From 0984638a74e533e834711be42a783d74b064f9af Mon Sep 17 00:00:00 2001
From: Oliver Gugger <gugger@gmail.com>
Date: Mon, 27 Sep 2021 11:03:11 +0200
Subject: [PATCH] scripts: make sure signature files have unique names

To fix a simple attack where the same file would be uploaded multiple
times under the same name, we make sure we only count unique file names.
---
 scripts/verify-install.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/scripts/verify-install.sh b/scripts/verify-install.sh
index e347a4005..6527b464d 100755
--- a/scripts/verify-install.sh
+++ b/scripts/verify-install.sh
@@ -103,6 +103,11 @@ function verify_signatures() {
   MANIFEST=$(echo $ASSETS | jq -r "$MANIFEST_SELECTOR")
   SIGNATURES=$(echo $ASSETS | jq -r "$SIGNATURE_SELECTOR")
 
+  # We need to make sure we have unique signature file names. Otherwise someone
+  # could just upload the same signature multiple times (if GH allows it for
+  # some reason).
+  SIGNATURES=$(echo $ASSETS | jq -r "$SIGNATURE_SELECTOR" | sort | uniq)
+
   # Download the main "manifest-*.txt" and all "manifest-*.sig" files containing
   # the detached signatures.
   echo "Downloading $MANIFEST"