Verify checksums of makeself deps. (#11791)

5 files changed, 21 insertions, 5 deletions

diff --git a/packaging/makeself/functions.sh b/packaging/makeself/functions.sh
index 15818d3b2a..afc8a9ac98 100755
--- a/packaging/makeself/functions.sh
+++ b/packaging/makeself/functions.sh
@@ -29,13 +29,25 @@ set -euo pipefail
 # -----------------------------------------------------------------------------
 
 fetch() {
-  local dir="${1}" url="${2}"
+  local dir="${1}" url="${2}" sha256="${3}"
   local tar="${dir}.tar.gz"
 
   if [ ! -f "${NETDATA_MAKESELF_PATH}/tmp/${tar}" ]; then
     run wget -O "${NETDATA_MAKESELF_PATH}/tmp/${tar}" "${url}"
   fi
 
+  # Check SHA256 of gzip'd tar file (apparently alpine's sha256sum requires
+  # two empty spaces between the checksum and the file's path)
+  set +e
+  echo "${sha256}  ${NETDATA_MAKESELF_PATH}/tmp/${tar}" | sha256sum -c -s
+  local rc=$?
+  if [ ${rc} -ne 0 ]; then
+      echo >&2 "SHA256 verification of tar file ${tar} failed (rc=${rc})"
+      echo >&2 "expected: ${sha256}, got $(sha256sum "${NETDATA_MAKESELF_PATH}/tmp/${tar}")"
+      exit 1
+  fi
+  set -e
+
   if [ ! -d "${NETDATA_MAKESELF_PATH}/tmp/${dir}" ]; then
     cd "${NETDATA_MAKESELF_PATH}/tmp"
     run tar -zxpf "${tar}"
diff --git a/packaging/makeself/jobs/50-bash-5.1.8.install.sh b/packaging/makeself/jobs/50-bash-5.1.8.install.sh
index cf47275432..246ea70857 100755
--- a/packaging/makeself/jobs/50-bash-5.1.8.install.sh
+++ b/packaging/makeself/jobs/50-bash-5.1.8.install.sh
@@ -6,7 +6,8 @@
 
 [ -n "${GITHUB_ACTIONS}" ] && echo "::group::building bash"
 
-fetch "bash-5.1.8" "http://ftp.gnu.org/gnu/bash/bash-5.1.8.tar.gz"
+fetch "bash-5.1.8" "http://ftp.gnu.org/gnu/bash/bash-5.1.8.tar.gz" \
+    0cfb5c9bb1a29f800a97bd242d19511c997a1013815b805e0fdd32214113d6be
 
 export PKG_CONFIG_PATH="/openssl-static/lib/pkgconfig"
 
diff --git a/packaging/makeself/jobs/50-curl-7.78.0.install.sh b/packaging/makeself/jobs/50-curl-7.78.0.install.sh
index d83c65419a..b70d8542bd 100755
--- a/packaging/makeself/jobs/50-curl-7.78.0.install.sh
+++ b/packaging/makeself/jobs/50-curl-7.78.0.install.sh
@@ -6,7 +6,8 @@
 
 [ -n "${GITHUB_ACTIONS}" ] && echo "::group::Building cURL"
 
-fetch "curl-7.78.0" "https://curl.haxx.se/download/curl-7.78.0.tar.gz"
+fetch "curl-7.78.0" "https://curl.haxx.se/download/curl-7.78.0.tar.gz" \
+    ed936c0b02c06d42cf84b39dd12bb14b62d77c7c4e875ade022280df5dcc81d7
 
 export CFLAGS="-I/openssl-static/include"
 export LDFLAGS="-static -L/openssl-static/lib"
diff --git a/packaging/makeself/jobs/50-fping-5.0.install.sh b/packaging/makeself/jobs/50-fping-5.0.install.sh
index 64c71d5646..54cfc667ce 100755
--- a/packaging/makeself/jobs/50-fping-5.0.install.sh
+++ b/packaging/makeself/jobs/50-fping-5.0.install.sh
@@ -6,7 +6,8 @@
 
 [ -n "${GITHUB_ACTIONS}" ] && echo "::group::Building fping"
 
-fetch "fping-5.0" "https://fping.org/dist/fping-5.0.tar.gz"
+fetch "fping-5.0" "https://fping.org/dist/fping-5.0.tar.gz" \
+    ed38c0b9b64686a05d1b3bc1d66066114a492e04e44eef1821d43b1263cd57b8
 
 export CFLAGS="-static -I/openssl-static/include"
 export LDFLAGS="-static -L/openssl-static/lib"
diff --git a/packaging/makeself/jobs/50-ioping-1.2.install.sh b/packaging/makeself/jobs/50-ioping-1.2.install.sh
index 67df88a0b5..f318999dd5 100755
--- a/packaging/makeself/jobs/50-ioping-1.2.install.sh
+++ b/packaging/makeself/jobs/50-ioping-1.2.install.sh
@@ -6,7 +6,8 @@
 
 [ -n "${GITHUB_ACTIONS}" ] && echo "::group::Building ioping"
 
-fetch "ioping-1.2" "https://github.com/koct9i/ioping/archive/v1.2.tar.gz"
+fetch "ioping-1.2" "https://github.com/koct9i/ioping/archive/v1.2.tar.gz" \
+    d3e4497c653a1e96df67c72ce2b70da18e9f5e3b93179a5bb57a6e30ceacfa75
 
 export CFLAGS="-static"