highperfocused/lnd
1
0
Fork 0
mirror of https://github.com/lightningnetwork/lnd.git synced 2025-05-04 17:00:20 +02:00
Code Issues Packages Projects Releases Wiki Activity

scripts: make sure signature files have unique names

Browse Source 
To fix a simple attack where the same file would be uploaded multiple
times under the same name, we make sure we only count unique file names.
This commit is contained in:
Oliver Gugger 2021-09-27 11:03:11 +02:00
parent c8987ec2c5
commit 0984638a74
No known key found for this signature in database
GPG Key ID: 8E4256593F177720
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
scripts/verify-install.sh
View File

@ -103,6 +103,11 @@ function verify_signatures() {
MANIFEST=$(echo $ASSETS | jq -r "$MANIFEST_SELECTOR") MANIFEST=$(echo $ASSETS | jq -r "$MANIFEST_SELECTOR")
SIGNATURES=$(echo $ASSETS | jq -r "$SIGNATURE_SELECTOR") SIGNATURES=$(echo $ASSETS | jq -r "$SIGNATURE_SELECTOR")
# We need to make sure we have unique signature file names. Otherwise someone
# could just upload the same signature multiple times (if GH allows it for
# some reason).
SIGNATURES=$(echo $ASSETS | jq -r "$SIGNATURE_SELECTOR" | sort | uniq)
# Download the main "manifest-*.txt" and all "manifest-*.sig" files containing # Download the main "manifest-*.txt" and all "manifest-*.sig" files containing
# the detached signatures. # the detached signatures.
echo "Downloading $MANIFEST" echo "Downloading $MANIFEST"