Update prysm.sh to include slasher and sig verify (#5543)

* Add gpg detached signature checks * Add slasher * Pull key * move recv after log * use shasum, download pgp keys * only download key if not present * revert bazelversion change * Actually fail and allow bypass Co-authored-by: prylabs-bulldozer[bot] <58059840+prylabs-bulldozer[bot]@users.noreply.github.com>
2025-01-03 00:27:38 +00:00 · 2020-04-23 07:57:21 -07:00 · 2020-04-23 07:57:21 -07:00 · a6a2ad4409
commit a6a2ad4409
parent 49ca0751b6
1 changed files with 77 additions and 21 deletions
--- a/prysm.sh
+++ b/prysm.sh
@ -10,6 +10,8 @@ set -eu
 # Use USE_PRYSM_VERSION to specify a specific release version. 
 #   Example: USE_PRYSM_VERSION=v0.3.3 ./prysm.sh beacon-chain

+readonly PRYLABS_SIGNING_KEY=0AE0051D647BA3C1A917AF4072E33E4DF1A5036E 
+
 function color() {
      # Usage: color "31;5" "string"
      # Some valid values for color:
@ -62,7 +64,7 @@ function get_realpath() {
 # Complain if no arguments were provided.
 if [ "$#" -lt 1 ]; then
    color "31" "Usage: ./prysm.sh PROCESS FLAGS."
-    color "31" "PROCESS can be beacon-chain or validator."
+    color "31" "PROCESS can be beacon-chain, validator, or slasher."
    exit 1
 fi

@ -81,7 +83,7 @@ case "$OSTYPE" in
  cygwin*)  system="windows" ;;
  *)        exit 1 ;;
 esac
-
+readonly system

 if [ "$system" == "windows" ]; then
 	arch="amd64.exe"
@ -103,25 +105,58 @@ function get_prysm_version() {
  fi
 }

+function verify() {
+  file=$1
+
+  hash shasum 2>/dev/null || { echo >&2 "shasum is not available. Not verifying integrity of downloaded binary."; return failed_verification; }
+  hash gpg 2>/dev/null || { echo >&2 "gpg is not available. Not verifying integrity of downloaded binary."; return failed_verification; }
+
+  color "37" "Verifying binary integrity."
+
+  gpg --list-keys $PRYLABS_SIGNING_KEY >/dev/null 2>&1 || curl --silent https://prysmaticlabs.com/releases/pgp_keys.asc | gpg --import
+  (cd $wrapper_dir; shasum -a 256 -c "${file}.sha256" || failed_verification)
+  (cd $wrapper_dir; gpg -u $PRYLABS_SIGNING_KEY --verify "${file}.sig" $file || failed_verification)
+
+  color "32;1" "Verified ${file} has been signed by Prysmatic Labs."
+}
+
+function failed_verification() {
+  skip=${PRYSM_ALLOW_UNVERIFIED_BINARIES-0}
+  if [[ $skip == 1 ]]; then
+    return 0
+  fi
+  color "31" "Failed to verify Prysm binary. Please erase downloads in the \
+dist directory and run this script again. Alternatively, you can use a \
+A prior version by specifying environment variable USE_PRYSM_VERSION \
+with the specific version, as desired. Example: USE_PRYSM_VERSION=v1.0.0-alpha.5 \
+If you must wish to continue running an unverified binary, specific the \
+environment variable PRYSM_ALLOW_UNVERIFIED_BINARIES=1"
+  exit 1
+}
+
 get_prysm_version

 color "37" "Latest Prysm version is $prysm_version."

 BEACON_CHAIN_REAL="${wrapper_dir}/beacon-chain-${prysm_version}-${system}-${arch}"
 VALIDATOR_REAL="${wrapper_dir}/validator-${prysm_version}-${system}-${arch}"
+SLASHER_REAL="${wrapper_dir}/slasher-${prysm_version}-${system}-${arch}"

-if [[ ! -x $BEACON_CHAIN_REAL ]]; then 
+if [[ $1 == beacon-chain ]]; then 
+  if [[ ! -x $BEACON_CHAIN_REAL ]]; then 
      color "34" "Downloading beacon chain@${prysm_version} to ${BEACON_CHAIN_REAL} (${reason})"
      file=beacon-chain-${prysm_version}-${system}-${arch}
      curl -L "https://prysmaticlabs.com/releases/${file}" -o $BEACON_CHAIN_REAL
      curl --silent -L "https://prysmaticlabs.com/releases/${file}.sha256" -o "${wrapper_dir}/${file}.sha256"
      curl --silent -L "https://prysmaticlabs.com/releases/${file}.sig" -o "${wrapper_dir}/${file}.sig"
      chmod +x $BEACON_CHAIN_REAL
-else
+  else
      color "37" "Beacon chain is up to date."
+  fi
 fi

-if [[ ! -x $VALIDATOR_REAL ]]; then 
+if  [[ $1 == validator ]]; then 
+  if [[ ! -x $VALIDATOR_REAL ]]; then 
      color "34" "Downloading validator@${prysm_version} to ${VALIDATOR_REAL} (${reason})"

      file=validator-${prysm_version}-${system}-${arch}
@ -129,8 +164,23 @@ if [[ ! -x $VALIDATOR_REAL ]]; then
      curl --silent -L "https://prysmaticlabs.com/releases/${file}.sha256" -o "${wrapper_dir}/${file}.sha256"
      curl --silent -L "https://prysmaticlabs.com/releases/${file}.sig" -o "${wrapper_dir}/${file}.sig"
      chmod +x $VALIDATOR_REAL
-else
+  else
      color "37" "Validator is up to date."
+  fi
+fi
+
+if [[ $1 == slasher ]]; then
+  if [[ ! -x $SLASHER_REAL ]]; then 
+      color "34" "Downloading slasher@${prysm_version} to ${SLASHER_REAL} (${reason})"
+
+      file=slasher-${prysm_version}-${system}-${arch}
+      curl -L "https://prysmaticlabs.com/releases/${file}" -o $SLASHER_REAL
+      curl --silent -L "https://prysmaticlabs.com/releases/${file}.sha256" -o "${wrapper_dir}/${file}.sha256"
+      curl --silent -L "https://prysmaticlabs.com/releases/${file}.sig" -o "${wrapper_dir}/${file}.sig"
+      chmod +x $SLASHER_REAL
+  else
+      color "37" "Slasher is up to date."
+  fi
 fi

 case $1 in
@ -142,11 +192,17 @@ case $1 in
    readonly process=$VALIDATOR_REAL
    ;;

+  slasher)
+    readonly process=$SLASHER_REAL
+    ;;
+
  *)
    color "31" "Usage: ./prysm.sh PROCESS FLAGS."
-    color "31" "PROCESS can be beacon-chain or validator."
+    color "31" "PROCESS can be beacon-chain, validator, or slasher."
    ;;
 esac

+verify $process
+
 color "36" "Starting Prysm $1 ${@:2}"
 exec -a "$0" "${process}" "${@:2}"