Verify checksums (#49)

Co-authored-by: Derk-Jan Karrenbeld <derk-jan+github@karrenbeld.info>

lib/installer.js

@@ -18,6 +18,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const core = __importStar(require("@actions/core"));
 const exec = __importStar(require("@actions/exec"));
 const tc = __importStar(require("@actions/tool-cache"));
+const crypto = __importStar(require("crypto"));
 const fs = __importStar(require("fs"));
 const os = __importStar(require("os"));
 const path = __importStar(require("path"));
@@ -35,6 +36,24 @@ const archMap = {
 // Store information about the environment
 const osPlat = os.platform(); // possible values: win32 (Windows), linux (Linux), darwin (macOS)
 core.debug(`platform: ${osPlat}`);
+/**
+ * @returns The SHA256 checksum of a given file.
+ */
+function calculateChecksum(file) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const hash = crypto.createHash('sha256');
+        const input = fs.createReadStream(file);
+        return new Promise((resolve, reject) => {
+            input.on('data', (chunk) => {
+                hash.update(chunk);
+            });
+            input.on('end', () => {
+                const digest = hash.digest('hex');
+                digest ? resolve(digest) : reject(new Error(`Could not calculate checksum of file ${file}: digest was empty.`));
+            });
+        });
+    });
+}
 /**
  * @returns The content of the downloaded versions.json file as object.
  */
@@ -99,27 +118,45 @@ function getNightlyFileName(arch) {
     }
     return `julia-latest${versionExt}.${ext}`;
 }
-function getDownloadURL(versionInfo, version, arch) {
+function getFileInfo(versionInfo, version, arch) {
+    if (version == 'nightly') {
+        return null;
+    }
+    for (let file of versionInfo[version].files) {
+        if (file.os == osMap[osPlat] && file.arch == archMap[arch]) {
+            return file;
+        }
+    }
+    throw `Could not find ${archMap[arch]}/${version} binaries`;
+}
+exports.getFileInfo = getFileInfo;
+function getDownloadURL(fileInfo, version, arch) {
     // nightlies
     if (version == 'nightly') {
         const baseURL = 'https://julialangnightlies-s3.julialang.org/bin';
         return `${baseURL}/${osMap[osPlat]}/${arch}/${getNightlyFileName(arch)}`;
     }
-    for (let file of versionInfo[version].files) {
-        if (file.os == osMap[osPlat] && file.arch == archMap[arch]) {
-            core.debug(file);
-            return file.url;
-        }
-    }
-    throw `Could not find ${archMap[arch]}/${version} binaries`;
+    return fileInfo.url;
 }
 exports.getDownloadURL = getDownloadURL;
 function installJulia(versionInfo, version, arch) {
     return __awaiter(this, void 0, void 0, function* () {
         // Download Julia
-        const downloadURL = getDownloadURL(versionInfo, version, arch);
+        const fileInfo = getFileInfo(versionInfo, version, arch);
+        const downloadURL = getDownloadURL(fileInfo, version, arch);
         core.debug(`downloading Julia from ${downloadURL}`);
         const juliaDownloadPath = yield tc.downloadTool(downloadURL);
+        // Verify checksum
+        if (version != 'nightly') {
+            const checkSum = yield calculateChecksum(juliaDownloadPath);
+            if (fileInfo.sha256 != checkSum) {
+                throw new Error(`Checksum of downloaded file does not match the expected checksum from versions.json.\nExpected: ${fileInfo.sha256}\nGot: ${checkSum}`);
+            }
+            core.debug(`Checksum of downloaded file matches expected checksum: ${checkSum}`);
+        }
+        else {
+            core.debug('Skipping checksum check for nightly binaries.');
+        }
         const tempInstallDir = fs.mkdtempSync(`julia-${arch}-${version}-`);
         // Install it
         switch (osPlat) {