feat(index): Check checksum after download

hugo-checksums.txt

@@ -0,0 +1,26 @@
+9684d0537b86bc3b9d188663a04be490d894d45222ad0397fe9a6229cb404a76  hugo_0.56.1_NetBSD-32bit.tar.gz
+a497af1d1c62e462c034231cb2c5cd0a433f69f0497a3cba293f98a379a199fa  hugo_0.56.1_Linux-ARM64.tar.gz
+2842e643bede752a73d62475d9533ea9d9cbf149f1768c0a6a5e3b7aebd04a9a  hugo_extended_0.56.1_Linux-64bit.deb
+4e737877835507a54687af2f767d69c4841e0d13ea26dc4eac8aab7c33ac7cb5  hugo_extended_0.56.1_macOS-64bit.tar.gz
+3b65fd97b544735462d0d432bdde7ff49465a8cece22b25ec2a9af5b438cf851  hugo_0.56.1_Windows-64bit.zip
+99ebdcbd846d5e151568ca58613dcf84a61d16433931eaf673781ddd09d964af  hugo_0.56.1_Linux-32bit.tar.gz
+a11f9d488e9c7d9be8516beddfdd35a6232de80f143d6e690b2b26ba34d771cf  hugo_0.56.1_macOS-32bit.tar.gz
+1b72b5b2cb1f0ec858b5daf1675f3f3883cb24222ef00266f15392ce8ce7d848  hugo_0.56.1_FreeBSD-32bit.tar.gz
+a02bba8e9391008e4d773bbd09e9f11a35f00d599b668e388ae0857dbef48a54  hugo_0.56.1_Linux-64bit.tar.gz
+cde6105946befdfc26769051f83795c3c55068db1d7582098fe1655027d2c133  hugo_0.56.1_DragonFlyBSD-64bit.tar.gz
+365e987956fee2cb3ffac30423dfdd94af08ec9fa1f0fbe0346784431cce3f87  hugo_0.56.1_Linux-ARM.tar.gz
+af68761aaae76954cfd78a99b310143998efb629e47d2048f8e24b3311f23a28  hugo_extended_0.56.1_Linux-64bit.tar.gz
+08e85b08afbc3ab419601be7bc14d5ac75254fdd77b74b0576bcae52e00036b5  hugo_0.56.1_OpenBSD-64bit.tar.gz
+4167cf37bc536e239a371fc27032f4bd09aa72350476d18f37395677deb58768  hugo_0.56.1_OpenBSD-32bit.tar.gz
+bb2e7741cb059a03b0613ae054ca839e2cdafb2bf77d07c37df91c5e2b803433  hugo_0.56.1_OpenBSD-ARM.tar.gz
+5729fc9ef3cc84c46ab8c2d114a5c1884466835363d4e5a2c25b140c8e9e2019  hugo_0.56.1_Linux-ARM.deb
+2920c24bb51bebbe8fd429147b13447087c435d999acdbd3a5ecf1048c9f2b47  hugo_0.56.1_NetBSD-64bit.tar.gz
+085607cb25361a48cf65a6ab10cf7ea29c7ab31f689feca17e50e3aef367a4d7  hugo_0.56.1_Linux-ARM64.deb
+aa6008e12b07e59b8f371edfa1d7da69cc90224f01aa6471a4428018d9edce59  hugo_0.56.1_Linux-32bit.deb
+ab9517cfe66172833280afb7a2a731a0d8c7edf26d861eaef42aa41deb17671b  hugo_0.56.1_Linux-64bit.deb
+99a44ad0e58446e17e966805b6c60b161bebc76017a11215f07684735b56bcc0  hugo_0.56.1_Windows-32bit.zip
+4732a8169209efeadf46a9de75ea21d0d4b4341b606d20b2f645533944bf1199  hugo_0.56.1_NetBSD-ARM.tar.gz
+c05066136a537ad3ce4f6624e43bf1625866bb92c06da1e2c6271347b51c8d9a  hugo_0.56.1_FreeBSD-64bit.tar.gz
+dfc3f887692e0eb377cc5be02adca4ce8864cdd0ac6a56f2c68f52e4a710d821  hugo_0.56.1_macOS-64bit.tar.gz
+9b82eb59f67823bff6ebaf83b9804e3c3e0a4a150fcd3d2c564c65ac9e3282ba  hugo_extended_0.56.1_Windows-64bit.zip
+fefa258f9f861aaea46d1e9c4eb87c02024d2919f17d403dff373281e745c2f9  hugo_0.56.1_FreeBSD-ARM.tar.gz

lib/bin-wrapper.js

@@ -0,0 +1,81 @@
+
+'use strict';
+
+const crypto = require('crypto');
+const fs = require('fs');
+const path = require('path');
+const url = require('url');
+const BinWrapperBase = require('bin-wrapper');
+const importLazy = require('import-lazy')(require);
+const decompress = importLazy('decompress');
+const download = importLazy('download');
+const osFilterObj = importLazy('os-filter-obj');
+
+const checksumPath = path.join(__dirname, '../hugo-checksums.txt');
+
+function readFileAsync(filePath) {
+  return new Promise((resolve, reject) => {
+    fs.readFile(filePath, 'utf8', (err, data) => {
+      if (err) {
+        reject(err);
+        return;
+      }
+      resolve(data);
+    });
+  })
+}
+function chmodAsync(filePath, mode) {
+  return new Promise((resolve, reject) => {
+    fs.chmod(filePath, mode, (err) => {
+      if (err) {
+        reject(err);
+        return;
+      }
+      resolve();
+    });
+  });
+}
+module.exports = class BinWrapper extends BinWrapperBase {
+	/**
+	 * Override original download() to check checksum before download and after decompress
+	 */
+  download() {
+    const files = osFilterObj(this.src() || []);
+
+    if (files.length === 0) {
+      return Promise.reject(new Error('No binary found matching your system. It\'s probably not supported.'));
+    }
+    const fileUrl = files[0].url;
+    const parsedUrl = url.parse(fileUrl);
+    const parsedPath = path.parse(parsedUrl.pathname);
+    const fileBaseName = parsedPath.base;
+
+    return Promise.all([
+      download(fileUrl),
+      readFileAsync(checksumPath)
+    ])
+    .then(([data, checksums]) => {
+      const lines = checksums.split('\n');
+      const found = lines.map(line => {
+        // parsing goreleaser checksum format
+        // see: https://github.com/goreleaser/goreleaser/blob/master/internal/pipe/checksums/checksums.go#L81
+        return line.split('  ');
+      }).find(([,baseName]) => {
+        return baseName === fileBaseName;
+      });
+      if (!found) {
+        return Promise.reject(new Error('No checksum found.'));
+      }
+      const checksum = found[0];
+      if (crypto.createHash('sha256').update(data).digest('hex') !== checksum) {
+        return Promise.reject(new Error('Hugo binary checksum does not match.'));
+      }
+      return decompress(data, this.dest(), { strip: this.options.strip });
+    })
+    .then(files => {
+      return Promise.all(files.map(file => file.path).map(fileName => {
+        return chmodAsync(path.join(this.dest(), fileName), 0o755);
+      }));
+    });
+  }
+}

lib/index.js

@@ -1,8 +1,8 @@
 'use strict';
 
 const path = require('path');
-const BinWrapper = require('bin-wrapper');
 const pkgConf = require('pkg-conf');
+const BinWrapper = require('./bin-wrapper');
 const pkg = require('../package');
 
 const { hugoVersion } = pkg;

package.json

@@ -12,6 +12,10 @@
   },
   "dependencies": {
     "bin-wrapper": "^4.1.0",
+    "decompress": "^4.2.0",
+    "download": "^7.1.0",
+    "import-lazy": "^4.0.0",
+    "os-filter-obj": "^2.0.0",
     "pkg-conf": "^3.1.0",
     "rimraf": "^2.6.3",
     "signale": "^1.4.0"