fix: Verify tarball before build

- Use sha256sum file to determine version and integrity
- Verify hash before build (and inside, for local usage)

Author: maweil

.github/workflows/main.yml

@@ -10,21 +10,21 @@ jobs:
     container: registry.fedoraproject.org/fedora:37
     steps:
       - name: Install Dependencies
-        run: dnf install -y mingw64-gcc zip make wget tar
+        run: dnf install -y -q mingw64-gcc make wget tar
 
       - uses: actions/checkout@v3
 
       - name: Download make release tar.gz file
-        run: wget "https://ftpmirror.gnu.org/make/make-$(cat build_version.txt).tar.gz"
+        run: wget "https://ftpmirror.gnu.org/make/$(cat build_version.sha256sum | cut -d ' ' -f3)"
 
-      - name: Print out hash of tar.gz file
-        run: sha256sum "make-$(cat build_version.txt).tar.gz"
+      - name: Verify the hash of the tar.gz file
+        run: sha256sum -c build_version.sha256sum
 
       - name: Run the build process
         run: ./cross_build_w64.sh
 
       - name: Hash the built binaries
-        run: sha256sum make-$(cat build_version.txt)/dist/*
+        run: sha256sum make-*/dist/*
 
       - uses: actions/upload-artifact@v3
         with:

build_version.sha256sum

@@ -0,0 +1 @@
+581f4d4e872da74b3941c874215898a7d35802f03732bdccee1d4a7979105d18  make-4.4.tar.gz

build_version.txt

@@ -8,39 +8,51 @@ copy_dependent_dlls(){
   do
     echo "Searching $dll_name" in $dll_source_dir
     find "$dll_source_dir" -name "$dll_name" -exec cp "{}" ./dist \;
-    if [[ $? -eq 0 ]]
+    dist_dll_path="./dist/$dll_name"
+    if [[ -f "$dist_dll_path" ]]
     then
-      dist_dll_path="./dist/$dll_name"
-      if [[ -f "$dist_dll_path" ]]
-      then
-        copy_dependent_dlls "$dist_dll_path"
-      fi
-    else
-      echo "WARNING: Could not find $dll_name"
+      copy_dependent_dlls "$dist_dll_path"
     fi
   done
 }
 
-make_version="$(cat build_version.txt)"
+
+
+# Verify tarball integrity first
+echo "##############################"
+echo "Verifying integrity of tarball"
+echo "##############################"
+sha256sum -c build_version.sha256sum
+
+tarball=$(cat build_version.sha256sum | cut -d " " -f3)
+make_version=${tarball%.tar.gz}
 host_triplet="x86_64-w64-mingw32"
-rm -rf "make-$make_version" || echo "No existing make directory"
+rm -rf "$make_version" || echo "No existing make directory"
 
-tar -xzvf "make-$make_version.tar.gz"
-cd "make-$make_version"
+tar -xzf "$tarball"
+cd "$make_version"
 
 # Cleanup target directory
 rm -rf ./dist
 mkdir -p ./dist
 mkdir -p install_target
 
+echo "##########################################"
+echo "Building $make_version for $host_triplet"
+echo "##########################################"
 # By default, --export-dynamic is used which is not supported for PE binaries. 
 # Therefore override the LDFLAGS accordingly
 LDFLAGS='-Wl,--export-all-symbols -fstack-protector -lssp' mingw64-configure --without-guile
 mingw64-make && mv make.exe ./dist
 if [[ $? -eq 0 ]]
 then
+  echo "#######################################"
+  echo "Copying needed shared libraries to dist"
+  echo "#######################################"
+
   copy_dependent_dlls ./dist/make.exe
-  zip -r "make-$make_version-w64.zip" dist/*
+  
+  echo "################################"
   echo "Build complete. Result in ./dist"
+  echo "################################"
 fi
-