From 95dde523297c652072ee96ac32d22912a43ef761 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Petr=20=C5=A0tetiar?=
Date: Fri, 26 May 2023 11:41:18 +0200
Subject: [PATCH] ci: build: verify downloaded toolchain tarball
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

CDNs are known to ship outdated or corrupted files, if it unpacks correctly, it necessarily doesn't mean, that we're using the desired content. So lets fix it by checking the tarball as well. I'm adding GPG checking explicitly, its not needed, but just double checking, that everything is working as expected on build infrastructure.
Signed-off-by: Petr Å tetiar
---
 .github/workflows/build.yml | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index efaf759403..367a43383b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -280,13 +280,23 @@ jobs:
 restore-keys: |
 ccache-${{ inputs.ccache_type }}-${{ inputs.target }}/${{ inputs.subtarget }}-
 
+ - name: Import GPG keys
+ shell: su buildbot -c "sh -e {0}"
+ if: inputs.build_toolchain == false && steps.parse-toolchain.outputs.toolchain-type != 'internal' && steps.parse-toolchain.outputs.toolchain-type != 'external_container'
+ run: gpg --receive-keys 0xCD84BCED626471F1 0x1D53D1877742E911 0xCD54E82DADB3684D
+
 - name: Download external toolchain/sdk
 if: inputs.build_toolchain == false && steps.parse-toolchain.outputs.toolchain-type != 'internal' && steps.parse-toolchain.outputs.toolchain-type != 'external_container'
 shell: su buildbot -c "sh -e {0}"
 working-directory: openwrt
 run: |
- wget -O - https://downloads.cdn.openwrt.org/${{ env.TOOLCHAIN_PATH }}/targets/${{ inputs.target }}/${{ inputs.subtarget }}/${{ env.TOOLCHAIN_FILE }}.tar.xz \
- | tar --xz -xf -
+ wget https://downloads.cdn.openwrt.org/${{ env.TOOLCHAIN_PATH }}/targets/${{ inputs.target }}/${{ inputs.subtarget }}/${{ env.TOOLCHAIN_FILE }}.tar.xz
+ wget https://downloads.cdn.openwrt.org/${{ env.TOOLCHAIN_PATH }}/targets/${{ inputs.target }}/${{ inputs.subtarget }}/sha256sums.asc
+ wget https://downloads.cdn.openwrt.org/${{ env.TOOLCHAIN_PATH }}/targets/${{ inputs.target }}/${{ inputs.subtarget }}/sha256sums
+ gpg --with-fingerprint --verify sha256sums.asc
+ sha256sum --check --ignore-missing sha256sums
+ tar --xz -xf ${{ env.TOOLCHAIN_FILE }}.tar.xz
+ rm ${{ env.TOOLCHAIN_FILE }}.tar.xz sha256sums
 
 - name: Configure testing kernel
 if: inputs.testing == true
-- 
2.30.2
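Review bot: The `gpg --with-fingerprint --verify sha256sums.asc` line passes for a good signature from any key in the buildbot user's keyring, and the new "Import GPG keys" step fills that keyring at run time with `gpg --receive-keys` using 64-bit key IDs, so the trust anchor is neither pinned nor checked. Consider importing the keys by full 40-character fingerprint (or from a key file kept in the repository) and asserting the signer, e.g. `gpg --status-fd 1 --verify sha256sums.asc sha256sums | grep -q '^\[GNUPG:\] VALIDSIG <EXPECTED_FINGERPRINT> '`, with the placeholder replaced by the expected signing-key fingerprint. `sha256sum --check --ignore-missing sha256sums` only shows that whichever listed files happen to exist match; checking just the entry for `${{ env.TOOLCHAIN_FILE }}.tar.xz` would state the intent explicitly and not depend on the tool's behaviour when no listed file is present. The final `rm` leaves `sha256sums.asc` behind, so on a reused workspace the next `wget` would presumably save `sha256sums.asc.1` and the stale signature would be the one verified; adding `sha256sums.asc` to the `rm` line avoids that.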