Merge pull request #313 from apigee/issue312

feat: adds support to verify signature when downloading #312
apigee · Oct 10, 2023 · 593f5f5 · 593f5f5
2 parents 8e33e2f + 43fdaef
commit 593f5f5
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/downloadLatest.sh b/downloadLatest.sh
@@ -66,6 +66,8 @@ NAME="apigeecli_$APIGEECLI_VERSION"
 
 cd "$tmp" || exit
 URL="https://github.com/apigee/apigeecli/releases/download/${APIGEECLI_VERSION}/apigeecli_${APIGEECLI_VERSION}_${OSEXT}_${APIGEECLI_ARCH}.zip"
+SIG_URL="https://github.com/apigee/apigeecli/releases/download/${APIGEECLI_VERSION}/apigeecli_${APIGEECLI_VERSION}_${OSEXT}_${APIGEECLI_ARCH}.zip.sig"
+COSIGN_PUBLIC_KEY="https://raw.githubusercontent.com/apigee/apigeecli/main/cosign.pub"
 
 download_cli() {
   printf "\nDownloading %s from %s ...\n" "$NAME" "$URL"
@@ -75,6 +77,25 @@ download_cli() {
   fi
   curl -fsLO "$URL"
   filename="apigeecli_${APIGEECLI_VERSION}_${OSEXT}_${APIGEECLI_ARCH}.zip"
+  # Check if cosign is installed
+  set +e # disable exit on error
+  cosign version 2>&1 >/dev/null
+  RESULT=$?
+  set -e # re-enable exit on error
+  if [ $RESULT -eq 0 ]; then
+    echo "Verifying the signature of the binary " "$filename"
+    echo "Downloading the cosign public key"
+    curl -fsLO -H 'Cache-Control: no-cache, no-store' "$COSIGN_PUBLIC_KEY"
+    echo "Downloading the signature file " "$SIG_URL"
+    curl -fsLO -H 'Cache-Control: no-cache, no-store' "$SIG_URL"
+    sig_filename="apigeecli_${OSEXT}_${APIGEECLI_ARCH}.zip.sig"
+    echo "Verifying the signature"
+    cosign verify-blob --key cosign.pub --signature "$sig_filename" "$filename"
+    rm "$sig_filename"
+    rm cosign.pub
+  else
+    echo "cosign is not installed, skipping signature verification"
+  fi
   unzip "${filename}"
   rm "${filename}"
 }