Skip to content

Adding Signature Validation When getFrogbot.sh Downloads Frogbot #1312

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
orto17 wants to merge 2 commits into
base: dev
Choose a base branch
from
+102 −6
Open

Adding Signature Validation When getFrogbot.sh Downloads Frogbot #1312

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
5578b84
signature validation
orto17 May 10, 2026
cb1e837
Merge branch 'dev' into signature-validation
orto17 May 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
93 changes: 87 additions & 6 deletions buildscripts/getFrogbot.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -96,23 +96,104 @@ echoGreetings() {
echo "Frogbot downloaded successfully!"
}

getDownloadCommand() {
download_to() {
dl_url="$1"
dl_out="$2"
if [ -n "${REMOTE_PATH}" ]; then
if [ -n "${JF_ACCESS_TOKEN}" ]; then
curl -fLg -H "Authorization:Bearer ${JF_ACCESS_TOKEN}" -X GET "${URL}" -o "${FILE_NAME}"
curl -fLg -H "Authorization:Bearer ${JF_ACCESS_TOKEN}" -X GET "${dl_url}" -o "${dl_out}"
else
curl -fLg -u "${JF_USER}:${JF_PASSWORD}" -X GET "${URL}" -o "${FILE_NAME}"
curl -fLg -u "${JF_USER}:${JF_PASSWORD}" -X GET "${dl_url}" -o "${dl_out}"
fi
else
curl -fLg -X GET "${URL}" -o "${FILE_NAME}"
curl -fLg -X GET "${dl_url}" -o "${dl_out}"
fi
}

download_optional() {
dl_url="$1"
dl_out="$2"
if [ -n "${REMOTE_PATH}" ]; then
if [ -n "${JF_ACCESS_TOKEN}" ]; then
curl -sfLg -H "Authorization:Bearer ${JF_ACCESS_TOKEN}" -X GET "${dl_url}" -o "${dl_out}" && return 0
else
curl -sfLg -u "${JF_USER}:${JF_PASSWORD}" -X GET "${dl_url}" -o "${dl_out}" && return 0
fi
else
curl -sfLg -X GET "${dl_url}" -o "${dl_out}" && return 0
fi
return 1
}

verify_checksum() {
if command -v sha256sum >/dev/null 2>&1; then
sha256sum -c "${FILE_NAME}.sha256"
elif command -v shasum >/dev/null 2>&1; then
shasum -a 256 -c "${FILE_NAME}.sha256"
else
echo "Neither sha256sum nor shasum was found; cannot verify the binary checksum." >&2
return 1
fi
}

verify_checksum_or_exit() {
if [ "${FROGBOT_INSECURE_SKIP_CHECKSUM_VERIFICATION:-}" = "1" ]; then
echo "WARNING: skipping checksum verification (FROGBOT_INSECURE_SKIP_CHECKSUM_VERIFICATION=1)." >&2
return 0
fi
checksum_url="${URL}.sha256"
if ! download_to "${checksum_url}" "${FILE_NAME}.sha256"; then
echo "Failed to download the checksum file for this Frogbot build." >&2
echo "Releases that predate checksum publishing require FROGBOT_INSECURE_SKIP_CHECKSUM_VERIFICATION=1 (not recommended)." >&2
rm -f "${FILE_NAME}"
exit 1
fi
if ! verify_checksum; then
echo "Checksum verification failed." >&2
rm -f "${FILE_NAME}" "${FILE_NAME}.sha256"
exit 1
fi
rm -f "${FILE_NAME}.sha256"
}

verify_gpg_if_signature_present() {
sig_url="${URL}.asc"
if ! download_optional "${sig_url}" "${FILE_NAME}.asc"; then
rm -f "${FILE_NAME}.asc"
return 0
fi
key_url="${PLATFORM_URL}/artifactory/${REMOTE_PATH}frogbot/v2/${VERSION}/frogbot-signing-key.asc"
if ! download_optional "${key_url}" "frogbot-signing-key.asc"; then
echo "A detached signature was published but frogbot-signing-key.asc could not be downloaded for this release." >&2
rm -f "${FILE_NAME}" "${FILE_NAME}.asc"
exit 1
fi
if ! command -v gpg >/dev/null 2>&1; then
echo "gpg is required to verify the Frogbot release signature." >&2
rm -f "${FILE_NAME}" "${FILE_NAME}.asc" "frogbot-signing-key.asc"
exit 1
fi
GNUPGHOME=$(mktemp -d "${TMPDIR:-/tmp}/frogbot-gpg.XXXXXX")
export GNUPGHOME
gpg --batch --import "frogbot-signing-key.asc" >/dev/null 2>&1
if ! gpg --batch --verify "${FILE_NAME}.asc" "${FILE_NAME}"; then
echo "GPG signature verification failed." >&2
rm -rf "${GNUPGHOME}"
rm -f "${FILE_NAME}" "${FILE_NAME}.asc" "frogbot-signing-key.asc"
exit 1
fi
rm -rf "${GNUPGHOME}"
rm -f "${FILE_NAME}.asc" "frogbot-signing-key.asc"
}

download() {
getDownloadCommand && setPermissions && echoGreetings
download_to "${URL}" "${FILE_NAME}" || { rm -f "${FILE_NAME}"; exit 1; }
verify_checksum_or_exit
verify_gpg_if_signature_present
setPermissions && echoGreetings
}

setFrogbotVersion "$@"
setFrogbotRemoteRepositoryIfNeeded
setFrogbotDownloadProperties
download
download
15 changes: 15 additions & 0 deletions release/buildAndUpload.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,20 @@ buildAndUpload () {
destPath="$pkgPath/$version/$pkg/$exeName"
echo "Uploading $exeName to $destPath ..."
jf rt u "./$exeName" "$destPath"
sha256sum "$exeName" >"${exeName}.sha256"
jf rt u "./${exeName}.sha256" "$pkgPath/$version/$pkg/${exeName}.sha256"
rm -f "./${exeName}.sha256"
if [[ -n "${FROGBOT_GPG_KEY_ID:-}" ]] && command -v gpg >/dev/null 2>&1; then
gpg --batch --yes --local-user "$FROGBOT_GPG_KEY_ID" --detach-sign --armor -o "${exeName}.asc" "./$exeName"
jf rt u "./${exeName}.asc" "$pkgPath/$version/$pkg/${exeName}.asc"
rm -f "./${exeName}.asc"
fi
}

upload_signing_public_key() {
if [[ -n "${FROGBOT_GPG_PUBLIC_KEY_FILE:-}" ]] && [[ -f "${FROGBOT_GPG_PUBLIC_KEY_FILE}" ]]; then
jf rt u "${FROGBOT_GPG_PUBLIC_KEY_FILE}" "$pkgPath/$version/frogbot-signing-key.asc"
fi
}

# Verify version provided in pipelines UI matches version in frogbot source code.
Expand Down Expand Up @@ -70,4 +84,5 @@ buildAndUpload 'frogbot-mac-386' 'darwin' 'amd64' ''
buildAndUpload 'frogbot-mac-arm64' 'darwin' 'arm64' ''
buildAndUpload 'frogbot-windows-amd64' 'windows' 'amd64' '.exe'

upload_signing_public_key
jf rt u "./buildscripts/getFrogbot.sh" "$pkgPath/$version/" --flat
Loading