stackrox · tommartensen · Nov 20, 2023 · Nov 20, 2023 · Nov 20, 2023 · Nov 20, 2023
@@ -135,6 +135,7 @@ cli:
  GOARCH=amd64 GOOS=darwin ./scripts/go-build -o bin/infractl-darwin-amd64 ./cmd/infractl
  GOARCH=arm64 GOOS=darwin ./scripts/go-build -o bin/infractl-darwin-arm64 ./cmd/infractl
  GOARCH=amd64 GOOS=linux ./scripts/go-build -o bin/infractl-linux-amd64 ./cmd/infractl
+ @./scripts/checksums
 
 # cli-local - Builds the infractl client binary
 # When run locally, a Darwin binary is built and installed into the user's GOPATH bin.

@@ -64,6 +64,7 @@ func run(ctx context.Context, conn *grpc.ClientConn, cmd *cobra.Command, _ []str
  if err != nil {
  return nil, err
  }
+ // also download checksums, and check them
 
  infractlFilename, err := moveIntoPlace(tempFilename)
  if err != nil {

@@ -11,6 +11,23 @@
  "application/json"
  ],
  "paths": {
+ "/v1/checksums": {
+ "get": {
+ "summary": "CreateToken generates an arbitrary service account token",
+ "operationId": "Checksums",
+ "responses": {
+ "200": {
+ "description": "A successful response.(streaming responses)",
+ "schema": {
+ "$ref": "#/x-stream-definitions/v1CliChecksumResponse"
+ }
+ }
+ },
+ "tags": [
+ "CliService"
+ ]
+ }
+ },
  "/v1/cli/{os}/{arch}/upgrade": {
  "get": {
  "operationId": "Upgrade",
@@ -500,6 +517,15 @@
  }
  }
  },
+ "v1CliChecksumResponse": {
+ "type": "object",
+ "properties": {
+ "fileChunk": {
+ "type": "string",
+ "format": "byte"
+ }
+ }
+ },
  "v1CliUpgradeResponse": {
  "type": "object",
  "properties": {
@@ -928,6 +954,18 @@
  }
  },
  "x-stream-definitions": {
+ "v1CliChecksumResponse": {
+ "type": "object",
+ "properties": {
+ "result": {
+ "$ref": "#/definitions/v1CliChecksumResponse"
+ },
+ "error": {
+ "$ref": "#/definitions/runtimeStreamError"
+ }
+ },
+ "title": "Stream result of v1CliChecksumResponse"
+ },
  "v1CliUpgradeResponse": {
  "type": "object",
  "properties": {

@@ -452,6 +452,10 @@ message CliUpgradeResponse {
  bytes fileChunk = 1;
 }
 
+message CliChecksumResponse {
+ bytes fileChunk = 1;
+}
+
 // CliService provides an upgrade path for the command line interface.
 service CliService {
  // Upgrade - gets an updated binary if it exists.
@@ -460,6 +464,13 @@ service CliService {
  get: "/v1/cli/{os}/{arch}/upgrade"
  };
  }
+
+ // Checksums - gets a file with checksums for the binaries
+ rpc Checksums (google.protobuf.Empty) returns (stream CliChecksumResponse) {
+ option (google.api.http) = {
+ get: "/v1/checksums"
+ };
+ }
 }
 
 message InfraStatus {

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+main() {
+ local filename="infractl-CHECKSUMS"
+ pushd bin/ >/dev/null || exit 1
+ rm -f "${filename}"
+ shasum --algorithm 512 -- infractl-* > "${filename}"
+ popd >/dev/null || exit 1
+
+}
+
+main "$@"
@@ -4,11 +4,6 @@ main() {
  # Current time in epoch seconds.
  local BUILD_TIMESTAMP="$(date +'%s')"
 
- # The URL for the CircleCI workflow that was run for the current commit.
- local STABLE_CIRCLECI_WORKFLOW_URL
- if [ -n "$CIRCLE_WORKFLOW_ID" ]; then
- STABLE_CIRCLECI_WORKFLOW_URL="https://circleci.com/workflow-run/${CIRCLE_WORKFLOW_ID}"
- fi
 
  # The Git short SHA for the current commit.
  local STABLE_GIT_SHORT_SHA="$(git rev-parse --short HEAD)"

@@ -11,6 +11,7 @@ import (
  "github.com/stackrox/infra/pkg/platform"
  "github.com/stackrox/infra/service/middleware"
  "google.golang.org/grpc"
+ "google.golang.org/protobuf/types/known/emptypb"
 )
 
 const bufferSize = 1000 * 1024
@@ -62,10 +63,38 @@ func (s *cliImpl) Upgrade(request *v1.CliUpgradeRequest, stream v1.CliService_Up
  return nil
 }
 
+func (s *cliImpl) Checksums(_ *emptypb.Empty, stream v1.CliService_ChecksumsServer) error {
+ filename := webRoot + "/downloads/infractl-CHECKSUMS"
+ file, err := os.Open(filename)
+ if err != nil {
+ log.Log(logging.ERROR, "failed to open CHECKSUM file", "error", err)
+ return err
+ }
+ defer file.Close()
+ buff := make([]byte, bufferSize)
+ for {
+ bytesRead, err := file.Read(buff)
+ if err == io.EOF {
+ break
+ }
+ if err != nil {
+ log.Log(logging.ERROR, "error while reading CHECKSUM chunk", "error", err)
+ return err
+ }
+ resp := &v1.CliChecksumResponse{FileChunk: buff[:bytesRead]}
+ if err := stream.Send(resp); err != nil {
+ log.Log(logging.ERROR, "error while sending CHECKSUM chunk", "error", err)
+ return err
+ }
+ }
+ return nil
+}
+
 // Access configures access for this service.
 func (s *cliImpl) Access() map[string]middleware.Access {
  return map[string]middleware.Access{
- "/v1.CliUpgradeService/Download": middleware.Authenticated,
+ "/v1.CliUpgradeService/Download": middleware.Authenticated,
+ "/v1.CliUpgradeService/Checksums": middleware.Authenticated,
  }
 }
 

@@ -8,6 +8,7 @@ export default function InfractlPageSection(): ReactElement {
  'Download for Intel Mac': '/downloads/infractl-darwin-amd64',
  'Download for M1 Mac': '/downloads/infractl-darwin-arm64',
  'Download for Linux': '/downloads/infractl-linux-amd64',
+ 'Checksums (SHA-512)': '/downloads/infractl-CHECKSUMS',
  };
  const infractlLinks = Object.entries(infractlDownloads).map(([label, value]) => (
  <a key={value} href={value} download className="btn btn-base mr-2">

@@ -46,11 +46,16 @@ export default function UserServiceAccountToken(): ReactElement {
  example, you may put it in your Go executable directory.
  </p>
  <p className="my-2">
- Here are the commands to move the file, allow it to execute on an Intel-based Mac, confirm
- its location, and help you learn about its features.
+ Additionally, you may verify the integrity of the binary by downloading the{' '}
+ <code>CHECKSUMS (SHA-512)</code> file.
+ </p>
+ <p className="my-2">
+ Here are the commands to check the integrity, move the file, allow it to execute on an
+ Intel-based Mac, confirm its location, and help you learn about its features.
  </p>
  <pre className="border border-base-400 p-4 text-lg whitespace-pre-wrap">
- $ install ~/Downloads/infractl-darwin-amd64 $GOPATH/bin/infractl
+ $ shasum --check --ignore-missing infractl-CHECKSUMS
+ <br />$ install infractl-darwin-amd64 $GOPATH/bin/infractl
  <br />$ xattr -c $GOPATH/bin/infractl
  <br />$ which infractl
  <br />$ infractl help