
bin+lib artc

A program for downloading artifacts and verifying the sha hashes and pgp signatures

2 releases

Uses old Rust 2015

0.1.1 Sep 27, 2018
0.1.0 Sep 10, 2018

#1120 in Cryptography

Apache-2.0 and LGPL-2.1

34KB
618 lines

Artifact Configuration

A program for downloading artifacts and verifying the sha hashes and pgp signatures.

Downloading artifacts

To begin the build process, you will need to create an input file (say urls.txt) listing one artifact URL per line:

https://jcenter.bintray.com/com/android/tools/annotations/24.5.0/annotations-24.5.0.pom
https://jcenter.bintray.com/com/google/guava/guava/22.0/guava-22.0.jar
https://jcenter.bintray.com/com/google/guava/guava/22.0/guava-22.0.pom
https://maven.google.com/com/android/tools/repository/26.0.1/repository-26.0.1.pom
https://maven.google.com/com/android/tools/sdk-common/26.0.1/sdk-common-26.0.1.jar

Next, run the following command:

artc download --input urls.txt

This will generate files under the target directory ./target/artc.

The asc.tsv file contains the fingerprint of the signing key and the URL of the main artifact, one artifact per line:

3872ED7D5904493D23D78FA2C4C8CB73B1435348 	 https://jcenter.bintray.com/com/android/tools/annotations/24.5.0/annotations-24.5.0.pom
694621A7227D8D5289699830ABE9F3126BB741C1 	 https://jcenter.bintray.com/com/google/guava/guava/22.0/guava-22.0.jar
694621A7227D8D5289699830ABE9F3126BB741C1 	 https://jcenter.bintray.com/com/google/guava/guava/22.0/guava-22.0.pom

The keys directory contains the downloaded public keys used to verify the signatures, one file per key ID:

-rw-r--r-- 1 shane shane  2020 Sep  7 23:11 0374CF2E8DD1BDFD
-rw-r--r-- 1 shane shane  1700 Sep  7 23:08 0DA8A5EC02D11EAD
-rw-r--r-- 1 shane shane  3136 Sep  7 23:04 16AE34E5C9C3E2BB
-rw-r--r-- 1 shane shane 12289 Sep  7 23:09 205C8673DC742C7C

Finally the pubring.kbx file is the keystore with the imported keys.

The sha.tsv file contains the sha256 of each artifact, followed by a gen/ver field value and the artifact URL:

c3c99bf58182889fe86315e9a01473ee2c95540b9dedef898cec64554d925c54 	 gen 	 https://jcenter.bintray.com/com/android/tools/annotations/24.5.0/annotations-24.5.0.pom
1158e94c7de4da480873f0b4ab4a1da14c0d23d4b1902cc94a58a6f0f9ab579e 	 ver 	 https://jcenter.bintray.com/com/google/guava/guava/22.0/guava-22.0.jar
bfadb3b40f65dd6de1666d6b29f8bb54031396c76eeef4146cf9f28255f8bf33 	 ver 	 https://jcenter.bintray.com/com/google/guava/guava/22.0/guava-22.0.pom
a20fb26c8de5b0ff7a3069e681fcf01ebefd2f3d24b832c3af22d981d7d4376b 	 gen 	 https://maven.google.com/com/android/tools/repository/26.0.1/repository-26.0.1.pom
7e8bdca281bdcb6dad48a80854837f1c0ab46f31a0b292370e320f471f5b9cfd 	 gen 	 https://maven.google.com/com/android/tools/sdk-common/26.0.1/sdk-common-26.0.1.jar

The gen value means that the sha256 was generated by the build: there was no associated ${url}.sha2 file to download and verify against, so the digest only records what was downloaded.

For example, the following URL does not exist, so the sdk-common jar's field value is gen:

https://maven.google.com/com/android/tools/sdk-common/26.0.1/sdk-common-26.0.1.jar.sha2

The ver field value means that the ${url}.sha2 file exists and the build verified the sha256 of the downloaded artifact against the value it contains.

RBM

This command generates Tor RBM config files.

artc rbm --keyring android.gpg

The keyring option specifies the name of the keyring that you will use for the downloaded artifacts. Say that you specify the keyring as android.gpg. Then the pubring.kbx file will be renamed to android.gpg.

The following entries will be found in the rbm/config file. Notice that the config has a comment if the sha has not been verified. The build only falls back to the sha256 if the asc signature can't be used.

    #Sha not verified from original source
  - URL:  https://maven.google.com/com/android/tools/sdk-common/26.0.1/sdk-common-26.0.1.jar
    sha256Sum: 7e8bdca281bdcb6dad48a80854837f1c0ab46f31a0b292370e320f471f5b9cfd 
  - URL:  https://jcenter.bintray.com/com/google/guava/guava/22.0/guava-22.0.jar
    sig_ext: asc
    file_gpg_id: 694621A7227D8D5289699830ABE9F3126BB741C1 
    gpg_keyring: android.gpg
  - URL:  https://jcenter.bintray.com/com/google/guava/guava/22.0/guava-22.0.pom
    sig_ext: asc
    file_gpg_id: 694621A7227D8D5289699830ABE9F3126BB741C1 
    gpg_keyring: android.gpg
  - URL:  https://jcenter.bintray.com/com/android/tools/annotations/24.5.0/annotations-24.5.0.pom
    sig_ext: asc
    file_gpg_id: 3872ED7D5904493D23D78FA2C4C8CB73B1435348 
    gpg_keyring: android.gpg
    #Sha not verified from original source
  - URL:  https://maven.google.com/com/android/tools/repository/26.0.1/repository-26.0.1.pom
    sha256Sum: a20fb26c8de5b0ff7a3069e681fcf01ebefd2f3d24b832c3af22d981d7d4376b 
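The manifests described above and the rules for turning them into RBM entries, as an added Python example (not part of the artc crate): it parses asc.tsv and sha.tsv, emits a signature entry when a key fingerprint is known and otherwise a sha256Sum entry flagged when the digest was only generated, and re-checks a downloaded file's bytes against its digest. The embedded inputs are constructed from the first rows of the listings above.

```python
import hashlib

# Constructed input: the first rows of the asc.tsv / sha.tsv listings above
# (fields are separated by " \t ", so splitting on whitespace is enough).
ASC_TSV = """\
3872ED7D5904493D23D78FA2C4C8CB73B1435348 \t https://jcenter.bintray.com/com/android/tools/annotations/24.5.0/annotations-24.5.0.pom
694621A7227D8D5289699830ABE9F3126BB741C1 \t https://jcenter.bintray.com/com/google/guava/guava/22.0/guava-22.0.jar
"""
SHA_TSV = """\
c3c99bf58182889fe86315e9a01473ee2c95540b9dedef898cec64554d925c54 \t gen \t https://jcenter.bintray.com/com/android/tools/annotations/24.5.0/annotations-24.5.0.pom
1158e94c7de4da480873f0b4ab4a1da14c0d23d4b1902cc94a58a6f0f9ab579e \t ver \t https://jcenter.bintray.com/com/google/guava/guava/22.0/guava-22.0.jar
7e8bdca281bdcb6dad48a80854837f1c0ab46f31a0b292370e320f471f5b9cfd \t gen \t https://maven.google.com/com/android/tools/sdk-common/26.0.1/sdk-common-26.0.1.jar
"""

def parse_asc(text):
    """url -> fingerprint of the key that signed the artifact."""
    return {url: fpr for fpr, url in (ln.split() for ln in text.splitlines() if ln.strip())}

def parse_sha(text):
    """url -> (sha256 hex, 'gen' | 'ver'); any other status field is rejected."""
    out = {}
    for digest, status, url in (ln.split() for ln in text.splitlines() if ln.strip()):
        if status not in ("gen", "ver"):
            raise ValueError(f"unknown status {status!r} for {url}")
        out[url] = (digest.lower(), status)
    return out

def rbm_entries(asc, sha, keyring):
    """Use the PGP signature when a key is known; otherwise fall back to the sha256."""
    entries = []
    for url, (digest, status) in sha.items():
        if url in asc:
            entries.append({"URL": url, "sig_ext": "asc", "file_gpg_id": asc[url], "gpg_keyring": keyring})
        else:  # a 'gen' digest was computed locally, never checked against an upstream .sha2
            entries.append({"URL": url, "sha256Sum": digest, "unverified": status == "gen"})
    return entries

def render_rbm(entries):
    """Emit the YAML fragment in the same shape as rbm/config above."""
    lines = []
    for e in entries:
        if e.get("unverified"):
            lines.append("    #Sha not verified from original source")
        lines.append(f"  - URL:  {e['URL']}")
        lines += [f"    {k}: {e[k]}" for k in ("sig_ext", "file_gpg_id", "gpg_keyring", "sha256Sum") if k in e]
    return "\n".join(lines) + "\n"

def sha256_matches(data, expected_hex):
    """Re-check a downloaded artifact's bytes against its sha.tsv digest."""
    return hashlib.sha256(data).hexdigest() == expected_hex.lower()
```

Entries flagged as unverified are the ones worth pinning by hand (or by a second, independent download) before they are trusted in a reproducible build.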

Since RBM uses a flat directory structure for downloads, a script is also generated that can place the artifacts in a maven repo structure. It is found in rbm/create_maven_repo.sh:

# TODO: Set $M2_REPO to location of maven repository
mkdir -p $M2_REPO/com/android/tools/sdk-common/26.0.1 && cp "sdk-common-26.0.1.jar" "$_"
mkdir -p $M2_REPO/com/google/guava/guava/22.0 && cp "guava-22.0.jar" "$_"
mkdir -p $M2_REPO/com/google/guava/guava/22.0 && cp "guava-22.0.pom" "$_"
mkdir -p $M2_REPO/com/android/tools/annotations/24.5.0 && cp "annotations-24.5.0.pom" "$_"
mkdir -p $M2_REPO/com/android/tools/repository/26.0.1 && cp "repository-26.0.1.pom" "$_"

Package

As an alternative to generating RBM files you can package the artifacts into a maven repo format.

artc package

This copies the artifacts from the artifacts directory to the m2 directory and then archives the m2 directory as maven-repo.tar.gz.

It outputs the hash value to use in an RBM config (or other build).

Note that for an RBM build, this archive will need to be uploaded to some location. The URL of the archive will then need to be added to the config file.

  - URL:  https://example.com/repo/maven-repo.tar.gz
    sha256Sum: a20fb26c8de5b0ff7a3069e681fcf01ebefd2f3d24b832c3af22d981d7d4376b 

Additional info

Reproducible Build Manager - https://rbm.torproject.org/
