| require 'digest' | |
| require 'net/http' | |
| gem_file = 'rubygems-update-2.4.8.gem' | |
| # Reference: https://rubygems.org/gems/rubygems-update/versions/2.4.8 | |
| sha256hash = "dbed858db605923d9cc77080de1a5f1ce6ac3c68924877c78665e0d85d7b3e73" | |
| ################################################## | |
| # Download the Gem from RubyGems.org (over HTTPS) | |
| ################################################## | |
| puts "Downloading #{gem_file}" | |
| if File.exists?(gem_file) | |
| File.unlink(gem_file) | |
| end | |
| puts `wget https://rubygems.org/downloads/#{gem_file}` | |
| if File.exists?(gem_file) | |
| puts "Successfully Downloaded #{gem_file}" | |
| else | |
| puts "Failed to Download #{gem_file}" | |
| puts "Aborting..." | |
| exit | |
| end | |
| ################################################## | |
| # Verify the Gem against the SHA265 Hash from RubyGems.org | |
| ################################################## | |
| puts "Verifying File against SHA256 hash" | |
| if Digest::SHA256.hexdigest(File.read(gem_file)) == sha256hash | |
| puts "#{gem_file} is Verified" | |
| else | |
| puts "#{gem_file} is Not Verified" | |
| puts "Aborting..." | |
| exit | |
| end | |
| ################################################## | |
| # Install the gem manually from downloaded file | |
| ################################################## | |
| puts `gem install #{gem_file}` |
This comment has been minimized.
This comment has been minimized.
bf4
commented
Jun 18, 2015
|
Is wget not subject to the same SRV attack as rubygems? If not, the checksum verification is really above and beyond, no? |
This comment has been minimized.
This comment has been minimized.
bf4
commented
Jun 18, 2015
|
Also, maybe add? \curl -sSL https://gist.github.com/claudijd/3763faa17b83b614cb00/download | \
tar xzvf - --include 'update.rb' -O | ruby |
This comment has been minimized.
This comment has been minimized.
|
@bf4 I'm moving today, so I whipped this up for @hazula in a pinch between boxes. To your comments... 1.) RE: gem-checksum (cool, go for it) Back to moving for me! Thanks for the comments, much appreciated! |
This comment has been minimized.
This comment has been minimized.
|
Ha, just realized @bf4 is also @hazula. Have a good day man, gotta run! |
This comment has been minimized.
This comment has been minimized.
bf4
commented
Jun 18, 2015
|
heh, that's me :) |
This comment has been minimized.
This comment has been minimized.
bf4
commented
Jun 18, 2015
|
stupiding it up with bash #!/usr/bin/env bash
echo "\n"
which ruby &> /dev/null
if [ $? -eq 0 ]; then
echo "Using $(ruby -e 'puts RUBY_DESCRIPTION')\n"
else
echo "No Ruby found"
echo "Aborting..."
exit 1
fi
set -e
version=${VERSION:-2.4.8}
# sha256hash reference: https://rubygems.org/gems/rubygems-update/versions/2.4.8
checksum=${CHECKSUM:-dbed858db605923d9cc77080de1a5f1ce6ac3c68924877c78665e0d85d7b3e73}
gem_name="rubygems-update-${version}.gem"
# USING CDN url, redirected from https://api.rubygems.org/gems/rubygems-update-2.4.8.gem
# see \curl -sSLI https://api.rubygems.org/gems/rubygems-update-2.4.8.gem
url="https://rubygems.global.ssl.fastly.net/gems/${gem_name}"
rm -f "${gem_name}*"
\curl -sSL $url -o $gem_name
if [ $? -eq 0 ]; then
echo "Successfully Downloaded ${gem_name}\n"
else
echo "Failed to Download ${gem_name}"
echo "Aborting...\n"
exit 2
fi
sha256hash=$(cat $gem_name | openssl dgst -sha256)
if [ "$checksum" = "$sha256hash" ]; then
echo "${gem_name} is Verified\n"
else
echo "${gem_name} is Not Verified"
echo "Aborting...\n"
exit 3
fi
echo "installing..\n"
gem install ${gem_name} |
This comment has been minimized.
bf4 commentedJun 18, 2015
looks like I need to update https://github.com/bf4/gem-checksum to use sha256. (I wrote this before rubygems.org add checksums to all the gems)