From 5767844f340c7a994a3828a2cf6082403e435cd7 Mon Sep 17 00:00:00 2001
From: Andrea Fassina <fasenderos@gmail.com>
Date: Thu, 25 May 2023 21:46:07 +0200
Subject: [PATCH] tools: log and verify sha256sum

PR-URL: https://github.com/nodejs/node/pull/48088
Refs: https://github.com/nodejs/security-wg/issues/973
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
---
 tools/dep_updaters/update-ada.sh     |   6 +-
 tools/dep_updaters/update-base64.sh  |  10 ++-
 tools/dep_updaters/update-brotli.sh  |   8 +-
 tools/dep_updaters/update-c-ares.sh  |   8 +-
 tools/dep_updaters/update-libuv.sh   |  10 ++-
 tools/dep_updaters/update-llhttp.sh  |  14 ++--
 tools/dep_updaters/update-nghttp2.sh |   8 ++
 tools/dep_updaters/update-nghttp3.sh |   4 +
 tools/dep_updaters/update-ngtcp2.sh  |   4 +
 tools/dep_updaters/update-npm.sh     |   7 +-
 tools/dep_updaters/update-openssl.sh | 105 +++++++++++++++++++++++++++
 tools/dep_updaters/update-simdutf.sh |   6 +-
 tools/dep_updaters/update-uvwasi.sh  |   5 ++
 tools/dep_updaters/update-zlib.sh    |   9 ++-
 tools/dep_updaters/utils.sh          |  30 ++++++++
 15 files changed, 219 insertions(+), 15 deletions(-)
 create mode 100755 tools/dep_updaters/update-openssl.sh
 create mode 100644 tools/dep_updaters/utils.sh

diff --git a/tools/dep_updaters/update-ada.sh b/tools/dep_updaters/update-ada.sh
index 5b693520349313..e97c73fa12aac8 100755
--- a/tools/dep_updaters/update-ada.sh
+++ b/tools/dep_updaters/update-ada.sh
@@ -6,6 +6,9 @@ BASE_DIR=$(cd "$(dirname "$0")/../.." && pwd)
 DEPS_DIR="$BASE_DIR/deps"
 ADA_VERSION=$1
 
+# shellcheck disable=SC1091
+. "$BASE_DIR/tools/dep_updaters/utils.sh"
+
 if [ "$#" -le 0 ]; then
   echo "Error: please provide an ada version to update to"
   echo "	e.g. $0 1.0.0"
@@ -25,13 +28,14 @@ cleanup () {
 trap cleanup INT TERM EXIT
 
 ADA_REF="v$ADA_VERSION"
-ADA_ZIP="ada-$ADA_VERSION.zip"
+ADA_ZIP="ada-$ADA_REF.zip"
 ADA_LICENSE="LICENSE-MIT"
 
 cd "$WORKSPACE"
 
 echo "Fetching ada source archive..."
 curl -sL -o "$ADA_ZIP" "https://github.com/ada-url/ada/releases/download/$ADA_REF/singleheader.zip"
+log_and_verify_sha256sum "ada" "$ADA_ZIP"
 unzip "$ADA_ZIP"
 rm "$ADA_ZIP"
 
diff --git a/tools/dep_updaters/update-base64.sh b/tools/dep_updaters/update-base64.sh
index 05d1c58402d1d6..539c75713374ef 100755
--- a/tools/dep_updaters/update-base64.sh
+++ b/tools/dep_updaters/update-base64.sh
@@ -8,6 +8,9 @@ DEPS_DIR="$BASE_DIR/deps"
 [ -z "$NODE" ] && NODE="$BASE_DIR/out/Release/node"
 [ -x "$NODE" ] || NODE=$(command -v node)
 
+# shellcheck disable=SC1091
+. "$BASE_DIR/tools/dep_updaters/utils.sh"
+
 NEW_VERSION="$("$NODE" --input-type=module <<'EOF'
 const res = await fetch('https://api.github.com/repos/aklomp/base64/releases/latest');
 if (!res.ok) throw new Error(`FetchError: ${res.status} ${res.statusText}`, { cause: res });
@@ -39,8 +42,13 @@ trap cleanup INT TERM EXIT
 
 cd "$WORKSPACE"
 
+BASE64_TARBALL="base64-v$NEW_VERSION.tar.gz"
+
 echo "Fetching base64 source archive"
-curl -sL "https://api.github.com/repos/aklomp/base64/tarball/v$NEW_VERSION" | tar xzf -
+curl -sL -o "$BASE64_TARBALL" "https://api.github.com/repos/aklomp/base64/tarball/v$NEW_VERSION"
+log_and_verify_sha256sum "base64" "$BASE64_TARBALL"
+gzip -dc "$BASE64_TARBALL" | tar xf -
+rm "$BASE64_TARBALL"
 mv aklomp-base64-* base64
 
 echo "Replacing existing base64"
diff --git a/tools/dep_updaters/update-brotli.sh b/tools/dep_updaters/update-brotli.sh
index 651ae57d3f2e62..3e9d6eddeaf665 100755
--- a/tools/dep_updaters/update-brotli.sh
+++ b/tools/dep_updaters/update-brotli.sh
@@ -8,6 +8,9 @@ DEPS_DIR="$BASE_DIR/deps"
 [ -z "$NODE" ] && NODE="$BASE_DIR/out/Release/node"
 [ -x "$NODE" ] || NODE=$(command -v node)
 
+# shellcheck disable=SC1091
+. "$BASE_DIR/tools/dep_updaters/utils.sh"
+
 NEW_VERSION="$("$NODE" --input-type=module <<'EOF'
 const res = await fetch('https://api.github.com/repos/google/brotli/releases/latest');
 if (!res.ok) throw new Error(`FetchError: ${res.status} ${res.statusText}`, { cause: res });
@@ -44,10 +47,11 @@ trap cleanup INT TERM EXIT
 
 cd "$WORKSPACE"
 
-BROTLI_TARBALL="v$NEW_VERSION.tar.gz"
+BROTLI_TARBALL="brotli-v$NEW_VERSION.tar.gz"
 
 echo "Fetching brotli source archive"
-curl -sL -o "$BROTLI_TARBALL" "https://github.com/google/brotli/archive/$BROTLI_TARBALL"
+curl -sL -o "$BROTLI_TARBALL" "https://github.com/google/brotli/archive/v$NEW_VERSION.tar.gz"
+log_and_verify_sha256sum "brotli" "$BROTLI_TARBALL"
 gzip -dc "$BROTLI_TARBALL" | tar xf -
 rm "$BROTLI_TARBALL"
 mv "brotli-$NEW_VERSION" "brotli"
diff --git a/tools/dep_updaters/update-c-ares.sh b/tools/dep_updaters/update-c-ares.sh
index 79d964e61f08a5..4bef7d20abca19 100755
--- a/tools/dep_updaters/update-c-ares.sh
+++ b/tools/dep_updaters/update-c-ares.sh
@@ -8,6 +8,9 @@ DEPS_DIR="$BASE_DIR/deps"
 [ -z "$NODE" ] && NODE="$BASE_DIR/out/Release/node"
 [ -x "$NODE" ] || NODE=$(command -v node)
 
+# shellcheck disable=SC1091
+. "$BASE_DIR/tools/dep_updaters/utils.sh"
+
 NEW_VERSION="$("$NODE" --input-type=module <<'EOF'
 const res = await fetch('https://api.github.com/repos/c-ares/c-ares/releases/latest');
 if (!res.ok) throw new Error(`FetchError: ${res.status} ${res.statusText}`, { cause: res });
@@ -43,7 +46,10 @@ ARES_TARBALL="c-ares-$NEW_VERSION.tar.gz"
 cd "$WORKSPACE"
 
 echo "Fetching c-ares source archive"
-curl -sL "https://github.com/c-ares/c-ares/releases/download/$ARES_REF/$ARES_TARBALL" | tar xz
+curl -sL -o "$ARES_TARBALL" "https://github.com/c-ares/c-ares/releases/download/$ARES_REF/$ARES_TARBALL"
+log_and_verify_sha256sum "c-ares" "$ARES_TARBALL"
+gzip -dc "$ARES_TARBALL" | tar xf -
+rm "$ARES_TARBALL"
 mv "c-ares-$NEW_VERSION" cares
 
 echo "Removing tests"
diff --git a/tools/dep_updaters/update-libuv.sh b/tools/dep_updaters/update-libuv.sh
index b679d935a91431..ac95f25874db83 100755
--- a/tools/dep_updaters/update-libuv.sh
+++ b/tools/dep_updaters/update-libuv.sh
@@ -7,6 +7,9 @@ DEPS_DIR="$BASE_DIR/deps"
 [ -z "$NODE" ] && NODE="$BASE_DIR/out/Release/node"
 [ -x "$NODE" ] || NODE=$(command -v node)
 
+# shellcheck disable=SC1091
+. "$BASE_DIR/tools/dep_updaters/utils.sh"
+
 NEW_VERSION="$("$NODE" --input-type=module <<'EOF'
 const res = await fetch('https://api.github.com/repos/libuv/libuv/releases/latest');
 if (!res.ok) throw new Error(`FetchError: ${res.status} ${res.statusText}`, { cause: res });
@@ -45,8 +48,13 @@ trap cleanup INT TERM EXIT
 
 cd "$WORKSPACE"
 
+LIBUV_TARBALL="libuv-v$NEW_VERSION.tar.gz"
+
 echo "Fetching libuv source archive..."
-curl -sL "https://api.github.com/repos/libuv/libuv/tarball/v$NEW_VERSION" | tar xzf -
+curl -sL -o "$LIBUV_TARBALL" "https://api.github.com/repos/libuv/libuv/tarball/v$NEW_VERSION"
+log_and_verify_sha256sum "libuv" "$LIBUV_TARBALL"
+gzip -dc "$LIBUV_TARBALL" | tar xf -
+rm "$LIBUV_TARBALL"
 mv libuv-libuv-* uv
 
 echo "Replacing existing libuv (except GYP build files)"
diff --git a/tools/dep_updaters/update-llhttp.sh b/tools/dep_updaters/update-llhttp.sh
index 9c46536f205b40..30fb06667ece5b 100755
--- a/tools/dep_updaters/update-llhttp.sh
+++ b/tools/dep_updaters/update-llhttp.sh
@@ -9,6 +9,9 @@ DEPS_DIR="${BASE_DIR}/deps"
 [ -z "$NODE" ] && NODE="$BASE_DIR/out/Release/node"
 [ -x "$NODE" ] || NODE=$(command -v node)
 
+# shellcheck disable=SC1091
+. "$BASE_DIR/tools/dep_updaters/utils.sh"
+
 NEW_VERSION="$("$NODE" --input-type=module <<'EOF'
 const res = await fetch('https://api.github.com/repos/nodejs/llhttp/releases/latest');
 if (!res.ok) throw new Error(`FetchError: ${res.status} ${res.statusText}`, { cause: res });
@@ -52,19 +55,20 @@ if echo "$NEW_VERSION" | grep -qs "/" ; then # Download a release
   echo "Checking out branch $BRANCH ..."
   git checkout "$BRANCH"
 
-  echo "Building llhtttp ..."
+  echo "Building llhttp ..."
   npm install
   make release
 
-  echo "Copying llhtttp release ..."
+  echo "Copying llhttp release ..."
   rm -rf "$DEPS_DIR/llhttp"
   cp -a release "$DEPS_DIR/llhttp"
 else
   echo "Download llhttp release $NEW_VERSION ..."
-  curl -sL -o llhttp.tar.gz "https://github.com/nodejs/llhttp/archive/refs/tags/release/v$NEW_VERSION.tar.gz"
-  gzip -dc llhttp.tar.gz | tar xf -
+  LLHTTP_TARBALL="llhttp-v$NEW_VERSION.tar.gz"
+  curl -sL -o "$LLHTTP_TARBALL" "https://github.com/nodejs/llhttp/archive/refs/tags/release/v$NEW_VERSION.tar.gz"
+  gzip -dc "$LLHTTP_TARBALL" | tar xf -
 
-  echo "Copying llhtttp release ..."
+  echo "Copying llhttp release ..."
   rm -rf "$DEPS_DIR/llhttp"
   cp -a "llhttp-release-v$NEW_VERSION" "$DEPS_DIR/llhttp"
 fi
diff --git a/tools/dep_updaters/update-nghttp2.sh b/tools/dep_updaters/update-nghttp2.sh
index c53a620ba096ec..5ee7f1f08da0a2 100755
--- a/tools/dep_updaters/update-nghttp2.sh
+++ b/tools/dep_updaters/update-nghttp2.sh
@@ -8,6 +8,9 @@ DEPS_DIR="$BASE_DIR/deps"
 [ -z "$NODE" ] && NODE="$BASE_DIR/out/Release/node"
 [ -x "$NODE" ] || NODE=$(command -v node)
 
+# shellcheck disable=SC1091
+. "$BASE_DIR/tools/dep_updaters/utils.sh"
+
 NEW_VERSION="$("$NODE" --input-type=module <<'EOF'
 const res = await fetch('https://api.github.com/repos/nghttp2/nghttp2/releases/latest');
 if (!res.ok) throw new Error(`FetchError: ${res.status} ${res.statusText}`, { cause: res });
@@ -44,6 +47,11 @@ cd "$WORKSPACE"
 
 echo "Fetching nghttp2 source archive"
 curl -sL -o "$NGHTTP2_TARBALL" "https://github.com/nghttp2/nghttp2/releases/download/$NGHTTP2_REF/$NGHTTP2_TARBALL"
+
+DEPOSITED_CHECKSUM=$(curl -sL "https://github.com/nghttp2/nghttp2/releases/download/$NGHTTP2_REF/checksums.txt" | grep "$NGHTTP2_TARBALL")
+
+log_and_verify_sha256sum "nghttp2" "$NGHTTP2_TARBALL" "$DEPOSITED_CHECKSUM"
+
 gzip -dc "$NGHTTP2_TARBALL" | tar xf -
 rm "$NGHTTP2_TARBALL"
 mv "nghttp2-$NEW_VERSION" nghttp2
diff --git a/tools/dep_updaters/update-nghttp3.sh b/tools/dep_updaters/update-nghttp3.sh
index a3c035d871774b..f10165960dabae 100755
--- a/tools/dep_updaters/update-nghttp3.sh
+++ b/tools/dep_updaters/update-nghttp3.sh
@@ -7,6 +7,9 @@ DEPS_DIR="$BASE_DIR/deps"
 [ -z "$NODE" ] && NODE="$BASE_DIR/out/Release/node"
 [ -x "$NODE" ] || NODE=$(command -v node)
 
+# shellcheck disable=SC1091
+. "$BASE_DIR/tools/dep_updaters/utils.sh"
+
 NEW_VERSION="$("$NODE" --input-type=module <<'EOF'
 const res = await fetch('https://api.github.com/repos/ngtcp2/nghttp3/releases');
 if (!res.ok) throw new Error(`FetchError: ${res.status} ${res.statusText}`, { cause: res });
@@ -44,6 +47,7 @@ cd "$WORKSPACE"
 
 echo "Fetching nghttp3 source archive..."
 curl -sL -o "$NGHTTP3_ZIP.zip" "https://github.com/ngtcp2/nghttp3/archive/refs/tags/$NGHTTP3_REF.zip"
+log_and_verify_sha256sum "nghttp3" "$NGHTTP3_ZIP.zip"
 unzip "$NGHTTP3_ZIP.zip"
 rm "$NGHTTP3_ZIP.zip"
 mv "$NGHTTP3_ZIP" nghttp3
diff --git a/tools/dep_updaters/update-ngtcp2.sh b/tools/dep_updaters/update-ngtcp2.sh
index 0e7d43cb4ce0d7..9e9803ee6197e6 100755
--- a/tools/dep_updaters/update-ngtcp2.sh
+++ b/tools/dep_updaters/update-ngtcp2.sh
@@ -7,6 +7,9 @@ DEPS_DIR="$BASE_DIR/deps"
 [ -z "$NODE" ] && NODE="$BASE_DIR/out/Release/node"
 [ -x "$NODE" ] || NODE=$(command -v node)
 
+# shellcheck disable=SC1091
+. "$BASE_DIR/tools/dep_updaters/utils.sh"
+
 NEW_VERSION="$("$NODE" --input-type=module <<'EOF'
 const res = await fetch('https://api.github.com/repos/ngtcp2/ngtcp2/releases');
 if (!res.ok) throw new Error(`FetchError: ${res.status} ${res.statusText}`, { cause: res });
@@ -44,6 +47,7 @@ cd "$WORKSPACE"
 
 echo "Fetching ngtcp2 source archive..."
 curl -sL -o "$NGTCP2_ZIP.zip" "https://github.com/ngtcp2/ngtcp2/archive/refs/tags/$NGTCP2_REF.zip"
+log_and_verify_sha256sum "ngtcp2" "$NGTCP2_ZIP.zip"
 unzip "$NGTCP2_ZIP.zip"
 rm "$NGTCP2_ZIP.zip"
 mv "$NGTCP2_ZIP" ngtcp2
diff --git a/tools/dep_updaters/update-npm.sh b/tools/dep_updaters/update-npm.sh
index 9706bbfca85fe2..72aac6de1ce98f 100755
--- a/tools/dep_updaters/update-npm.sh
+++ b/tools/dep_updaters/update-npm.sh
@@ -7,6 +7,9 @@ DEPS_DIR="$BASE_DIR/deps"
 [ -z "$NODE" ] && NODE="$BASE_DIR/out/Release/node"
 [ -x "$NODE" ] || NODE=$(command -v node)
 
+# shellcheck disable=SC1091
+. "$BASE_DIR/tools/dep_updaters/utils.sh"
+
 NPM="$DEPS_DIR/npm/bin/npm-cli.js"
 
 NPM_VERSION=$1
@@ -30,12 +33,14 @@ trap cleanup INT TERM EXIT
 
 cd "$WORKSPACE"
 
-NPM_TGZ=npm.tgz
+NPM_TGZ="npm-v$NPM_VERSION.tar.gz"
 
 NPM_TARBALL="$($NODE "$NPM" view npm@"$NPM_VERSION" dist.tarball)"
 
 curl -s "$NPM_TARBALL" > "$NPM_TGZ"
 
+log_and_verify_sha256sum "npm" "$NPM_TGZ"
+
 rm -rf "$DEPS_DIR/npm"
 
 mkdir "$DEPS_DIR/npm"
diff --git a/tools/dep_updaters/update-openssl.sh b/tools/dep_updaters/update-openssl.sh
new file mode 100755
index 00000000000000..710bf3219aaf97
--- /dev/null
+++ b/tools/dep_updaters/update-openssl.sh
@@ -0,0 +1,105 @@
+#!/bin/sh
+set -e
+# Shell script to update OpenSSL in the source tree to a specific version
+# Based on https://github.com/nodejs/node/blob/main/doc/contributing/maintaining-openssl.md
+
+cleanup() {
+  EXIT_CODE=$?
+  [ -d "$WORKSPACE" ] && rm -rf "$WORKSPACE"
+  exit $EXIT_CODE
+}
+
+download() {
+  if [ -z "$1" ]; then
+    echo "Error: please provide an OpenSSL version to update to"
+    echo "	e.g. ./$0 download 3.0.7+quic1"
+    exit 1
+  fi
+
+  OPENSSL_VERSION=$1
+  echo "Making temporary workspace..."
+  WORKSPACE=$(mktemp -d 2> /dev/null || mktemp -d -t 'tmp')
+
+  # shellcheck disable=SC1091
+  . "$BASE_DIR/tools/dep_updaters/utils.sh"
+
+  cd "$WORKSPACE"
+
+  echo "Fetching OpenSSL source archive..."
+  OPENSSL_TARBALL="openssl-v$OPENSSL_VERSION.tar.gz"
+  curl -sL -o "$OPENSSL_TARBALL" "https://api.github.com/repos/quictls/openssl/tarball/openssl-$OPENSSL_VERSION"
+  log_and_verify_sha256sum "openssl" "$OPENSSL_TARBALL"
+  gzip -dc "$OPENSSL_TARBALL" | tar xf -
+  rm "$OPENSSL_TARBALL"
+  mv quictls-openssl-* openssl
+
+  echo "Replacing existing OpenSSL..."
+  rm -rf "$DEPS_DIR/openssl/openssl"
+  mv "$WORKSPACE/openssl" "$DEPS_DIR/openssl/"
+
+  echo "All done!"
+  echo ""
+  echo "Please git add openssl, and commit the new version:"
+  echo ""
+  echo "$ git add -A deps/openssl/openssl"
+  echo "$ git commit -m \"deps: upgrade openssl sources to quictls/openssl-$OPENSSL_VERSION\""
+  echo ""
+}
+
+regenerate() {
+  command -v perl >/dev/null 2>&1 || { echo >&2 "Error: 'Perl' required but not installed."; exit 1; }
+  command -v nasm >/dev/null 2>&1 || { echo >&2 "Error: 'nasm' required but not installed."; exit 1; }
+  command -v as >/dev/null 2>&1 || { echo >&2 "Error: 'GNU as' required but not installed."; exit 1; }
+  perl -e "use Text::Template">/dev/null 2>&1 || { echo >&2 "Error: 'Text::Template' Perl module required but not installed."; exit 1; }
+
+  echo "Regenerating platform-dependent files..."
+
+  make -C "$DEPS_DIR/openssl/config" clean
+  # Needed for compatibility with nasm on 32-bit Windows
+  # See https://github.com/nodejs/node/blob/main/doc/contributing/maintaining-openssl.md#2-execute-make-in-depsopensslconfig-directory
+  sed -i 's/#ifdef/%ifdef/g' "$DEPS_DIR/openssl/openssl/crypto/perlasm/x86asm.pl"
+  sed -i 's/#endif/%endif/g' "$DEPS_DIR/openssl/openssl/crypto/perlasm/x86asm.pl"
+  make -C "$DEPS_DIR/openssl/config"
+
+  echo "All done!"
+  echo ""
+  echo "Please commit the regenerated files:"
+  echo ""
+  echo "$ git add -A deps/openssl/config/archs deps/openssl/openssl"
+  echo "$ git commit -m \"deps: update archs files for openssl\""
+  echo ""
+}
+
+help() {
+    echo "Shell script to update OpenSSL in the source tree to a specific version"
+    echo "Sub-commands:"
+    printf "%-23s %s\n" "help" "show help menu and commands"
+    printf "%-23s %s\n" "download" "download and replace OpenSSL source code with new version"
+    printf "%-23s %s\n" "regenerate" "regenerate platform-specific files"
+    echo ""
+    exit "${1:-0}"
+}
+
+main() {
+  if [ ${#} -eq 0 ]; then
+    help 0
+  fi
+
+  trap cleanup INT TERM EXIT
+
+  BASE_DIR=$(cd "$(dirname "$0")/../.." && pwd)
+  DEPS_DIR="$BASE_DIR/deps"
+
+  case ${1} in
+    help | download | regenerate )
+      $1 "${2}"
+    ;;
+    * )
+      echo "unknown command: $1"
+      help 1
+      exit 1
+    ;;
+  esac
+}
+
+main "$@"
diff --git a/tools/dep_updaters/update-simdutf.sh b/tools/dep_updaters/update-simdutf.sh
index dba4ba49c62516..9eaa9f8149ef63 100755
--- a/tools/dep_updaters/update-simdutf.sh
+++ b/tools/dep_updaters/update-simdutf.sh
@@ -7,6 +7,9 @@ DEPS_DIR="$BASE_DIR/deps"
 [ -z "$NODE" ] && NODE="$BASE_DIR/out/Release/node"
 [ -x "$NODE" ] || NODE=$(command -v node)
 
+# shellcheck disable=SC1091
+. "$BASE_DIR/tools/dep_updaters/utils.sh"
+
 NEW_VERSION="$("$NODE" --input-type=module <<'EOF'
 const res = await fetch('https://api.github.com/repos/simdutf/simdutf/releases/latest');
 if (!res.ok) throw new Error(`FetchError: ${res.status} ${res.statusText}`, { cause: res });
@@ -36,13 +39,14 @@ cleanup () {
 trap cleanup INT TERM EXIT
 
 SIMDUTF_REF="v$NEW_VERSION"
-SIMDUTF_ZIP="simdutf-$NEW_VERSION.zip"
+SIMDUTF_ZIP="simdutf-$SIMDUTF_REF.zip"
 SIMDUTF_LICENSE="LICENSE-MIT"
 
 cd "$WORKSPACE"
 
 echo "Fetching simdutf source archive..."
 curl -sL -o "$SIMDUTF_ZIP" "https://github.com/simdutf/simdutf/releases/download/$SIMDUTF_REF/singleheader.zip"
+log_and_verify_sha256sum "simdutf" "$SIMDUTF_ZIP"
 unzip "$SIMDUTF_ZIP"
 rm "$SIMDUTF_ZIP"
 rm ./*_demo.cpp
diff --git a/tools/dep_updaters/update-uvwasi.sh b/tools/dep_updaters/update-uvwasi.sh
index a6a66bf4e7672f..8ba9dbd9e1d150 100755
--- a/tools/dep_updaters/update-uvwasi.sh
+++ b/tools/dep_updaters/update-uvwasi.sh
@@ -8,6 +8,9 @@ DEPS_DIR="$BASE_DIR/deps"
 [ -z "$NODE" ] && NODE="$BASE_DIR/out/Release/node"
 [ -x "$NODE" ] || NODE=$(command -v node)
 
+# shellcheck disable=SC1091
+. "$BASE_DIR/tools/dep_updaters/utils.sh"
+
 NEW_VERSION="$("$NODE" --input-type=module <<'EOF'
 const res = await fetch('https://api.github.com/repos/nodejs/uvwasi/releases/latest');
 if (!res.ok) throw new Error(`FetchError: ${res.status} ${res.statusText}`, { cause: res });
@@ -46,6 +49,8 @@ cd "$WORKSPACE"
 echo "Fetching UVWASI source archive..."
 curl -sL -o "$UVWASI_ZIP.zip" "https://github.com/nodejs/uvwasi/archive/refs/tags/v$NEW_VERSION.zip"
 
+log_and_verify_sha256sum "uvwasi" "$UVWASI_ZIP.zip"
+
 echo "Moving existing GYP build file"
 mv "$DEPS_DIR/uvwasi/"*.gyp "$WORKSPACE/"
 rm -rf "$DEPS_DIR/uvwasi/"
diff --git a/tools/dep_updaters/update-zlib.sh b/tools/dep_updaters/update-zlib.sh
index 3902e9221264b0..33e0a9b4552459 100755
--- a/tools/dep_updaters/update-zlib.sh
+++ b/tools/dep_updaters/update-zlib.sh
@@ -7,6 +7,9 @@ set -e
 BASE_DIR=$(cd "$(dirname "$0")/../.." && pwd)
 DEPS_DIR="$BASE_DIR/deps"
 
+# shellcheck disable=SC1091
+. "$BASE_DIR/tools/dep_updaters/utils.sh"
+
 echo "Comparing latest upstream with current revision"
 
 git fetch https://chromium.googlesource.com/chromium/src/third_party/zlib.git HEAD
@@ -49,10 +52,12 @@ cd "$WORKSPACE"
 
 mkdir zlib
 
-ZLIB_TARBALL=zlib.tar.gz
+ZLIB_TARBALL="zlib-v$NEW_VERSION.tar.gz"
 
 echo "Fetching zlib source archive"
-curl -sL -o $ZLIB_TARBALL https://chromium.googlesource.com/chromium/src/+archive/refs/heads/main/third_party/$ZLIB_TARBALL
+curl -sL -o "$ZLIB_TARBALL" https://chromium.googlesource.com/chromium/src/+archive/refs/heads/main/third_party/zlib.tar.gz
+
+log_and_verify_sha256sum "zlib" "$ZLIB_TARBALL"
 
 gzip -dc "$ZLIB_TARBALL" | tar xf - -C zlib/
 
diff --git a/tools/dep_updaters/utils.sh b/tools/dep_updaters/utils.sh
new file mode 100644
index 00000000000000..21231e9410c6a8
--- /dev/null
+++ b/tools/dep_updaters/utils.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+# This function logs the archive checksum and, if provided, compares it with
+# the deposited checksum
+#
+# $1 is the package name e.g. 'acorn', 'ada', 'base64' etc. See that file
+# for a complete list of package name
+# $2 is the downloaded archive
+# $3 (optional) is the deposited sha256 cheksum. When provided, it is checked
+# against the checksum generated from the archive
+log_and_verify_sha256sum() {
+  package_name="$1"
+  archive="$2"
+  checksum="$3"
+  bsd_formatted_checksum=$(sha256sum --tag "$archive")
+  if [ -z "$3" ]; then
+    echo "$bsd_formatted_checksum"
+  else
+    archive_checksum=$(sha256sum "$archive")
+    if [ "$checksum" = "$archive_checksum" ]; then
+      echo "Valid $package_name checksum"
+      echo "$bsd_formatted_checksum"
+    else
+      echo "ERROR - Invalid $package_name checksum:"
+      echo "deposited: $checksum"
+      echo "generated: $archive_checksum"
+      exit 1
+    fi
+  fi
+}