RepoMirrors
/
openwrt
mirror of git://git.openwrt.org/openwrt/openwrt.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ci: build: verify downloaded toolchain tarball 

CDNs are known to ship outdated or corrupted files, if it unpacks
correctly, it necessarily doesn't mean, that we're using the desired
content. So lets fix it by checking the tarball as well.

I'm adding GPG checking explicitly, its not needed, but just double
checking, that everything is working as expected on build
infrastructure.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
This commit is contained in:
Petr Štetiar 2023-05-26 11:41:18 +02:00
parent 567784127e
commit 95dde52329
No known key found for this signature in database
GPG Key ID: 58EE120F30CC02D3
1 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
.github/workflows/build.yml vendored
View File

@ -280,13 +280,23 @@ jobs:
restore-keys: |
ccache-${{ inputs.ccache_type }}-${{ inputs.target }}/${{ inputs.subtarget }}-
- name: Import GPG keys
shell: su buildbot -c "sh -e {0}"
if: inputs.build_toolchain == false && steps.parse-toolchain.outputs.toolchain-type != 'internal' && steps.parse-toolchain.outputs.toolchain-type != 'external_container'
run: gpg --receive-keys 0xCD84BCED626471F1 0x1D53D1877742E911 0xCD54E82DADB3684D
- name: Download external toolchain/sdk
if: inputs.build_toolchain == false && steps.parse-toolchain.outputs.toolchain-type != 'internal' && steps.parse-toolchain.outputs.toolchain-type != 'external_container'
shell: su buildbot -c "sh -e {0}"
working-directory: openwrt
run: |
wget -O - https://downloads.cdn.openwrt.org/${{ env.TOOLCHAIN_PATH }}/targets/${{ inputs.target }}/${{ inputs.subtarget }}/${{ env.TOOLCHAIN_FILE }}.tar.xz \
| tar --xz -xf -
wget https://downloads.cdn.openwrt.org/${{ env.TOOLCHAIN_PATH }}/targets/${{ inputs.target }}/${{ inputs.subtarget }}/${{ env.TOOLCHAIN_FILE }}.tar.xz
wget https://downloads.cdn.openwrt.org/${{ env.TOOLCHAIN_PATH }}/targets/${{ inputs.target }}/${{ inputs.subtarget }}/sha256sums.asc
wget https://downloads.cdn.openwrt.org/${{ env.TOOLCHAIN_PATH }}/targets/${{ inputs.target }}/${{ inputs.subtarget }}/sha256sums
gpg --with-fingerprint --verify sha256sums.asc
sha256sum --check --ignore-missing sha256sums
tar --xz -xf ${{ env.TOOLCHAIN_FILE }}.tar.xz
rm ${{ env.TOOLCHAIN_FILE }}.tar.xz sha256sums
- name: Configure testing kernel
if: inputs.testing == true