Skip to content

Commit

Permalink
Merge pull request #313 from apigee/issue312
Browse files Browse the repository at this point in the history
feat: adds support to verify signature when downloading #312
  • Loading branch information
ssvaidyanathan authored Oct 10, 2023
2 parents 8e33e2f + 43fdaef commit 593f5f5
Showing 1 changed file with 21 additions and 0 deletions.
21 changes: 21 additions & 0 deletions downloadLatest.sh
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,8 @@ NAME="apigeecli_$APIGEECLI_VERSION"

cd "$tmp" || exit
URL="https://github.com/apigee/apigeecli/releases/download/${APIGEECLI_VERSION}/apigeecli_${APIGEECLI_VERSION}_${OSEXT}_${APIGEECLI_ARCH}.zip"
SIG_URL="https://github.com/apigee/apigeecli/releases/download/${APIGEECLI_VERSION}/apigeecli_${APIGEECLI_VERSION}_${OSEXT}_${APIGEECLI_ARCH}.zip.sig"
COSIGN_PUBLIC_KEY="https://raw.githubusercontent.com/apigee/apigeecli/main/cosign.pub"

download_cli() {
printf "\nDownloading %s from %s ...\n" "$NAME" "$URL"
Expand All @@ -75,6 +77,25 @@ download_cli() {
fi
curl -fsLO "$URL"
filename="apigeecli_${APIGEECLI_VERSION}_${OSEXT}_${APIGEECLI_ARCH}.zip"
# Check if cosign is installed
set +e # disable exit on error
cosign version 2>&1 >/dev/null
RESULT=$?
set -e # re-enable exit on error
if [ $RESULT -eq 0 ]; then
echo "Verifying the signature of the binary " "$filename"
echo "Downloading the cosign public key"
curl -fsLO -H 'Cache-Control: no-cache, no-store' "$COSIGN_PUBLIC_KEY"
echo "Downloading the signature file " "$SIG_URL"
curl -fsLO -H 'Cache-Control: no-cache, no-store' "$SIG_URL"
sig_filename="apigeecli_${OSEXT}_${APIGEECLI_ARCH}.zip.sig"
echo "Verifying the signature"
cosign verify-blob --key cosign.pub --signature "$sig_filename" "$filename"
rm "$sig_filename"
rm cosign.pub
else
echo "cosign is not installed, skipping signature verification"
fi
unzip "${filename}"
rm "${filename}"
}
Expand Down

0 comments on commit 593f5f5

Please sign in to comment.