2023-09-25 19:48:23 +00:00
#!/bin/sh
set -o errexit
usage( ) {
this = $1
cat <<EOF
$this : download go binaries for trufflesecurity/trufflehog
Usage: $this [ -b] bindir [ -d] [ tag]
-b sets bindir or installation directory, Defaults to ./bin
-d turns on debug logging
2024-01-11 19:56:21 +00:00
-v verify checksum signature. Require cosign binary to be installed.
2023-09-25 19:48:23 +00:00
[ tag] is a tag from
https://github.com/trufflesecurity/trufflehog/releases
If tag is missing, then the latest will be used.
EOF
exit 2
}
parse_args( ) {
#BINDIR is ./bin unless set be ENV
# over-ridden by flag below
BINDIR = ${ BINDIR :- ./bin }
2024-01-11 19:56:21 +00:00
while getopts "b:dvh?x" arg; do
2023-09-25 19:48:23 +00:00
case " $arg " in
b) BINDIR = " $OPTARG " ; ;
d) log_set_priority 10 ; ;
2024-01-11 19:56:21 +00:00
v) VERIFY_SIGN = true; ;
2023-09-25 19:48:23 +00:00
h | \? ) usage " $0 " ; ;
x) set -x ; ;
esac
done
shift $(( OPTIND - 1 ))
TAG = $1
}
# this function wraps all the destructive operations
# if a curl|bash cuts off the end of the script due to
# network, either nothing will happen or will syntax error
# out preventing half-done work
execute( ) {
tmpdir = $( mktemp -d)
log_debug " downloading files into ${ tmpdir } "
http_download " ${ tmpdir } / ${ CHECKSUM } " " ${ CHECKSUM_URL } "
2024-01-11 19:56:21 +00:00
if [ " $VERIFY_SIGN " = true ] ; then
http_download " ${ tmpdir } / ${ CHECKSUM } . ${ CERT_FORMAT } " " ${ CHECKSUM_URL } . ${ CERT_FORMAT } "
http_download " ${ tmpdir } / ${ CHECKSUM } . ${ SIG_FORMAT } " " ${ CHECKSUM_URL } . ${ SIG_FORMAT } "
verify_sign " ${ tmpdir } / ${ CHECKSUM } " " ${ tmpdir } / ${ CHECKSUM } . ${ CERT_FORMAT } " " ${ tmpdir } / ${ CHECKSUM } . ${ SIG_FORMAT } "
fi
http_download " ${ tmpdir } / ${ TARBALL } " " ${ TARBALL_URL } "
2023-09-25 19:48:23 +00:00
hash_sha256_verify " ${ tmpdir } / ${ TARBALL } " " ${ tmpdir } / ${ CHECKSUM } "
srcdir = " ${ tmpdir } "
( cd " ${ tmpdir } " && untar " ${ TARBALL } " )
mkdir -p " ${ BINDIR } "
binexe = ${ BINARY }
if [ " $OS " = "windows" ] ; then
binexe = " ${ binexe } .exe "
fi
install " ${ srcdir } / ${ binexe } " " ${ BINDIR } / "
log_info " installed ${ BINDIR } / ${ binexe } "
rm -rf " ${ tmpdir } "
}
get_binary( ) {
case " $PLATFORM " in
darwin/amd64) BINARY = "trufflehog" ; ;
darwin/arm64) BINARY = "trufflehog" ; ;
linux/amd64) BINARY = "trufflehog" ; ;
linux/arm64) BINARY = "trufflehog" ; ;
windows/amd64) BINARY = "trufflehog" ; ;
windows/arm64) BINARY = "trufflehog" ; ;
*)
log_crit " platform $PLATFORM is not supported. Make sure this script is up-to-date and file request at https://github.com/ ${ PREFIX } /issues/new "
exit 1
; ;
esac
}
tag_to_version( ) {
if [ -z " ${ TAG } " ] ; then
log_info "checking GitHub for latest tag"
else
log_info " checking GitHub for tag ' ${ TAG } ' "
fi
REALTAG = $( github_release " $OWNER / $REPO " " ${ TAG } " ) || true
if test -z " $REALTAG " ; then
log_crit " unable to find ' ${ TAG } ' - use 'latest' or see https://github.com/ ${ PREFIX } /releases for details "
exit 1
fi
# if version starts with 'v', remove it
TAG = " $REALTAG "
VERSION = ${ TAG #v }
}
cat /dev/null <<EOF
------------------------------------------------------------------------
https://github.com/client9/shlib - portable posix shell functions
Public domain - http://unlicense.org
https://github.com/client9/shlib/blob/master/LICENSE.md
but credit ( and pull requests) appreciated.
------------------------------------------------------------------------
EOF
is_command( ) {
command -v " $1 " >/dev/null
}
echoerr( ) {
echo " $@ " 1>& 2
}
_logp = 6
log_set_priority( ) {
_logp = " $1 "
}
log_priority( ) {
if test -z " $1 " ; then
echo " $_logp "
return
fi
[ " $1 " -le " $_logp " ]
}
log_tag( ) {
case $1 in
0) echo "emerg" ; ;
1) echo "alert" ; ;
2) echo "crit" ; ;
3) echo "err" ; ;
4) echo "warning" ; ;
5) echo "notice" ; ;
6) echo "info" ; ;
7) echo "debug" ; ;
*) echo " $1 " ; ;
esac
}
log_debug( ) {
log_priority 7 || return 0
echo " $( log_prefix) " " $( log_tag 7) " " $@ "
}
log_info( ) {
log_priority 6 || return 0
echo " $( log_prefix) " " $( log_tag 6) " " $@ "
}
log_err( ) {
log_priority 3 || return 0
echoerr " $( log_prefix) " " $( log_tag 3) " " $@ "
}
log_crit( ) {
log_priority 2 || return 0
echoerr " $( log_prefix) " " $( log_tag 2) " " $@ "
}
uname_os( ) {
os = $( uname -s | tr '[:upper:]' '[:lower:]' )
case " $os " in
cygwin_nt*) os = "windows" ; ;
mingw*) os = "windows" ; ;
msys_nt*) os = "windows" ; ;
esac
echo " $os "
}
uname_arch( ) {
arch = $( uname -m)
case $arch in
x86_64) arch = "amd64" ; ;
aarch64) arch = "arm64" ; ;
esac
echo ${ arch }
}
uname_os_check( ) (
os = $1
case " $os " in
darwin) return 0 ; ;
dragonfly) return 0 ; ;
freebsd) return 0 ; ;
linux) return 0 ; ;
android) return 0 ; ;
nacl) return 0 ; ;
netbsd) return 0 ; ;
openbsd) return 0 ; ;
plan9) return 0 ; ;
solaris) return 0 ; ;
windows) return 0 ; ;
esac
log_crit " uname_os_check ' $( uname -s) ' got converted to ' $os ' which is not a GOOS value. Please file bug at https://github.com/client9/shlib "
return 1
)
uname_arch_check( ) (
arch = $1
case " $arch " in
386) return 0 ; ;
amd64) return 0 ; ;
arm64) return 0 ; ;
armv5) return 0 ; ;
armv6) return 0 ; ;
armv7) return 0 ; ;
ppc64) return 0 ; ;
ppc64le) return 0 ; ;
mips) return 0 ; ;
mipsle) return 0 ; ;
mips64) return 0 ; ;
mips64le) return 0 ; ;
s390x) return 0 ; ;
amd64p32) return 0 ; ;
esac
log_crit " uname_arch_check ' $( uname -m) ' got converted to ' $arch ' which is not a GOARCH value. Please file bug report at https://github.com/client9/shlib "
return 1
)
untar( ) {
tarball = $1
case " ${ tarball } " in
*.tar.gz | *.tgz) tar --no-same-owner -xzf " ${ tarball } " ; ;
*.tar) tar --no-same-owner -xf " ${ tarball } " ; ;
*.zip) unzip " ${ tarball } " ; ;
*)
log_err " untar unknown archive format for ${ tarball } "
return 1
; ;
esac
}
http_download_curl( ) {
local_file = $1
source_url = $2
header = $3
if [ -z " $header " ] ; then
code = $( curl -w '%{http_code}' -sL -o " $local_file " " $source_url " )
else
code = $( curl -w '%{http_code}' -sL -H " $header " -o " $local_file " " $source_url " )
fi
if [ " $code " != "200" ] ; then
log_err " http_download_curl received HTTP status $code "
return 1
fi
return 0
}
http_download_wget( ) {
local_file = $1
source_url = $2
header = $3
if [ -z " $header " ] ; then
wget -q -O " $local_file " " $source_url "
else
wget -q --header " $header " -O " $local_file " " $source_url "
fi
}
http_download( ) {
log_debug " http_download $2 "
if is_command curl; then
http_download_curl " $@ "
return
elif is_command wget; then
http_download_wget " $@ "
return
fi
log_crit "http_download unable to find wget or curl"
return 1
}
http_copy( ) {
tmp = $( mktemp)
http_download " ${ tmp } " " $1 " " $2 " || return 1
body = $( cat " $tmp " )
rm -f " ${ tmp } "
echo " $body "
}
github_release( ) {
owner_repo = $1
version = $2
test -z " $version " && version = "latest"
giturl = " https://github.com/ ${ owner_repo } /releases/ ${ version } "
json = $( http_copy " $giturl " "Accept:application/json" )
test -z " $json " && return 1
version = $( echo " $json " | tr -s '\n' ' ' | sed 's/.*"tag_name":"//' | sed 's/".*//' )
test -z " $version " && return 1
echo " $version "
}
hash_sha256( ) {
TARGET = ${ 1 :- /dev/stdin }
if is_command gsha256sum; then
hash = $( gsha256sum " $TARGET " ) || return 1
echo " $hash " | cut -d ' ' -f 1
elif is_command sha256sum; then
hash = $( sha256sum " $TARGET " ) || return 1
echo " $hash " | cut -d ' ' -f 1
elif is_command shasum; then
hash = $( shasum -a 256 " $TARGET " 2>/dev/null) || return 1
echo " $hash " | cut -d ' ' -f 1
elif is_command openssl; then
hash = $( openssl -dst openssl dgst -sha256 " $TARGET " ) || return 1
echo " $hash " | cut -d ' ' -f a
else
log_crit "hash_sha256 unable to find command to compute sha-256 hash"
return 1
fi
}
hash_sha256_verify( ) {
TARGET = $1
checksums = $2
if [ -z " $checksums " ] ; then
log_err "hash_sha256_verify checksum file not specified in arg2"
return 1
fi
BASENAME = ${ TARGET ##*/ }
want = $( grep " ${ BASENAME } " " ${ checksums } " 2>/dev/null | tr '\t' ' ' | cut -d ' ' -f 1)
if [ -z " $want " ] ; then
log_err " hash_sha256_verify unable to find checksum for ' ${ TARGET } ' in ' ${ checksums } ' "
return 1
fi
got = $( hash_sha256 " $TARGET " )
if [ " $want " != " $got " ] ; then
log_err " hash_sha256_verify checksum for ' $TARGET ' did not verify ${ want } vs $got "
return 1
fi
}
2024-01-11 19:56:21 +00:00
check_cosign_bin( ) {
if [ " $VERIFY_SIGN " = true ] ; then
if [ ! -x " $( command -v " $COSIGN_BINARY " ) " ] ; then
log_err "Cosign binary is not installed. Follow steps from https://docs.sigstore.dev/system_config/installation/ to install it."
return 1
fi
fi
}
verify_sign( ) {
log_debug " Verifying artifact $1 "
${ COSIGN_BINARY } verify-blob " $1 " \
--certificate " $2 " \
--signature " $3 " \
--certificate-identity-regexp " https://github\.com/ ${ OWNER } / ${ REPO } /\.github/workflows/.+ " \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
}
2023-09-25 19:48:23 +00:00
cat /dev/null <<EOF
------------------------------------------------------------------------
End of functions from https://github.com/client9/shlib
------------------------------------------------------------------------
EOF
PROJECT_NAME = "trufflehog"
OWNER = trufflesecurity
REPO = "trufflehog"
FORMAT = tar.gz
OS = $( uname_os)
ARCH = $( uname_arch)
PREFIX = " $OWNER / $REPO "
PLATFORM = " ${ OS } / ${ ARCH } "
GITHUB_DOWNLOAD = https://github.com/${ OWNER } /${ REPO } /releases/download
2024-01-11 19:56:21 +00:00
COSIGN_BINARY = cosign
VERIFY_SIGN = false
CERT_FORMAT = pem
SIG_FORMAT = sig
2023-09-25 19:48:23 +00:00
# use in logging routines
log_prefix( ) {
echo " $PREFIX "
}
uname_os_check " $OS "
uname_arch_check " $ARCH "
parse_args " $@ "
2024-01-11 19:56:21 +00:00
check_cosign_bin
2023-09-25 19:48:23 +00:00
get_binary
tag_to_version
log_info " found version: ${ VERSION } for ${ TAG } / ${ OS } / ${ ARCH } "
NAME = ${ PROJECT_NAME } _${ VERSION } _${ OS } _${ ARCH }
TARBALL = ${ NAME } .${ FORMAT }
TARBALL_URL = ${ GITHUB_DOWNLOAD } /${ TAG } /${ TARBALL }
CHECKSUM = ${ PROJECT_NAME } _${ VERSION } _checksums.txt
CHECKSUM_URL = ${ GITHUB_DOWNLOAD } /${ TAG } /${ CHECKSUM }
execute