAAC,CAAC;YACzF,IAAI,MAAM,KAAK,gBAAgB,EAAE;gBAC7B,MAAM,IAAI,KAAK,CAAC,uCAAuC,MAAM,qCAAqC,gBAAgB,EAAE,CAAC,CAAC;aACzH;YACD,OAAO,CAAC,GAAG,CAAC,yCAAyC,CAAC,CAAA;YAEtD,+CAA+C;YAC/C,MAAM,OAAO,GAAG,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC;YAC7E,MAAM,SAAS,GAAW,MAAM,OAAO,CAAC,aAAa,CAAC,CAAC;YAEvD,yBAAyB;YACzB,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;SAC3B;QAAC,OAAO,CAAC,EAAE;YACR,IAAI,CAAC,YAAY,KAAK,EAAE;gBACpB,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;aACrB;iBAAM;gBACH,IAAI,CAAC,SAAS,CAAC,qCAAqC,CAAC,CAAC;aACzD;SACJ;IACL,CAAC;CAAA;AAIC,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE;IAC3B,KAAK,EAAE,CAAC;CACT;AAJD,iBAAS,KAAK,CAAC"} \ No newline at end of file diff --git a/dist/sign.js b/dist/sign.js index 731093d..7e36b7d 100644 --- a/dist/sign.js +++ b/dist/sign.js 
@@ -52,21 +52,42 @@ const path = __importStar(require("path"));
 const fs = __importStar(require("fs"));
 const checksum_1 = require("./lib/checksum");
 const install_1 = require("./lib/install");
+// plugin inputs from user
 const plugin_name = core.getInput('plugin_name');
+if (!plugin_name) {
+ throw new Error("input plugin_name is required");
+}
+const plugin_url = core.getInput('plugin_url');
+if (!plugin_url) {
+ throw new Error("input plugin_url is required");
+}
+const plugin_checksum = core.getInput('plugin_checksum').toLowerCase();
+if (!plugin_checksum) {
+ throw new Error("input plugin_checksum is required");
+}
+const notationPluginBinary = `notation-${plugin_name}` + (0, install_1.getBinaryExtension)();
 // sign signs the target artifact with Notation.
 function sign() {
 return __awaiter(this, void 0, void 0, function* () {
 try {
- yield setupPlugin();
- yield exec.getExecOutput('notation', ['plugin', 'ls']);
 // inputs from user
 const key_id = core.getInput('key_id');
 const plugin_config = core.getInput('plugin_config');
- const pluginConfigList = getPluginConfigList(plugin_config);
 const target_artifact_ref = core.getInput('target_artifact_reference');
 const signature_format = core.getInput('signature_format');
 const allow_referrers_api = core.getInput('allow_referrers_api');
+ // sanity check
+ if (!key_id) {
+ throw new Error("input key_id is required");
+ }
+ if (!target_artifact_ref) {
+ throw new Error("input target_artifact_reference is required");
+ }
+ // setting up notation signing plugin
+ yield setupPlugin();
+ yield exec.getExecOutput('notation', ['plugin', 'ls']);
 // sign core process
+ const pluginConfigList = getPluginConfigList(plugin_config);
 let notationCommand = ['sign', '--signature-format', signature_format, '--id', key_id, '--plugin', plugin_name, ...pluginConfigList];
 if (allow_referrers_api.toLowerCase() === 'true') {
 // if process.env.NOTATION_EXPERIMENTAL is not set, notation would
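Review bot: The three `throw new Error("input … is required")` statements added at module scope run at require time, outside the try/catch in `sign()`, so a missing input ends the step with an uncaught exception and stack trace instead of the `core.setFailed` annotation every other failure path in this file produces; the `notationPluginBinary` initialiser has the same exposure, since `getBinaryExtension()` throws on an unsupported platform. Moving these checks into `sign()` next to the new `key_id`/`target_artifact_reference` checks keeps one failure path. Separately, `plugin_name` is later interpolated into `notation/plugins/${plugin_name}` and into the expected binary name, so restricting it to a plain identifier at this point, e.g. `if (!/^[A-Za-z0-9._-]+$/.test(plugin_name)) throw new Error("input plugin_name must be a plain identifier");`, is a cheap guard against an unexpected path segment. The function containing the `allow_referrers_api` branch continues outside the hunk.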
@@ -80,7 +101,7 @@ function sign() {
 core.setFailed(e);
 }
 else {
- core.setFailed('Unknown error during notation sign');
+ core.setFailed('unknown error during notation sign');
 }
 }
 });
@@ -89,23 +110,35 @@ function sign() {
 function setupPlugin() {
 return __awaiter(this, void 0, void 0, function* () {
 try {
- // inputs from user
- const plugin_url = core.getInput('plugin_url');
- const plugin_checksum = core.getInput('plugin_checksum').toLowerCase();
- console.log(`signing plugin url is ${plugin_url}`);
- // download signing plugin and validate checksum
+ console.log(`input plugin_name is ${plugin_name}`);
+ console.log(`input plugin url is ${plugin_url}`);
+ console.log(`input plugin checksum is ${plugin_checksum}`);
+ // check if plugin is already installed
+ const notationPluginPath = path.join((0, install_1.getConfigHome)(), `notation/plugins/${plugin_name}`);
+ if (checkPluginExistence(notationPluginPath)) {
+ console.log(`plugin ${plugin_name} is already installed`);
+ return;
+ }
+ // download signing plugin, validate checksum and plugin name
+ console.log("downloading signing plugin...");
 const pathToTarball = yield tc.downloadTool(plugin_url);
- yield (0, checksum_1.validateCheckSum)(pathToTarball, plugin_checksum);
- // extract and install the plugin
+ console.log("downloading signing plugin completed");
+ const sha256 = yield (0, checksum_1.hash)(pathToTarball);
+ if (sha256 !== plugin_checksum) {
+ throw new Error(`checksum of downloaded plugin ${sha256} does not match expected checksum ${plugin_checksum}`);
+ }
+ console.log("successfully verified download checksum");
+ yield validateDownloadPluginName(pathToTarball);
+ console.log("successfully validated downloaded plugin name");
+ // install the plugin
 const extract = plugin_url.endsWith('.zip') ? tc.extractZip : tc.extractTar;
- const pluginPath = path.join((0, install_1.getConfigHome)(), `notation/plugins/${plugin_name}`);
- fs.mkdirSync(pluginPath, { recursive: true, });
- yield extract(pathToTarball, pluginPath);
- console.log(`Successfully moved the plugin binary to ${pluginPath}`);
- fs.chmod(pluginPath, 0o755, (err) => {
+ fs.mkdirSync(notationPluginPath, { recursive: true, });
+ yield extract(pathToTarball, notationPluginPath);
+ console.log(`successfully extracted the plugin binary to ${notationPluginPath}`);
+ fs.chmod(path.join(notationPluginPath, notationPluginBinary), 0o755, (err) => {
 if (err)
 throw err;
- console.log(`Successfully changed permission of plugin binary`);
+ console.log(`successfully changed permission of plugin binary`);
 });
 }
 catch (e) {
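Review bot: The new `fs.chmod(path.join(notationPluginPath, notationPluginBinary), 0o755, (err) => { … })` is callback-based and not awaited, so `setupPlugin` resolves before the mode change lands and `sign()` may run `notation plugin ls` against a binary that is not yet executable; the `throw err` in that callback also escapes the surrounding try/catch as an uncaught exception instead of reaching the caller. Replacing the call with `yield fs.promises.chmod(path.join(notationPluginPath, notationPluginBinary), 0o755);` followed by the existing `console.log(...)` fixes both. The early `return` when `checkPluginExistence` succeeds means `plugin_checksum` is only enforced on a fresh download and a binary already present at that path is trusted as-is; that is a reasonable cache, but worth stating in the comment, e.g. `// an already-present binary is reused without re-verifying plugin_checksum`. `setupPlugin`'s catch block continues outside the hunk.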
@@ -113,11 +146,29 @@ function setupPlugin() {
 throw e;
 }
 else {
- throw new Error("Unknown error during setting up notation signing plugin");
+ throw new Error("unknown error during setting up notation signing plugin");
 }
 }
 });
 }
+// checkPluginExistence checks if the plugin is already installed in Notation
+function checkPluginExistence(notationPluginPath) {
+ const pluginBinaryPath = path.join(notationPluginPath, notationPluginBinary);
+ return fs.existsSync(pluginBinaryPath);
+}
+// validateDownloadPluginName validates the downloaded plugin binary name
+// matches with user input plugin name
+function validateDownloadPluginName(pathToTarball) {
+ return __awaiter(this, void 0, void 0, function* () {
+ const extract = plugin_url.endsWith('.zip') ? tc.extractZip : tc.extractTar;
+ const curDir = yield extract(pathToTarball);
+ const expectedPluginBinaryPath = path.join(curDir, notationPluginBinary);
+ if (!fs.existsSync(expectedPluginBinaryPath)) {
+ throw new Error(`downloaded plugin does not match user input plugin_name, expected "${notationPluginBinary}" not found`);
+ }
+ });
+}
+// getPluginConfigList assembles --plugin-config for notaiton sign command
 function getPluginConfigList(pluginConfig) {
 if (!pluginConfig) {
 return [];
diff --git a/dist/sign.js.map b/dist/sign.js.map
index dde5371..c7ac8e1 100644
--- a/dist/sign.js.map
+++ b/dist/sign.js.map
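Review bot: `validateDownloadPluginName` extracts the archive a second time into a temporary directory solely to test for the binary, and `fs.existsSync` is satisfied by a directory of that name just as well as by a regular file; `checkPluginExistence` has the same weakness. Since `setupPlugin` extracts into `notationPluginPath` immediately after this call, the name check could run once on the installed tree, or at least both helpers could use `fs.statSync(p, { throwIfNoEntry: false })?.isFile()` so that only a real file counts. Also fix the typo in the new comment: `// getPluginConfigList assembles --plugin-config for notation sign command`. `getPluginConfigList`'s body continues outside the hunk.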
@@ -1 +1 @@ -{"version":3,"file":"sign.js","sourceRoot":"","sources":["../src/sign.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,oDAAsC;AACtC,oDAAsC;AACtC,wDAA0C;AAC1C,2CAA6B;AAC7B,uCAAyB;AACzB,6CAAgD;AAChD,2CAA4C;AAE5C,MAAM,WAAW,GAAG,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;AAEjD,gDAAgD;AAChD,SAAe,IAAI;;QACf,IAAI;YACA,MAAM,WAAW,EAAE,CAAC;YACpB,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,CAAC;YAEvD,mBAAmB;YACnB,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACvC,MAAM,aAAa,GAAG,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC;YACrD,MAAM,gBAAgB,GAAG,mBAAmB,CAAC,aAAa,CAAC,CAAC;YAC5D,MAAM,mBAAmB,GAAG,IAAI,CAAC,QAAQ,CAAC,2BAA2B,CAAC,CAAC;YACvE,MAAM,gBAAgB,GAAG,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC;YAC3D,MAAM,mBAAmB,GAAG,IAAI,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAC;YAEjE,oBAAoB;YACpB,IAAI,eAAe,GAAa,CAAC,MAAM,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,WAAW,EAAE,GAAG,gBAAgB,CAAC,CAAC;YAC/I,IAAI,mBAAmB,CAAC,WAAW,EAAE,KAAK,MAAM,EAAE;gBAC9C,kEAAkE;gBAClE,gCAAgC;gBAChC,eAAe,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;aACjD;YACD,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC,GAAG,eAAe,EAAE,mBAAmB,CAAC,CAAC,CAAC;SACnF;QAAC,OAAO,CAAU,EAAE;YACjB,IAAI,CAAC,YAAY,KAAK,EAAE;gBACpB,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;aACrB;iBAAM;gBACH,IAAI,CAAC,SAAS,CAAC,oCAAoC,CAAC,CAAC;aACxD;SACJ;IACL,CAAC;CAAA;AAED,mDAAmD;AACnD,SAAe,WAAW;;QACtB,IAAI;YACA,mBAAmB;YACnB,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;YAC/C,MAAM,eAAe,GAAG,IAAI,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,WAAW,EAAE,CAAC;YACvE,OAAO,CAAC,GAAG,CAAC,yBAAyB,UAAU,EAAE,CAAC,CAAC;YAEnD,gDAAgD;YAChD,MAAM,aAAa,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;YACxD,MAAM,IAAA,2BAAgB,EAAC,aAAa,EAAE,eAAe,CAAC,CAAC;YAEvD,iCAAiC;YACjC,MAAM,OAAO,GAAG,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC;YAC5E,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,IAAA,uBAAa,GAAE,EAAE,oBAAoB,WAAW,EAAE,CAAC,CAAC;YACjF,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,GAAG,CAAC,CAAC;YAC/C,MAAM,OAAO,CAA
C,aAAa,EAAE,UAAU,CAAC,CAAC;YACzC,OAAO,CAAC,GAAG,CAAC,2CAA2C,UAAU,EAAE,CAAC,CAAC;YACrE,EAAE,CAAC,KAAK,CAAC,UAAU,EAAE,KAAK,EAAE,CAAC,GAAG,EAAE,EAAE;gBAChC,IAAI,GAAG;oBAAE,MAAM,GAAG,CAAC;gBACnB,OAAO,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAC;YACpE,CAAC,CAAC,CAAC;SACN;QAAC,OAAO,CAAU,EAAE;YACjB,IAAI,CAAC,YAAY,KAAK,EAAE;gBACpB,MAAM,CAAC,CAAC;aACX;iBAAM;gBACH,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;aAC9E;SACJ;IACL,CAAC;CAAA;AAED,SAAS,mBAAmB,CAAC,YAAoB;IAC7C,IAAI,CAAC,YAAY,EAAE;QACf,OAAO,EAAE,CAAC;KACb;IACD,IAAI,gBAAgB,GAAa,EAAE,CAAC;IACpC,KAAK,IAAI,MAAM,IAAI,YAAY,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE;QAC5C,MAAM,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;QACvB,IAAI,MAAM,EAAE;YACR,gBAAgB,CAAC,IAAI,CAAC,kBAAkB,GAAG,MAAM,CAAC,CAAC;SACtD;KACJ;IACD,OAAO,gBAAgB,CAAC;AAC5B,CAAC;AAID,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE;IACzB,IAAI,EAAE,CAAC;CACV;AAJD,iBAAS,IAAI,CAAC"} \ No newline at end of file +{"version":3,"file":"sign.js","sourceRoot":"","sources":["../src/sign.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,oDAAsC;AACtC,oDAAsC;AACtC,wDAA0C;AAC1C,2CAA6B;AAC7B,uCAAyB;AACzB,6CAAoC;AACpC,2CAAgE;AAEhE,0BAA0B;AAC1B,MAAM,WAAW,GAAG,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;AACjD,IAAI,CAAC,WAAW,EAAE;IACd,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;CACpD;AACD,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;AAC/C,IAAI,CAAC,UAAU,EAAE;IACb,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;CACnD;AACD,MAAM,eAAe,GAAG,IAAI,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,WAAW,EAAE,CAAC;AACvE,IAAI,CAAC,eAAe,EAAE;IAClB,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;CACxD;AACD,MAAM,oBAAoB,GAAG,YAAY,WAAW,EAAE,GAAG,IAAA,4BAAkB,GAAE,CAAC;AAE9E,gDAAgD;AAChD,SAAe,IAAI;;QACf,IAAI;YACA,mBAAmB;YACnB,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACvC,MAAM,aAAa,GAAG,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC;YACrD,MAAM,mBAAmB,GAAG,IAAI,CAAC,QAAQ,CAAC,2BAA2B,CAAC,CAAC;YACvE,MAAM,gBAAgB,GAAG,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC;YAC3D,MAAM,mBAAmB,GAAG,IAAI,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAC;YAEjE,eAAe;YACf,IAAI,CAAC,MAAM,EAAE;gBACT,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC
,CAAC;aAC/C;YACD,IAAI,CAAC,mBAAmB,EAAE;gBACtB,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;aAClE;YAED,qCAAqC;YACrC,MAAM,WAAW,EAAE,CAAC;YACpB,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,CAAC;YAEvD,oBAAoB;YACpB,MAAM,gBAAgB,GAAG,mBAAmB,CAAC,aAAa,CAAC,CAAC;YAC5D,IAAI,eAAe,GAAa,CAAC,MAAM,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,WAAW,EAAE,GAAG,gBAAgB,CAAC,CAAC;YAC/I,IAAI,mBAAmB,CAAC,WAAW,EAAE,KAAK,MAAM,EAAE;gBAC9C,kEAAkE;gBAClE,gCAAgC;gBAChC,eAAe,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;aACjD;YACD,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC,GAAG,eAAe,EAAE,mBAAmB,CAAC,CAAC,CAAC;SACnF;QAAC,OAAO,CAAU,EAAE;YACjB,IAAI,CAAC,YAAY,KAAK,EAAE;gBACpB,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;aACrB;iBAAM;gBACH,IAAI,CAAC,SAAS,CAAC,oCAAoC,CAAC,CAAC;aACxD;SACJ;IACL,CAAC;CAAA;AAED,mDAAmD;AACnD,SAAe,WAAW;;QACtB,IAAI;YACA,OAAO,CAAC,GAAG,CAAC,wBAAwB,WAAW,EAAE,CAAC,CAAC;YACnD,OAAO,CAAC,GAAG,CAAC,uBAAuB,UAAU,EAAE,CAAC,CAAC;YACjD,OAAO,CAAC,GAAG,CAAC,4BAA4B,eAAe,EAAE,CAAC,CAAC;YAE3D,uCAAuC;YACvC,MAAM,kBAAkB,GAAG,IAAI,CAAC,IAAI,CAAC,IAAA,uBAAa,GAAE,EAAE,oBAAoB,WAAW,EAAE,CAAC,CAAC;YACzF,IAAI,oBAAoB,CAAC,kBAAkB,CAAC,EAAE;gBAC1C,OAAO,CAAC,GAAG,CAAC,UAAU,WAAW,uBAAuB,CAAC,CAAC;gBAC1D,OAAM;aACT;YAED,6DAA6D;YAC7D,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAA;YAC5C,MAAM,aAAa,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;YACxD,OAAO,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAA;YACnD,MAAM,MAAM,GAAG,MAAM,IAAA,eAAI,EAAC,aAAa,CAAC,CAAC;YACzC,IAAI,MAAM,KAAK,eAAe,EAAE;gBAC5B,MAAM,IAAI,KAAK,CAAC,iCAAiC,MAAM,qCAAqC,eAAe,EAAE,CAAC,CAAC;aAClH;YACD,OAAO,CAAC,GAAG,CAAC,yCAAyC,CAAC,CAAA;YACtD,MAAM,0BAA0B,CAAC,aAAa,CAAC,CAAC;YAChD,OAAO,CAAC,GAAG,CAAC,+CAA+C,CAAC,CAAA;YAE5D,qBAAqB;YACrB,MAAM,OAAO,GAAG,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC;YAC5E,EAAE,CAAC,SAAS,CAAC,kBAAkB,EAAE,EAAE,SAAS,EAAE,IAAI,GAAG,CAAC,CAAC;YACvD,MAAM,OAAO,CAAC,aAAa,EAAE,kBAAkB,CAAC,CAAC;YACjD,OAAO,CAAC,GAAG,CAAC,+CAA+C,kBAAkB,EAAE,CAAC,CAAC;YACjF,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,oBAAoB,
CAAC,EAAE,KAAK,EAAE,CAAC,GAAG,EAAE,EAAE;gBACzE,IAAI,GAAG;oBAAE,MAAM,GAAG,CAAC;gBACnB,OAAO,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAC;YACpE,CAAC,CAAC,CAAC;SACN;QAAC,OAAO,CAAU,EAAE;YACjB,IAAI,CAAC,YAAY,KAAK,EAAE;gBACpB,MAAM,CAAC,CAAC;aACX;iBAAM;gBACH,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;aAC9E;SACJ;IACL,CAAC;CAAA;AAED,6EAA6E;AAC7E,SAAS,oBAAoB,CAAC,kBAA0B;IACpD,MAAM,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,oBAAoB,CAAC,CAAC;IAC7E,OAAO,EAAE,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC;AAC3C,CAAC;AAED,yEAAyE;AACzE,sCAAsC;AACtC,SAAe,0BAA0B,CAAC,aAAqB;;QAC3D,MAAM,OAAO,GAAG,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC;QAC5E,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,aAAa,CAAC,CAAC;QAC5C,MAAM,wBAAwB,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAC;QACzE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,wBAAwB,CAAC,EAAE;YAC1C,MAAM,IAAI,KAAK,CAAC,sEAAsE,oBAAoB,aAAa,CAAC,CAAC;SAC5H;IACL,CAAC;CAAA;AAED,0EAA0E;AAC1E,SAAS,mBAAmB,CAAC,YAAoB;IAC7C,IAAI,CAAC,YAAY,EAAE;QACf,OAAO,EAAE,CAAC;KACb;IACD,IAAI,gBAAgB,GAAa,EAAE,CAAC;IACpC,KAAK,IAAI,MAAM,IAAI,YAAY,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE;QAC5C,MAAM,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;QACvB,IAAI,MAAM,EAAE;YACR,gBAAgB,CAAC,IAAI,CAAC,kBAAkB,GAAG,MAAM,CAAC,CAAC;SACtD;KACJ;IACD,OAAO,gBAAgB,CAAC;AAC5B,CAAC;AAID,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE;IACzB,IAAI,EAAE,CAAC;CACV;AAJD,iBAAS,IAAI,CAAC"} \ No newline at end of file diff --git a/dist/verify.js b/dist/verify.js index 07dfb71..288df56 100644 --- a/dist/verify.js +++ b/dist/verify.js 
@@ -59,8 +59,18 @@ function verify() {
 const trust_policy = core.getInput('trust_policy'); // .github/trustpolicy/trustpolicy.json
 const trust_store = core.getInput('trust_store'); // .github/truststore
 const allow_referrers_api = core.getInput('allow_referrers_api');
+ // sanity check
+ if (!target_artifact_ref) {
+ throw new Error("input target_artifact_reference is required");
+ }
+ if (!trust_policy) {
+ throw new Error("input trust_policy is required");
+ }
+ if (!trust_store) {
+ throw new Error("input trust_store is required");
+ }
 // configure Notation trust policy
- yield exec.getExecOutput('notation', ['policy', 'import', trust_policy]);
+ yield exec.getExecOutput('notation', ['policy', 'import', '--force', trust_policy]);
 yield exec.getExecOutput('notation', ['policy', 'show']);
 // configure Notation trust store
 yield configTrustStore(trust_store);
@@ -80,7 +90,7 @@ function verify() {
 core.setFailed(e);
 }
 else {
- core.setFailed('Unknown error during notation verify');
+ core.setFailed('unknown error during notation verify');
 }
 }
 });
diff --git a/dist/verify.js.map b/dist/verify.js.map
index 5df56a8..ff287ee 100644
--- a/dist/verify.js.map
+++ b/dist/verify.js.map
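Review bot: The new `'--force'` on `notation policy import` replaces whatever trust policy is already configured on the runner without any prompt, which is the right behaviour for a CI step but is not explained anywhere, so the next reader may remove it as an oversight; a one-line comment would prevent that: `// --force: overwrite any trust policy already on the runner so the workflow's policy always wins`. The input checks added above it throw inside the try block and therefore reach `core.setFailed` correctly, unlike the module-scope checks in sign.js. `verify()`'s body begins outside this hunk.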
@@ -1 +1 @@ -{"version":3,"file":"verify.js","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,oDAAsC;AACtC,oDAAsC;AACtC,uCAAyB;AACzB,2CAA6B;AAE7B,MAAM,IAAI,GAAG,MAAM,CAAC;AAEpB,oDAAoD;AACpD,SAAe,MAAM;;QACjB,IAAI;YACA,mBAAmB;YACnB,MAAM,mBAAmB,GAAG,IAAI,CAAC,QAAQ,CAAC,2BAA2B,CAAC,CAAC;YACvE,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,CAAC,uCAAuC;YAC3F,MAAM,WAAW,GAAG,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,qBAAqB;YACvE,MAAM,mBAAmB,GAAG,IAAI,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAC;YAEjE,kCAAkC;YAClC,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC;YACzE,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;YAEzD,iCAAiC;YACjC,MAAM,gBAAgB,CAAC,WAAW,CAAC,CAAC;YACpC,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC;YAErD,sBAAsB;YACtB,IAAI,mBAAmB,CAAC,WAAW,EAAE,KAAK,MAAM,EAAE;gBAC9C,kEAAkE;gBAClE,gCAAgC;gBAChC,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC,QAAQ,EAAE,uBAAuB,EAAE,mBAAmB,EAAE,IAAI,CAAC,CAAC,CAAC;aACxG;iBAAM;gBACH,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC,QAAQ,EAAE,mBAAmB,EAAE,IAAI,CAAC,CAAC,CAAC;aAC/E;SACJ;QAAC,OAAO,CAAU,EAAE;YACjB,IAAI,CAAC,YAAY,KAAK,EAAE;gBACpB,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;aACrB;iBAAM;gBACH,IAAI,CAAC,SAAS,CAAC,sCAAsC,CAAC,CAAC;aAC1D;SACJ;IACL,CAAC;CAAA;AAED,mEAAmE;AACnE,4HAA4H;AAC5H,SAAe,gBAAgB,CAAC,GAAW;;QACvC,IAAI,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC,0BAA0B;QACrE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE;YAChC,MAAM,IAAI,KAAK,CAAC,gCAAgC,cAAc,EAAE,CAAC,CAAC;SACrE;QACD,IAAI,eAAe,GAAG,SAAS,CAAC,cAAc,CAAC,CAAC,CAAC,8EAA8E;QAC/H,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,eAAe,CAAC,MAAM,EAAE,EAAE,CAAC,EAAE;YAC7C,IAAI,cAAc,GAAG,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC;YACvD,IAAI,WAAW,GAAG,SAAS,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,wFAAwF;YACzI,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,CAAC,MAAM,EAAE,EAAE,CAAC,EAAE;gBACzC,IAAI,UAAU,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,wCAAw
C;gBACzE,IAAI,cAAc,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,aAAa;gBAC7D,IAAI,QAAQ,GAAG,cAAc,CAAC,UAAU,CAAC,CAAC,CAAC,4GAA4G;gBACvJ,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,cAAc,EAAE,GAAG,QAAQ,CAAC,CAAC,CAAC;aAC5G;SACJ;IACL,CAAC;CAAA;AAED,0DAA0D;AAC1D,SAAS,SAAS,CAAC,GAAW;IAC1B,OAAO,EAAE,CAAC,WAAW,CAAC,GAAG,EAAE,EAAC,aAAa,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAC,CAAC;SAC1D,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;SAClC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AACpD,CAAC;AAED,4DAA4D;AAC5D,SAAS,cAAc,CAAC,GAAW;IAC/B,OAAO,EAAE,CAAC,WAAW,CAAC,GAAG,EAAE,EAAC,aAAa,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAC,CAAC;SAC1D,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;SACnC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AACpD,CAAC;AAID,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE;IACzB,MAAM,EAAE,CAAC;CACZ;AAJD,iBAAS,MAAM,CAAC"} \ No newline at end of file +{"version":3,"file":"verify.js","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,oDAAsC;AACtC,oDAAsC;AACtC,uCAAyB;AACzB,2CAA6B;AAE7B,MAAM,IAAI,GAAG,MAAM,CAAC;AAEpB,oDAAoD;AACpD,SAAe,MAAM;;QACjB,IAAI;YACA,mBAAmB;YACnB,MAAM,mBAAmB,GAAG,IAAI,CAAC,QAAQ,CAAC,2BAA2B,CAAC,CAAC;YACvE,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,CAAC,uCAAuC;YAC3F,MAAM,WAAW,GAAG,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,qBAAqB;YACvE,MAAM,mBAAmB,GAAG,IAAI,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAC;YAEjE,eAAe;YACf,IAAI,CAAC,mBAAmB,EAAE;gBACtB,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;aAClE;YACD,IAAI,CAAC,YAAY,EAAE;gBACf,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;aACrD;YACD,IAAI,CAAC,WAAW,EAAE;gBACd,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;aACpD;YAED,kCAAkC;YAClC,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,YAAY,CAAC,CAAC,CAAC;YACpF,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;YAEzD,iCAAiC;YACjC,MAAM,gBAAgB,CAA
C,WAAW,CAAC,CAAC;YACpC,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC;YAErD,sBAAsB;YACtB,IAAI,mBAAmB,CAAC,WAAW,EAAE,KAAK,MAAM,EAAE;gBAC9C,kEAAkE;gBAClE,gCAAgC;gBAChC,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC,QAAQ,EAAE,uBAAuB,EAAE,mBAAmB,EAAE,IAAI,CAAC,CAAC,CAAC;aACxG;iBAAM;gBACH,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC,QAAQ,EAAE,mBAAmB,EAAE,IAAI,CAAC,CAAC,CAAC;aAC/E;SACJ;QAAC,OAAO,CAAU,EAAE;YACjB,IAAI,CAAC,YAAY,KAAK,EAAE;gBACpB,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;aACrB;iBAAM;gBACH,IAAI,CAAC,SAAS,CAAC,sCAAsC,CAAC,CAAC;aAC1D;SACJ;IACL,CAAC;CAAA;AAED,mEAAmE;AACnE,4HAA4H;AAC5H,SAAe,gBAAgB,CAAC,GAAW;;QACvC,IAAI,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC,0BAA0B;QACrE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE;YAChC,MAAM,IAAI,KAAK,CAAC,gCAAgC,cAAc,EAAE,CAAC,CAAC;SACrE;QACD,IAAI,eAAe,GAAG,SAAS,CAAC,cAAc,CAAC,CAAC,CAAC,8EAA8E;QAC/H,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,eAAe,CAAC,MAAM,EAAE,EAAE,CAAC,EAAE;YAC7C,IAAI,cAAc,GAAG,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC;YACvD,IAAI,WAAW,GAAG,SAAS,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,wFAAwF;YACzI,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,CAAC,MAAM,EAAE,EAAE,CAAC,EAAE;gBACzC,IAAI,UAAU,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,wCAAwC;gBACzE,IAAI,cAAc,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,aAAa;gBAC7D,IAAI,QAAQ,GAAG,cAAc,CAAC,UAAU,CAAC,CAAC,CAAC,4GAA4G;gBACvJ,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,cAAc,EAAE,GAAG,QAAQ,CAAC,CAAC,CAAC;aAC5G;SACJ;IACL,CAAC;CAAA;AAED,0DAA0D;AAC1D,SAAS,SAAS,CAAC,GAAW;IAC1B,OAAO,EAAE,CAAC,WAAW,CAAC,GAAG,EAAE,EAAC,aAAa,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAC,CAAC;SAC1D,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;SAClC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AACpD,CAAC;AAED,4DAA4D;AAC5D,SAAS,cAAc,CAAC,GAAW;IAC/B,OAAO,EAAE,CAAC,WAAW,CAAC,GAAG,EAAE,EAAC,aAAa,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAC,CAAC;SAC1D,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,CA
AC;SACnC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AACpD,CAAC;AAID,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE;IACzB,MAAM,EAAE,CAAC;CACZ;AAJD,iBAAS,MAAM,CAAC"} \ No newline at end of file diff --git a/src/lib/checksum.ts b/src/lib/checksum.ts index 8287d59..07993b7 100644 --- a/src/lib/checksum.ts +++ b/src/lib/checksum.ts @@ -18,15 +18,6 @@ import * as fs from 'fs'; import {getPlatform, getArch} from './install'; import notationReleases from './data/notation_releases.json'; -// validateCheckSum validates checksum of file at path against ground truth. -export async function validateCheckSum(path: string, groundTruth: string) { - const sha256 = await hash(path); - if (sha256 !== groundTruth) { - throw new Error(`checksum of downloaded plugin ${sha256} does not match ground truth ${groundTruth}`); - } - console.log("Successfully checked download checksum against ground truth") -} - // getNotationCheckSum returns checksum of user specified official Notation CLI // release. export function getNotationCheckSum(version: string): string { @@ -40,11 +31,11 @@ export function getNotationCheckSum(version: string): string { return checksum; } } - throw new Error(`Notation release does not support user input version ${version}`); + throw new Error(`Notation CLI release does not support user input version ${version}`); } // hash computes SH256 of file at path. -function hash(path: string): Promise { +export function hash(path: string): Promise { return new Promise((resolve, reject) => { const hash = crypto.createHash('sha256'); const stream = fs.createReadStream(path); diff --git a/src/lib/install.ts b/src/lib/install.ts index bd20785..567202c 100644 --- a/src/lib/install.ts +++ b/src/lib/install.ts 
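Review bot: `hash` is exported in the second checksum.ts hunk and now backs the digest comparisons in setup.ts and sign.ts, but its header comment still reads `// hash computes SH256 of file at path.` and says nothing about what the promise resolves with. Callers compare that string against user-supplied digests (sign.ts lower-cases its input, setup.ts does not), so the comment should pin the contract, e.g. `// hash resolves with the SHA-256 digest of the file at path as a hex string; callers must normalize the expected value to the same case before comparing.` — presumably lowercase hex from crypto's digest, which the body (outside this hunk) would confirm. hash's body continues past the hunk's last line.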
@@ -43,7 +43,7 @@ export function getConfigHome(): string {
 case 'linux':
 return process.env.XDG_CONFIG_HOME ? process.env.XDG_CONFIG_HOME : path.join(os.homedir(), '.config');
 default:
- throw new Error(`Unknown platform: ${platform}`);
+ throw new Error(`unknown platform: ${platform}`);
 }
 }
@@ -58,7 +58,7 @@ export function getPlatform(): string {
 case 'win32':
 return 'windows';
 default:
- throw new Error(`Unsupported platform: ${platform}`);
+ throw new Error(`unsupported platform: ${platform}`);
 }
 }
@@ -71,6 +71,11 @@ export function getArch(): string {
 case 'arm64':
 return 'arm64';
 default:
- throw new Error(`Unsupported architecture: ${architecture}`);
+ throw new Error(`unsupported architecture: ${architecture}`);
 }
+}
+
+export function getBinaryExtension(): string {
+ const platform = getPlatform();
+ return platform === 'windows' ? '.exe' : '';
 }
\ No newline at end of file
diff --git a/src/setup.ts b/src/setup.ts
index b4006b1..e668c40 100644
--- a/src/setup.ts
+++ b/src/setup.ts
@@ -15,7 +15,7 @@ import * as core from '@actions/core';
 import * as tc from '@actions/tool-cache';
-import {validateCheckSum, getNotationCheckSum} from './lib/checksum';
+import {hash, getNotationCheckSum} from './lib/checksum';
 import { getNotationDownloadURL } from './lib/install';
 // setup sets up the Notation CLI.
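Review bot: `getBinaryExtension` is the only new function in the install.ts hunks and carries no header comment, which matters because sign.ts relies on it to build the plugin binary name; add `// getBinaryExtension returns the file name suffix of a Notation binary on the current platform: '.exe' on Windows, empty otherwise.` above it. Its two statements collapse to `return getPlatform() === 'windows' ? '.exe' : '';` with identical behavior, since getPlatform still throws first on an unsupported platform. The file also still ends without a trailing newline, as the `\ No newline at end of file` marker shows.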
@@ -33,13 +33,15 @@ async function setup(): Promise {
 // download Notation CLI and validate checksum
 const downloadURL = getNotationDownloadURL(version, notation_url);
- console.log(`Downloading Notation CLI from ${downloadURL}`);
+ console.log(`downloading Notation CLI from ${downloadURL}`);
 const pathToTarball: string = await tc.downloadTool(downloadURL);
- if (notation_url) {
- await validateCheckSum(pathToTarball, notation_checksum);
- } else {
- await validateCheckSum(pathToTarball, getNotationCheckSum(version));
+ console.log("downloading Notation CLI completed")
+ const sha256 = await hash(pathToTarball);
+ const expectedCheckSum = notation_url ? notation_checksum : getNotationCheckSum(version);
+ if (sha256 !== expectedCheckSum) {
+ throw new Error(`checksum of downloaded Notation CLI ${sha256} does not match expected checksum ${expectedCheckSum}`);
 }
+ console.log("successfully verified download checksum")
 // extract the tarball/zipball onto host runner
 const extract = downloadURL.endsWith('.zip') ? tc.extractZip : tc.extractTar;
@@ -51,7 +53,7 @@ async function setup(): Promise {
 if (e instanceof Error) {
 core.setFailed(e);
 } else {
- core.setFailed('Unknown error during notation setup');
+ core.setFailed('unknown error during notation setup');
 }
 }
 }
diff --git a/src/sign.ts b/src/sign.ts
index 67b7d21..a0fb645 100644
--- a/src/sign.ts
+++ b/src/sign.ts
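Review bot: when `notation_url` is set, `expectedCheckSum` in the first setup.ts hunk is the raw `notation_checksum` input, so an empty or upper-case digest fails `sha256 !== expectedCheckSum` with a message that blames the download instead of the input; sign.ts in the same commit lower-cases `plugin_checksum` and rejects it when empty, and setup.ts should guard the same way before comparing, e.g. `if (notation_url && !notation_checksum) { throw new Error("input notation_checksum is required when notation_url is set"); }` (where `notation_checksum` is read is outside this hunk, so if it is already normalized there only the empty case remains). The comparison itself fails closed, which is the right shape. The three added `console.log(...)` lines also drop the trailing semicolon the surrounding lines use.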
@@ -18,26 +18,48 @@ import * as exec from '@actions/exec';
 import * as tc from '@actions/tool-cache';
 import * as path from 'path';
 import * as fs from 'fs';
-import {validateCheckSum} from './lib/checksum';
-import {getConfigHome} from './lib/install';
+import {hash} from './lib/checksum';
+import {getConfigHome, getBinaryExtension} from './lib/install';
+// plugin inputs from user
 const plugin_name = core.getInput('plugin_name');
+if (!plugin_name) {
+ throw new Error("input plugin_name is required");
+}
+const plugin_url = core.getInput('plugin_url');
+if (!plugin_url) {
+ throw new Error("input plugin_url is required");
+}
+const plugin_checksum = core.getInput('plugin_checksum').toLowerCase();
+if (!plugin_checksum) {
+ throw new Error("input plugin_checksum is required");
+}
+const notationPluginBinary = `notation-${plugin_name}` + getBinaryExtension();
 // sign signs the target artifact with Notation.
 async function sign(): Promise {
 try {
- await setupPlugin();
- await exec.getExecOutput('notation', ['plugin', 'ls']);
-
 // inputs from user
 const key_id = core.getInput('key_id');
 const plugin_config = core.getInput('plugin_config');
- const pluginConfigList = getPluginConfigList(plugin_config);
 const target_artifact_ref = core.getInput('target_artifact_reference');
 const signature_format = core.getInput('signature_format');
 const allow_referrers_api = core.getInput('allow_referrers_api');
+ // sanity check
+ if (!key_id) {
+ throw new Error("input key_id is required");
+ }
+ if (!target_artifact_ref) {
+ throw new Error("input target_artifact_reference is required");
+ }
+
+ // setting up notation signing plugin
+ await setupPlugin();
+ await exec.getExecOutput('notation', ['plugin', 'ls']);
+ // sign core process
+ const pluginConfigList = getPluginConfigList(plugin_config);
 let notationCommand: string[] = ['sign', '--signature-format', signature_format, '--id', key_id, '--plugin', plugin_name, ...pluginConfigList];
 if (allow_referrers_api.toLowerCase() === 'true') {
 // if process.env.NOTATION_EXPERIMENTAL is not set, notation would
@@ -49,7 +71,7 @@ async function sign(): Promise {
 if (e instanceof Error) {
 core.setFailed(e);
 } else {
- core.setFailed('Unknown error during notation sign');
+ core.setFailed('unknown error during notation sign');
 }
 }
 }
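Review bot: the three `if (!plugin_name) { throw ... }` guards added at module scope execute at import time, outside `sign()`'s try/catch, so a missing plugin input surfaces as an unhandled exception instead of through `core.setFailed` like the `key_id` and `target_artifact_reference` checks later in the same hunk; reading and validating the plugin inputs inside `sign()` (or a helper it calls before `setupPlugin()`) keeps failure reporting uniform. `plugin_name` also flows unchecked into `notationPluginBinary` here and into the plugin directory path under the Notation config home in the next hunk, so rejecting values containing path separators or `.`/`..` components at the same point would keep the install confined to that directory. sign()'s body continues outside the hunk.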
@@ -57,34 +79,65 @@ async function sign(): Promise {
 // setupPlugin sets up the Notation signing plugin.
 async function setupPlugin() {
 try {
- // inputs from user
- const plugin_url = core.getInput('plugin_url');
- const plugin_checksum = core.getInput('plugin_checksum').toLowerCase();
- console.log(`signing plugin url is ${plugin_url}`);
+ console.log(`input plugin_name is ${plugin_name}`);
+ console.log(`input plugin url is ${plugin_url}`);
+ console.log(`input plugin checksum is ${plugin_checksum}`);
+
+ // check if plugin is already installed
+ const notationPluginPath = path.join(getConfigHome(), `notation/plugins/${plugin_name}`);
+ if (checkPluginExistence(notationPluginPath)) {
+ console.log(`plugin ${plugin_name} is already installed`);
+ return
+ }
- // download signing plugin and validate checksum
+ // download signing plugin, validate checksum and plugin name
+ console.log("downloading signing plugin...")
 const pathToTarball = await tc.downloadTool(plugin_url);
- await validateCheckSum(pathToTarball, plugin_checksum);
-
- // extract and install the plugin
+ console.log("downloading signing plugin completed")
+ const sha256 = await hash(pathToTarball);
+ if (sha256 !== plugin_checksum) {
+ throw new Error(`checksum of downloaded plugin ${sha256} does not match expected checksum ${plugin_checksum}`);
+ }
+ console.log("successfully verified download checksum")
+ await validateDownloadPluginName(pathToTarball);
+ console.log("successfully validated downloaded plugin name")
+
+ // install the plugin
 const extract = plugin_url.endsWith('.zip') ? tc.extractZip : tc.extractTar;
- const pluginPath = path.join(getConfigHome(), `notation/plugins/${plugin_name}`);
- fs.mkdirSync(pluginPath, { recursive: true, });
- await extract(pathToTarball, pluginPath);
- console.log(`Successfully moved the plugin binary to ${pluginPath}`);
- fs.chmod(pluginPath, 0o755, (err) => {
+ fs.mkdirSync(notationPluginPath, { recursive: true, });
+ await extract(pathToTarball, notationPluginPath);
+ console.log(`successfully extracted the plugin binary to ${notationPluginPath}`);
+ fs.chmod(path.join(notationPluginPath, notationPluginBinary), 0o755, (err) => {
 if (err) throw err;
- console.log(`Successfully changed permission of plugin binary`);
+ console.log(`successfully changed permission of plugin binary`);
 });
 } catch (e: unknown) {
 if (e instanceof Error) {
 throw e;
 } else {
- throw new Error("Unknown error during setting up notation signing plugin");
+ throw new Error("unknown error during setting up notation signing plugin");
 }
 }
 }
+// checkPluginExistence checks if the plugin is already installed in Notation
+function checkPluginExistence(notationPluginPath: string): boolean {
+ const pluginBinaryPath = path.join(notationPluginPath, notationPluginBinary);
+ return fs.existsSync(pluginBinaryPath);
+}
+
+// validateDownloadPluginName validates the downloaded plugin binary name
+// matches with user input plugin name
+async function validateDownloadPluginName(pathToTarball: string) {
+ const extract = plugin_url.endsWith('.zip') ? tc.extractZip : tc.extractTar;
+ const curDir = await extract(pathToTarball);
+ const expectedPluginBinaryPath = path.join(curDir, notationPluginBinary);
+ if (!fs.existsSync(expectedPluginBinaryPath)) {
+ throw new Error(`downloaded plugin does not match user input plugin_name, expected "${notationPluginBinary}" not found`);
+ }
+}
+
+// getPluginConfigList assembles --plugin-config for notaiton sign command
 function getPluginConfigList(pluginConfig: string): string[] {
 if (!pluginConfig) {
 return [];
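Review bot: the rewritten `fs.chmod(path.join(notationPluginPath, notationPluginBinary), 0o755, (err) => { if (err) throw err; ... })` still uses the callback form, so `setupPlugin` resolves before the mode change has happened and an error thrown inside the callback escapes the surrounding try/catch as an unhandled exception; `await fs.promises.chmod(path.join(notationPluginPath, notationPluginBinary), 0o755);` followed by the log line fixes both. The new `checkPluginExistence` early return reuses whatever binary already sits at `notationPluginPath` without the checksum and name checks a fresh download gets, which is fine on an ephemeral runner but trusts persistent state on a self-hosted one — at least say so in the comment, e.g. `// an already installed binary is reused as-is; its checksum is not re-verified`. `validateDownloadPluginName` extracts the archive a second time (presumably into a temporary directory) only to test for one file name, doubling the work and leaving that copy behind. The comment on `getPluginConfigList` misspells the tool: `// getPluginConfigList assembles --plugin-config for notation sign command`.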
diff --git a/src/verify.ts b/src/verify.ts
index 3b80e30..155f46b 100644
--- a/src/verify.ts
+++ b/src/verify.ts
@@ -29,8 +29,19 @@ async function verify(): Promise {
 const trust_store = core.getInput('trust_store'); // .github/truststore
 const allow_referrers_api = core.getInput('allow_referrers_api');
+ // sanity check
+ if (!target_artifact_ref) {
+ throw new Error("input target_artifact_reference is required");
+ }
+ if (!trust_policy) {
+ throw new Error("input trust_policy is required");
+ }
+ if (!trust_store) {
+ throw new Error("input trust_store is required");
+ }
+
 // configure Notation trust policy
- await exec.getExecOutput('notation', ['policy', 'import', trust_policy]);
+ await exec.getExecOutput('notation', ['policy', 'import', '--force', trust_policy]);
 await exec.getExecOutput('notation', ['policy', 'show']);
 // configure Notation trust store
@@ -49,7 +60,7 @@ async function verify(): Promise {
 if (e instanceof Error) {
 core.setFailed(e);
 } else {
- core.setFailed('Unknown error during notation verify');
+ core.setFailed('unknown error during notation verify');
 }
 }
 }
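Review bot: the `--force` added to `notation policy import` replaces any trust policy already present on the runner without confirmation, which is intended for a job that should always verify against its own workflow's policy but is explained nowhere; add a why-comment above the line, e.g. `// --force replaces a trust policy left by an earlier job on the same runner, so verification always uses this workflow's policy.` The three new guards reject only empty inputs and leave checking that the `trust_policy` file and `trust_store` directory exist to notation, which is acceptable as long as its error is surfaced — verify()'s body continues between and outside the two hunks. `// sanity check` could name what is checked, e.g. `// required inputs`.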