From a6a2ad4409588aeefafa073f1fa96daaf84528b1 Mon Sep 17 00:00:00 2001 From: Preston Van Loon Date: Thu, 23 Apr 2020 07:57:21 -0700 Subject: [PATCH] Update prysm.sh to include slasher and sig verify (#5543) * Add gpg detached signature checks * Add slasher * Pull key * move recv after log * use shasum, download pgp keys * only download key if not present * revert bazelversion change * Actually fail and allow bypass Co-authored-by: prylabs-bulldozer[bot] <58059840+prylabs-bulldozer[bot]@users.noreply.github.com> --- prysm.sh | 98 ++++++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 77 insertions(+), 21 deletions(-) diff --git a/prysm.sh b/prysm.sh index ce7948c18..ef7073734 100755 --- a/prysm.sh +++ b/prysm.sh @@ -10,6 +10,8 @@ set -eu # Use USE_PRYSM_VERSION to specify a specific release version. # Example: USE_PRYSM_VERSION=v0.3.3 ./prysm.sh beacon-chain +readonly PRYLABS_SIGNING_KEY=0AE0051D647BA3C1A917AF4072E33E4DF1A5036E + function color() { # Usage: color "31;5" "string" # Some valid values for color: @@ -62,7 +64,7 @@ function get_realpath() { # Complain if no arguments were provided. if [ "$#" -lt 1 ]; then color "31" "Usage: ./prysm.sh PROCESS FLAGS." - color "31" "PROCESS can be beacon-chain or validator." + color "31" "PROCESS can be beacon-chain, validator, or slasher." exit 1 fi @@ -81,7 +83,7 @@ case "$OSTYPE" in cygwin*) system="windows" ;; *) exit 1 ;; esac - +readonly system if [ "$system" == "windows" ]; then arch="amd64.exe" 
@@ -103,34 +105,82 @@ function get_prysm_version() { fi } +function verify() { + file=$1 + + hash shasum 2>/dev/null || { echo >&2 "shasum is not available. Not verifying integrity of downloaded binary."; return failed_verification; } + hash gpg 2>/dev/null || { echo >&2 "gpg is not available. Not verifying integrity of downloaded binary."; return failed_verification; } + + color "37" "Verifying binary integrity." + + gpg --list-keys $PRYLABS_SIGNING_KEY >/dev/null 2>&1 || curl --silent https://prysmaticlabs.com/releases/pgp_keys.asc | gpg --import + (cd $wrapper_dir; shasum -a 256 -c "${file}.sha256" || failed_verification) + (cd $wrapper_dir; gpg -u $PRYLABS_SIGNING_KEY --verify "${file}.sig" $file || failed_verification) + + color "32;1" "Verified ${file} has been signed by Prysmatic Labs." +} + +function failed_verification() { + skip=${PRYSM_ALLOW_UNVERIFIED_BINARIES-0} + if [[ $skip == 1 ]]; then + return 0 + fi + color "31" "Failed to verify Prysm binary. Please erase downloads in the \ +dist directory and run this script again. Alternatively, you can use a \ +A prior version by specifying environment variable USE_PRYSM_VERSION \ +with the specific version, as desired. Example: USE_PRYSM_VERSION=v1.0.0-alpha.5 \ +If you must wish to continue running an unverified binary, specific the \ +environment variable PRYSM_ALLOW_UNVERIFIED_BINARIES=1" + exit 1 +} + get_prysm_version color "37" "Latest Prysm version is $prysm_version." BEACON_CHAIN_REAL="${wrapper_dir}/beacon-chain-${prysm_version}-${system}-${arch}" VALIDATOR_REAL="${wrapper_dir}/validator-${prysm_version}-${system}-${arch}" +SLASHER_REAL="${wrapper_dir}/slasher-${prysm_version}-${system}-${arch}" -if [[ ! 
-x $BEACON_CHAIN_REAL ]]; then - color "34" "Downloading beacon chain@${prysm_version} to ${BEACON_CHAIN_REAL} (${reason})" - file=beacon-chain-${prysm_version}-${system}-${arch} - curl -L "https://prysmaticlabs.com/releases/${file}" -o $BEACON_CHAIN_REAL - curl --silent -L "https://prysmaticlabs.com/releases/${file}.sha256" -o "${wrapper_dir}/${file}.sha256" - curl --silent -L "https://prysmaticlabs.com/releases/${file}.sig" -o "${wrapper_dir}/${file}.sig" - chmod +x $BEACON_CHAIN_REAL -else - color "37" "Beacon chain is up to date." +if [[ $1 == beacon-chain ]]; then + if [[ ! -x $BEACON_CHAIN_REAL ]]; then + color "34" "Downloading beacon chain@${prysm_version} to ${BEACON_CHAIN_REAL} (${reason})" + file=beacon-chain-${prysm_version}-${system}-${arch} + curl -L "https://prysmaticlabs.com/releases/${file}" -o $BEACON_CHAIN_REAL + curl --silent -L "https://prysmaticlabs.com/releases/${file}.sha256" -o "${wrapper_dir}/${file}.sha256" + curl --silent -L "https://prysmaticlabs.com/releases/${file}.sig" -o "${wrapper_dir}/${file}.sig" + chmod +x $BEACON_CHAIN_REAL + else + color "37" "Beacon chain is up to date." + fi fi -if [[ ! -x $VALIDATOR_REAL ]]; then - color "34" "Downloading validator@${prysm_version} to ${VALIDATOR_REAL} (${reason})" +if [[ $1 == validator ]]; then + if [[ ! -x $VALIDATOR_REAL ]]; then + color "34" "Downloading validator@${prysm_version} to ${VALIDATOR_REAL} (${reason})" - file=validator-${prysm_version}-${system}-${arch} - curl -L "https://prysmaticlabs.com/releases/${file}" -o $VALIDATOR_REAL - curl --silent -L "https://prysmaticlabs.com/releases/${file}.sha256" -o "${wrapper_dir}/${file}.sha256" - curl --silent -L "https://prysmaticlabs.com/releases/${file}.sig" -o "${wrapper_dir}/${file}.sig" - chmod +x $VALIDATOR_REAL -else - color "37" "Validator is up to date." 
+ file=validator-${prysm_version}-${system}-${arch} + curl -L "https://prysmaticlabs.com/releases/${file}" -o $VALIDATOR_REAL + curl --silent -L "https://prysmaticlabs.com/releases/${file}.sha256" -o "${wrapper_dir}/${file}.sha256" + curl --silent -L "https://prysmaticlabs.com/releases/${file}.sig" -o "${wrapper_dir}/${file}.sig" + chmod +x $VALIDATOR_REAL + else + color "37" "Validator is up to date." + fi +fi + +if [[ $1 == slasher ]]; then + if [[ ! -x $SLASHER_REAL ]]; then + color "34" "Downloading slasher@${prysm_version} to ${SLASHER_REAL} (${reason})" + + file=slasher-${prysm_version}-${system}-${arch} + curl -L "https://prysmaticlabs.com/releases/${file}" -o $SLASHER_REAL + curl --silent -L "https://prysmaticlabs.com/releases/${file}.sha256" -o "${wrapper_dir}/${file}.sha256" + curl --silent -L "https://prysmaticlabs.com/releases/${file}.sig" -o "${wrapper_dir}/${file}.sig" + chmod +x $SLASHER_REAL + else + color "37" "Slasher is up to date." + fi fi case $1 in @@ -142,11 +192,17 @@ case $1 in readonly process=$VALIDATOR_REAL ;; + slasher) + readonly process=$SLASHER_REAL + ;; + *) color "31" "Usage: ./prysm.sh PROCESS FLAGS." - color "31" "PROCESS can be beacon-chain or validator." + color "31" "PROCESS can be beacon-chain, validator, or slasher." ;; esac +verify $process + color "36" "Starting Prysm $1 ${@:2}" exec -a "$0" "${process}" "${@:2}"
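Review bot: The signature check in `verify()` does not pin the signer: in `gpg -u $PRYLABS_SIGNING_KEY --verify`, `-u` (`--local-user`) selects a key for creating signatures and has no effect on verification, so a good signature from any key in the user's keyring passes. That matters because the line before it imports whatever `pgp_keys.asc` contains from the same host that serves the binary, the `.sha256` and the `.sig`. I would keep gpg's exit status and additionally compare the fingerprint on its `VALIDSIG` status line with `PRYLABS_SIGNING_KEY`, as sketched below; if releases are signed with a subkey, the primary fingerprint is the last field of that line, which the pattern also matches. Separately, `return failed_verification` in the two tool checks hands `return` a non-numeric argument, so `failed_verification` is never called and the `PRYSM_ALLOW_UNVERIFIED_BINARIES` bypass does not apply there; `failed_verification; return 0` matches what the message says. With the bypass set, the final `Verified ... has been signed by Prysmatic Labs` line still prints after a failed check and should be skipped in that case.

```shell
    # … unchanged: tool checks, key import, shasum check …
    # Accept the signature only if gpg succeeds AND names the pinned fingerprint.
    (
        cd "$wrapper_dir"
        status=$(gpg --status-fd 1 --verify "${file}.sig" "$file" 2>/dev/null) || failed_verification
        grep -q "^\[GNUPG:\] VALIDSIG .*${PRYLABS_SIGNING_KEY}" <<<"$status" || failed_verification
    )
    # … unchanged: success message …
```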
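Review bot: `verify $process` is reached even for an unknown PROCESS, because the `*)` arm just above prints the usage text and falls through without exiting; unless `process` is set somewhere outside this hunk, `set -eu` then stops the script on an unbound variable instead of on the usage message. Adding `exit 1` as the last line of the `*)` arm makes that path explicit. The call should also be quoted, `verify "$process"`, and `$file` and `$wrapper_dir` inside `verify()` likewise, so a download directory containing spaces reaches `shasum` and `gpg` as one argument. The `case` statement begins outside the hunk, so the first arm is not visible here.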