authorPetr Štetiar <ynezz@true.cz>2023-05-26 11:41:18 +0200
committerChristian Marangi <ansuelsmth@gmail.com>2023-10-24 17:12:06 +0200
commit6cdd9a6de493cc9b8152a73d8449673b1190d1ff (patch)
tree5a400674218bf7966f7e3bd4fb104ec24aac6f76
parent37395ecb3214f6c086668b9f1a3c3405e06acfe8 (diff)
downloadupstream-6cdd9a6de493cc9b8152a73d8449673b1190d1ff.tar.gz
upstream-6cdd9a6de493cc9b8152a73d8449673b1190d1ff.tar.bz2
upstream-6cdd9a6de493cc9b8152a73d8449673b1190d1ff.zip
ci: build: verify downloaded toolchain tarball
CDNs are known to ship outdated or corrupted files; the fact that a tarball unpacks correctly doesn't necessarily mean that we're using the desired content. So let's fix it by checking the tarball as well. I'm adding GPG checking explicitly; it's not needed, but it double-checks that everything is working as expected on the build infrastructure. Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 95dde523297c652072ee96ac32d22912a43ef761)
-rw-r--r--.github/workflows/build.yml14
1 files changed, 12 insertions, 2 deletions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index efaf759403..367a43383b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -280,13 +280,23 @@ jobs:
restore-keys: |
ccache-${{ inputs.ccache_type }}-${{ inputs.target }}/${{ inputs.subtarget }}-
+ - name: Import GPG keys
+ shell: su buildbot -c "sh -e {0}"
+ if: inputs.build_toolchain == false && steps.parse-toolchain.outputs.toolchain-type != 'internal' && steps.parse-toolchain.outputs.toolchain-type != 'external_container'
+ run: gpg --receive-keys 0xCD84BCED626471F1 0x1D53D1877742E911 0xCD54E82DADB3684D
+
- name: Download external toolchain/sdk
if: inputs.build_toolchain == false && steps.parse-toolchain.outputs.toolchain-type != 'internal' && steps.parse-toolchain.outputs.toolchain-type != 'external_container'
shell: su buildbot -c "sh -e {0}"
working-directory: openwrt
run: |
- wget -O - https://downloads.cdn.openwrt.org/${{ env.TOOLCHAIN_PATH }}/targets/${{ inputs.target }}/${{ inputs.subtarget }}/${{ env.TOOLCHAIN_FILE }}.tar.xz \
- | tar --xz -xf -
+ wget https://downloads.cdn.openwrt.org/${{ env.TOOLCHAIN_PATH }}/targets/${{ inputs.target }}/${{ inputs.subtarget }}/${{ env.TOOLCHAIN_FILE }}.tar.xz
+ wget https://downloads.cdn.openwrt.org/${{ env.TOOLCHAIN_PATH }}/targets/${{ inputs.target }}/${{ inputs.subtarget }}/sha256sums.asc
+ wget https://downloads.cdn.openwrt.org/${{ env.TOOLCHAIN_PATH }}/targets/${{ inputs.target }}/${{ inputs.subtarget }}/sha256sums
+ gpg --with-fingerprint --verify sha256sums.asc
+ sha256sum --check --ignore-missing sha256sums
+ tar --xz -xf ${{ env.TOOLCHAIN_FILE }}.tar.xz
+ rm ${{ env.TOOLCHAIN_FILE }}.tar.xz sha256sums
- name: Configure testing kernel
if: inputs.testing == true
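Review bot: The `gpg --with-fingerprint --verify sha256sums.asc` line in the download step leaves it to gpg to decide which data the signature covers. Naming the signed file explicitly, `gpg --with-fingerprint --verify sha256sums.asc sha256sums`, ensures that the file later passed to `sha256sum --check` is the one that was verified, even if the CDN serves a non-detached signature under that name. The check also passes for a good signature from any key present in the buildbot keyring, and the "Import GPG keys" step fetches its keys from a keyserver by 64-bit key ID at run time; using full fingerprints (`gpg --receive-keys <FULL_FINGERPRINT_PLACEHOLDER> ...`) or importing the keys from a file kept in the repository would pin the trust anchor more tightly. A stale but validly signed `sha256sums` and tarball pair would still pass, so the step detects corruption and tampering rather than outdated content. The final `rm` also leaves `sha256sums.asc` behind in the `openwrt` working directory.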