Fix draft release installer
This is something we only require for testing our releases

Signed-off-by: Marco Franssen <marco.franssen@philips.com>
marcofranssen committed Feb 14, 2022
1 parent 4d3ee36 commit 419b873
Showing 1 changed file with 12 additions and 6 deletions.
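--- a/install-slsa-provenance.sh
+++ b/install-slsa-provenance.sh
@@ -14,6 +14,8 @@ fi
 
 set -e
 
+GITHUB_API=${GITHUB_API:-'https://api.github.com'}
+
 # default to relative path if INSTALL_PATH is not set
 INSTALL_PATH=${INSTALL_PATH:-$(realpath ./.slsa-provenance)}
 
@@ -24,13 +26,17 @@ RELEASE="https://github.com/philips-labs/slsa-provenance-action/releases/downloa
 
 if [[ "$VERSION" == *-draft ]] ; then
 curl_args=(-H "Authorization: token $GITHUB_TOKEN")
-html_url=$(curl "${curl_args[@]}" -s https://api.github.com/repos/philips-labs/slsa-provenance-action/releases\?per_page\=10 | jq 'map(select(.name == "v0.6.2-draft"))' | jq -r '.[0].html_url')
-RELEASE=${html_url/tag/download}
+assets=$(curl "${curl_args[@]}" -s "${GITHUB_API}/repos/philips-labs/slsa-provenance-action/releases?per_page=10" | jq "map(select(.name == \"${VERSION}\"))" | jq -r '.[0].assets')
 fi
 
 function download {
-log_info "Downloading ${1}"
-curl "${curl_args[@]}" -sLo --show-error "${1}" "${2}"
+url="${2}"
+if [[ "$VERSION" == *-draft ]] ; then
+url="$(echo "${assets}" | jq "map(select(.name == \"$1\"))" | jq -r '.[0].url')"
+curl_args+=(-H 'Accept: application/octet-stream')
+fi
+log_info "Downloading ${1} from ${url}"
+curl -sLo "${1}" --show-error "${curl_args[@]}" "${url}"
 echo
 }
 
@@ -85,8 +91,8 @@ if [ -x "$(command -v cosign)" ] ; then
 download cosign.pub "$RELEASE/cosign.pub"
 
 log_info "Verifying signature…"
-cosign verify-blob --key cosign.pub --signature slsa-provenance.sig "${ARCHIVE}"
-rm slsa-provenance.sig cosign.pub
+cosign verify-blob --key cosign.pub --signature "${ARCHIVE}.sig" "${ARCHIVE}"
+rm "${ARCHIVE}.sig" cosign.pub
 else
 log_warning >&2
 log_warning " cosign binary not installed in PATH. Unable to verify signature!" >&2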
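Review bot: In the second hunk, `download` resolves the asset URL from `${assets}` but never checks the result, and the curl call has `-s`/`--show-error` without `--fail`, so a draft install can write something other than the asset to `${1}` without stopping. When no asset matches, `jq -r '.[0].url'` prints `null`, and on an HTTP error curl still exits 0 and saves the error body, which `set -e` does not catch; the visible `else` branch of the cosign check only warns, so nothing shown there would reject such a file. `$1` and `${VERSION}` are also spliced into the jq program text, where `--arg` would keep them as data, and `curl_args+=` grows the global array on every call, so the per-call header belongs in a local copy. Since `curl_args` carries `Authorization: token $GITHUB_TOKEN` and `GITHUB_API` is now read from the environment, the script header should state that the token is sent to whatever host that variable names.

```shell
function download {
  local url="${2}"
  local -a args=("${curl_args[@]}")   # per-call copy; the global array is not grown
  if [[ "$VERSION" == *-draft ]] ; then
    url="$(jq -r --arg name "$1" 'map(select(.name == $name)) | .[0].url // empty' <<<"${assets}")"
    if [[ -z "$url" ]] ; then
      log_warning "No asset named ${1} in release ${VERSION}" >&2
      return 1
    fi
    args+=(-H 'Accept: application/octet-stream')
  fi
  # … unchanged: log_info line …
  curl --fail -sLo "${1}" --show-error "${args[@]}" "${url}"
  # … unchanged: echo and closing brace …
```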
