Merge pull request #34 from guardian/verify-artifact-hashes

Verify artifact hashes before signing

.github/workflows/reusable-release.yml

@@ -284,6 +284,7 @@ jobs:
     runs-on: ubuntu-latest
     env:
       KEY_FINGERPRINT: ${{ needs.init.outputs.key_fingerprint }}
+      ARTIFACT_SHA256SUMS: ${{ needs.create-artifacts.outputs.ARTIFACT_SHA256SUMS }}
     steps:
       - id: generate-github-app-token
         uses: actions/create-github-app-token@v1
@@ -302,6 +303,19 @@ jobs:
           path: ${{ env.LOCAL_ARTIFACTS_STAGING_PATH }}
           key: unsigned-${{ env.RUN_ATTEMPT_UID }}
           fail-on-cache-miss: true
+      - name: Verify artifact hashes before signing
+        run: |
+          sudo apt-get install hashdeep -q > /dev/null
+          ARTIFACT_SHA256SUMS_FILE=$( mktemp )
+          printf "$ARTIFACT_SHA256SUMS" > $ARTIFACT_SHA256SUMS_FILE
+          
+          cd $LOCAL_ARTIFACTS_STAGING_PATH
+          echo "Checking artifact hashes..."
+          if [[ $(sha256deep -r -l -X "$ARTIFACT_SHA256SUMS_FILE" .) ]]
+          then
+            echo "::error title=Artifact hash verification failed::Artifacts for signing don't match the hash values recorded when they were generated."
+            exit 1
+          fi
       - uses: actions/setup-java@v4
         with:
           distribution: corretto
@@ -315,10 +329,9 @@ jobs:
         env:
           RELEASE_TAG: ${{ needs.push-release-commit.outputs.release_tag }}
           RELEASE_COMMIT_ID: ${{ needs.push-release-commit.outputs.release_commit_id }}
-          ARTIFACT_SHA256SUMS: ${{ needs.create-artifacts.outputs.ARTIFACT_SHA256SUMS }}
           KEY_EMAIL: ${{ needs.init.outputs.key_email }}
         run: |
-          cd repo
+          cd $GITHUB_WORKSPACE/repo
           git config user.email "$KEY_EMAIL"
           git config user.name "$COMMITTER_NAME"
           git config tag.gpgSign true