mirror/prysm-pulse
1
0
Fork 0
mirror of https://gitlab.com/pulsechaincom/prysm-pulse.git synced 2025-01-03 00:27:38 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update prysm.sh to include slasher and sig verify (#5543)

Browse Source 
* Add gpg detached signature checks

* Add slasher

* Pull key

* move recv after log

* use shasum, download pgp keys

* only download key if not present

* revert bazelversion change

* Actually fail and allow bypass

Co-authored-by: prylabs-bulldozer[bot] <58059840+prylabs-bulldozer[bot]@users.noreply.github.com>
This commit is contained in:
Preston Van Loon 2020-04-23 07:57:21 -07:00 committed by GitHub
parent 49ca0751b6
commit a6a2ad4409
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 77 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

98
prysm.sh
View File

@ -10,6 +10,8 @@ set -eu
# Use USE_PRYSM_VERSION to specify a specific release version. # Use USE_PRYSM_VERSION to specify a specific release version.
# Example: USE_PRYSM_VERSION=v0.3.3 ./prysm.sh beacon-chain # Example: USE_PRYSM_VERSION=v0.3.3 ./prysm.sh beacon-chain
readonly PRYLABS_SIGNING_KEY=0AE0051D647BA3C1A917AF4072E33E4DF1A5036E
function color() { function color() {
# Usage: color "31;5" "string" # Usage: color "31;5" "string"
# Some valid values for color: # Some valid values for color:
@ -62,7 +64,7 @@ function get_realpath() {
# Complain if no arguments were provided. # Complain if no arguments were provided.
if [ "$#" -lt 1 ]; then if [ "$#" -lt 1 ]; then
color "31" "Usage: ./prysm.sh PROCESS FLAGS." color "31" "Usage: ./prysm.sh PROCESS FLAGS."
color "31" "PROCESS can be beacon-chain or validator." color "31" "PROCESS can be beacon-chain, validator, or slasher."
exit 1 exit 1
fi fi
@ -81,7 +83,7 @@ case "$OSTYPE" in
cygwin*) system="windows" ;; cygwin*) system="windows" ;;
*) exit 1 ;; *) exit 1 ;;
esac esac
readonly system
if [ "$system" == "windows" ]; then if [ "$system" == "windows" ]; then
arch="amd64.exe" arch="amd64.exe"
@ -103,34 +105,82 @@ function get_prysm_version() {
fi fi
} }
function verify() {
file=$1
hash shasum 2>/dev/null || { echo >&2 "shasum is not available. Not verifying integrity of downloaded binary."; return failed_verification; }
hash gpg 2>/dev/null || { echo >&2 "gpg is not available. Not verifying integrity of downloaded binary."; return failed_verification; }
color "37" "Verifying binary integrity."
gpg --list-keys $PRYLABS_SIGNING_KEY >/dev/null 2>&1 || curl --silent https://prysmaticlabs.com/releases/pgp_keys.asc | gpg --import
(cd $wrapper_dir; shasum -a 256 -c "${file}.sha256" || failed_verification)
(cd $wrapper_dir; gpg -u $PRYLABS_SIGNING_KEY --verify "${file}.sig" $file || failed_verification)
color "32;1" "Verified ${file} has been signed by Prysmatic Labs."
}
function failed_verification() {
skip=${PRYSM_ALLOW_UNVERIFIED_BINARIES-0}
if [[ $skip == 1 ]]; then
return 0
fi
color "31" "Failed to verify Prysm binary. Please erase downloads in the \
dist directory and run this script again. Alternatively, you can use a \
A prior version by specifying environment variable USE_PRYSM_VERSION \
with the specific version, as desired. Example: USE_PRYSM_VERSION=v1.0.0-alpha.5 \
If you must wish to continue running an unverified binary, specific the \
environment variable PRYSM_ALLOW_UNVERIFIED_BINARIES=1"
exit 1
}
get_prysm_version get_prysm_version
color "37" "Latest Prysm version is $prysm_version." color "37" "Latest Prysm version is $prysm_version."
BEACON_CHAIN_REAL="${wrapper_dir}/beacon-chain-${prysm_version}-${system}-${arch}" BEACON_CHAIN_REAL="${wrapper_dir}/beacon-chain-${prysm_version}-${system}-${arch}"
VALIDATOR_REAL="${wrapper_dir}/validator-${prysm_version}-${system}-${arch}" VALIDATOR_REAL="${wrapper_dir}/validator-${prysm_version}-${system}-${arch}"
SLASHER_REAL="${wrapper_dir}/slasher-${prysm_version}-${system}-${arch}"
if [[ ! -x $BEACON_CHAIN_REAL ]]; then if [[ $1 == beacon-chain ]]; then
color "34" "Downloading beacon chain@${prysm_version} to ${BEACON_CHAIN_REAL} (${reason})" if [[ ! -x $BEACON_CHAIN_REAL ]]; then
file=beacon-chain-${prysm_version}-${system}-${arch} color "34" "Downloading beacon chain@${prysm_version} to ${BEACON_CHAIN_REAL} (${reason})"
curl -L "https://prysmaticlabs.com/releases/${file}" -o $BEACON_CHAIN_REAL file=beacon-chain-${prysm_version}-${system}-${arch}
curl --silent -L "https://prysmaticlabs.com/releases/${file}.sha256" -o "${wrapper_dir}/${file}.sha256" curl -L "https://prysmaticlabs.com/releases/${file}" -o $BEACON_CHAIN_REAL
curl --silent -L "https://prysmaticlabs.com/releases/${file}.sig" -o "${wrapper_dir}/${file}.sig" curl --silent -L "https://prysmaticlabs.com/releases/${file}.sha256" -o "${wrapper_dir}/${file}.sha256"
chmod +x $BEACON_CHAIN_REAL curl --silent -L "https://prysmaticlabs.com/releases/${file}.sig" -o "${wrapper_dir}/${file}.sig"
else chmod +x $BEACON_CHAIN_REAL
color "37" "Beacon chain is up to date." else
color "37" "Beacon chain is up to date."
fi
fi fi
if [[ ! -x $VALIDATOR_REAL ]]; then if [[ $1 == validator ]]; then
color "34" "Downloading validator@${prysm_version} to ${VALIDATOR_REAL} (${reason})" if [[ ! -x $VALIDATOR_REAL ]]; then
color "34" "Downloading validator@${prysm_version} to ${VALIDATOR_REAL} (${reason})"
file=validator-${prysm_version}-${system}-${arch} file=validator-${prysm_version}-${system}-${arch}
curl -L "https://prysmaticlabs.com/releases/${file}" -o $VALIDATOR_REAL curl -L "https://prysmaticlabs.com/releases/${file}" -o $VALIDATOR_REAL
curl --silent -L "https://prysmaticlabs.com/releases/${file}.sha256" -o "${wrapper_dir}/${file}.sha256" curl --silent -L "https://prysmaticlabs.com/releases/${file}.sha256" -o "${wrapper_dir}/${file}.sha256"
curl --silent -L "https://prysmaticlabs.com/releases/${file}.sig" -o "${wrapper_dir}/${file}.sig" curl --silent -L "https://prysmaticlabs.com/releases/${file}.sig" -o "${wrapper_dir}/${file}.sig"
chmod +x $VALIDATOR_REAL chmod +x $VALIDATOR_REAL
else else
color "37" "Validator is up to date." color "37" "Validator is up to date."
fi
fi
if [[ $1 == slasher ]]; then
if [[ ! -x $SLASHER_REAL ]]; then
color "34" "Downloading slasher@${prysm_version} to ${SLASHER_REAL} (${reason})"
file=slasher-${prysm_version}-${system}-${arch}
curl -L "https://prysmaticlabs.com/releases/${file}" -o $SLASHER_REAL
curl --silent -L "https://prysmaticlabs.com/releases/${file}.sha256" -o "${wrapper_dir}/${file}.sha256"
curl --silent -L "https://prysmaticlabs.com/releases/${file}.sig" -o "${wrapper_dir}/${file}.sig"
chmod +x $SLASHER_REAL
else
color "37" "Slasher is up to date."
fi
fi fi
case $1 in case $1 in
@ -142,11 +192,17 @@ case $1 in
readonly process=$VALIDATOR_REAL readonly process=$VALIDATOR_REAL
;; ;;
slasher)
readonly process=$SLASHER_REAL
;;
*) *)
color "31" "Usage: ./prysm.sh PROCESS FLAGS." color "31" "Usage: ./prysm.sh PROCESS FLAGS."
color "31" "PROCESS can be beacon-chain or validator." color "31" "PROCESS can be beacon-chain, validator, or slasher."
;; ;;
esac esac
verify $process
color "36" "Starting Prysm $1 ${@:2}" color "36" "Starting Prysm $1 ${@:2}"
exec -a "$0" "${process}" "${@:2}" exec -a "$0" "${process}" "${@:2}"