Created November 18, 2016 06:38
Chef recipe snippet to verify the checksum on a downloaded binary before using it
# Download the binary 'foo' at a specific version to a local file that includes
# the version number. The effect of this is that by changing the version number
# you get a new copy of the file, and you don't need to check the remote URL to
# determine if you have the right version.
remote_file "/usr/local/bin/foo-#{node['foo']['download']['version']}" do
  source "#{node['foo']['download']['URL']}/#{node['foo']['download']['version']}"
  owner 'ubuntu'
  group 'ubuntu'
  mode '0755'
  action :create
  not_if do
    # don't re-download it if we already have it
    File.exist?("/usr/local/bin/foo-#{node['foo']['download']['version']}")
  end
end

# Symlink the versioned binary into place as the unversioned name, but only if
# the checksum is good. This validates that your download was not corrupted or
# subverted.
link "/usr/local/bin/foo" do
  to "/usr/local/bin/foo-#{node['foo']['download']['version']}"
  not_if do
    require 'digest'
    checksum = Digest::SHA256.file("/usr/local/bin/foo-#{node['foo']['download']['version']}").hexdigest
    if checksum != node['foo']['download']['sha256_checksum']
      # a mismatch aborts the Chef run instead of quietly skipping the link
      raise "Downloaded foo Checksum #{checksum} does not match expected checksum #{node['foo']['download']['sha256_checksum']}"
    end
    # checksum matched: return false so the guard lets the link be created
    false
  end
end
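The verify-then-link step above, as a stand-alone Ruby sketch that is added here and is not part of the gist. The helper name `activate_verified` and the temp-directory demo files are hypothetical; unlike the recipe, it deletes a file that fails verification, so a `File.exist?` download guard does not keep the bad copy forever, and it swaps the symlink with a rename.

```ruby
require 'digest'
require 'fileutils'
require 'tmpdir'

# Hypothetical helper (not part of the gist): verify `versioned` against the
# pinned SHA-256, then atomically point `link` at it. On mismatch the bad file
# is deleted so an existence-based download guard fetches it again next run.
def activate_verified(versioned, link, expected_sha256)
  expected = expected_sha256.to_s.strip.downcase
  unless expected.match?(/\A[0-9a-f]{64}\z/)
    raise ArgumentError, 'expected checksum is not a 64-character hex SHA-256'
  end

  actual = Digest::SHA256.file(versioned).hexdigest
  if actual != expected
    File.delete(versioned)
    raise "checksum mismatch for #{versioned}: got #{actual}, expected #{expected}"
  end

  # Create the symlink under a temporary name, then rename it over the old one.
  tmp = "#{link}.tmp-#{Process.pid}"
  FileUtils.rm_f(tmp)
  File.symlink(versioned, tmp)
  File.rename(tmp, link)
  link
end

# Constructed demo: temp files stand in for /usr/local/bin/foo-<version>.
def demo
  Dir.mktmpdir do |dir|
    good = File.join(dir, 'foo-1.0')
    bad  = File.join(dir, 'foo-1.1')
    link = File.join(dir, 'foo')
    File.write(good, "constructed binary v1.0\n")
    File.write(bad,  "tampered bytes\n")
    pinned_good = Digest::SHA256.hexdigest("constructed binary v1.0\n")
    pinned_bad  = Digest::SHA256.hexdigest("constructed binary v1.1\n")
    activate_verified(good, link, pinned_good)
    rejected = begin
      activate_verified(bad, link, pinned_bad)
      false
    rescue RuntimeError
      true
    end
    { target: File.readlink(link), rejected: rejected, bad_file_removed: !File.exist?(bad) }
  end
end
```

In a Chef recipe, `remote_file`'s own `checksum` property (a SHA-256 hex string) can carry the same pinned value.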