ci: build: verify downloaded toolchain tarball

CDNs are known to ship outdated or corrupted files, if it unpacks correctly, it necessarily doesn't mean, that we're using the desired content. So lets fix it by checking the tarball as well. I'm adding GPG checking explicitly, its not needed, but just double checking, that everything is working as expected on build infrastructure. Signed-off-by: Petr Štetiar <[email protected]>
hex-ci · May 31, 2023 · 95dde52 · 95dde52
1 parent 5677841
commit 95dde52
Showing 1 changed file with 12 additions and 2 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -280,13 +280,23 @@ jobs:
           restore-keys: |
             ccache-${{ inputs.ccache_type }}-${{ inputs.target }}/${{ inputs.subtarget }}-
 
+      - name: Import GPG keys
+        shell: su buildbot -c "sh -e {0}"
+        if: inputs.build_toolchain == false && steps.parse-toolchain.outputs.toolchain-type != 'internal' && steps.parse-toolchain.outputs.toolchain-type != 'external_container'
+        run: gpg --receive-keys 0xCD84BCED626471F1 0x1D53D1877742E911 0xCD54E82DADB3684D
+
       - name: Download external toolchain/sdk
         if: inputs.build_toolchain == false && steps.parse-toolchain.outputs.toolchain-type != 'internal' && steps.parse-toolchain.outputs.toolchain-type != 'external_container'
         shell: su buildbot -c "sh -e {0}"
         working-directory: openwrt
         run: |
-          wget -O - https://downloads.cdn.openwrt.org/${{ env.TOOLCHAIN_PATH }}/targets/${{ inputs.target }}/${{ inputs.subtarget }}/${{ env.TOOLCHAIN_FILE }}.tar.xz \
-            | tar --xz -xf -
+          wget https://downloads.cdn.openwrt.org/${{ env.TOOLCHAIN_PATH }}/targets/${{ inputs.target }}/${{ inputs.subtarget }}/${{ env.TOOLCHAIN_FILE }}.tar.xz
+          wget https://downloads.cdn.openwrt.org/${{ env.TOOLCHAIN_PATH }}/targets/${{ inputs.target }}/${{ inputs.subtarget }}/sha256sums.asc
+          wget https://downloads.cdn.openwrt.org/${{ env.TOOLCHAIN_PATH }}/targets/${{ inputs.target }}/${{ inputs.subtarget }}/sha256sums
+          gpg --with-fingerprint --verify sha256sums.asc
+          sha256sum --check --ignore-missing sha256sums
+          tar --xz -xf ${{ env.TOOLCHAIN_FILE }}.tar.xz
+          rm ${{ env.TOOLCHAIN_FILE }}.tar.xz sha256sums
 
       - name: Configure testing kernel
         if: inputs.testing == true