From 91985c7994764f52c8e9d864db8ec9cf2eb1df5c Mon Sep 17 00:00:00 2001
From: Jeremy Attali <contact@jtheoof.me>
Date: Sat, 20 Feb 2021 16:20:32 -0500
Subject: [PATCH] fix(release): properly check sha256 remote content

We need to verify the sources from github match our local content.
We do this by building our own version of the git release (using `git
archive`) and checking the SHA-256 checksums against the local and
remote.

After that it's safe to sign the remote `tar.gz` and upload the
signature file to the release.

One caveat is that if Github upates their git release commmand, this
script will break. We'll worry about it when that happens.

This drops support for `zip` signature. I wish there was a way to
prevent the zip source code when doing a new release.

Closes #90
---
 script/sign-post-release | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)

diff --git a/script/sign-post-release b/script/sign-post-release
index 801a05d..8a720b6 100755
--- a/script/sign-post-release
+++ b/script/sign-post-release
@@ -17,7 +17,6 @@ init() {
   command -v gh >/dev/null 2>&1 || { echo >&2 "github cli tool required: pacman -S github-cli"; exit 1; }
 
   mkdir -p $release_folder
-  cd $release_folder
 }
 
 get_release_version() {
@@ -25,24 +24,41 @@ get_release_version() {
   echo "found latest version: $version"
 }
 
+build_archives_from_source() {
+  echo "building source archives..."
+  cd $git_root
+  git archive -o "$release_folder/local-$app_name-$version.tar.gz" --format tar.gz --prefix "$app_name-$version/" "v$version"
+}
+
+
 download_source_for_release() {
   echo "downloading source assets..."
-  curl --output $app_name-$version.zip https://github.com/jtheoof/$app_name/archive/v$version.zip
-  curl --output $app_name-$version.tar.gz https://github.com/jtheoof/$app_name/archive/v$version.tar.gz
+  cd $release_folder
+  curl --location --output github-$app_name-$version.tar.gz https://github.com/jtheoof/$app_name/archive/v$version.tar.gz
+}
+
+verify_sha256_checksums() {
+  echo "verifying signatures..."
+  cd $release_folder
+  sha256sum local-$app_name-$version.tar.gz | awk '{ print $1 }' > local-$app_name-$version.tar.gz.sha256
+
+  # sha256sum --check will exit if the checksums do not match
+  echo "$(cat local-$app_name-$version.tar.gz.sha256) github-$app_name-$version.tar.gz" | sha256sum --check
 }
 
 sign_release_source() {
   echo "signing source assets..."
-  gpg --detach-sign $app_name-$version.zip
-  gpg --detach-sign $app_name-$version.tar.gz
+  cd $release_folder
+  gpg --output $app_name-$version.tar.gz.sig --detach-sign github-$app_name-$version.tar.gz
 }
 
 upload_signed_assets_to_release() {
   echo "uploading signatures to github release..."
-  gh release upload v$version $app_name-$version.zip.sig --clobber
-  gh release upload v$version $app_name-$version.tar.gz.sig --clobber
+  cd $release_folder
+  gh release upload v$version $app_name-$version.tar.gz.sig  --clobber
 }
 
+
 main() {
   init
   get_release_version
@@ -52,7 +68,9 @@ main() {
     die "version not found, is the git tag valid?"  
   fi
 
+  build_archives_from_source
   download_source_for_release
+  verify_sha256_checksums
   sign_release_source
   upload_signed_assets_to_release
 }