fix: fail fast and validate SHA-512 checksum on phar download#41
Merged
Conversation
Fixes #3316
Previously, the install script used wget without --fail, meaning
HTTP errors (4xx/5xx) would write an error page to disk as the
phar binary, mark it executable, and exit 0 — silently leaving
behind a broken EasyEngine installation with no error reported.
This was exacerbated by GitHub outages and is a potential supply
chain risk (no integrity check on the downloaded binary).
Changes:
- functions: Rewrite download_and_install_easyengine()
- Use wget --fail so HTTP errors cause a non-zero exit
- Download phar to a mktemp file, not directly to EE4_BINARY
- Download the corresponding easyengine.phar.sha512 checksum
from the same builds repo
- Validate SHA-512 checksum; abort with a clear error on mismatch
- Only mv + chmod +x on success; temp files cleaned up on failure
- Guard against empty file (second layer of defence)
- setup.sh: Harden bootstrap() and add set -euo pipefail
- Add set -euo pipefail so any unhandled error kills the script
- Replace curl -so (silent, ignores HTTP errors) with
curl --fail --silent --show-error so network failures are caught
- Guard against an empty helper-functions file after download
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens the EasyEngine installer by making network downloads fail fast and by adding integrity verification for the downloaded easyengine.phar, preventing silent installs of error pages or tampered binaries.
Changes:
- Enable stricter shell error handling in
setup.shand improve bootstrap download robustness (HTTP-fail + empty-file guard). - Rework
download_and_install_easyengine()to download to temp files, validate a SHA-512 checksum, and only install on success. - Add cleanup and clearer failure messaging around download/verification steps.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
setup.sh |
Enables strict mode and makes bootstrap download fail loudly on HTTP errors/empty content. |
functions |
Downloads phar + checksum to temp files, validates SHA-512, and installs only after successful verification. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
wget's --fail flag is not available in all versions (e.g. wget 1.21.2 on Ubuntu 22.04 does not support it). curl's --fail flag is universally supported and already required by the bootstrap() function. Switch both the phar and checksum downloads in download_and_install_easyengine() to use: curl --fail --location --silent --show-error --output <file> <url> - --fail: exits non-zero on HTTP 4xx/5xx errors - --location: follows redirects - --silent --show-error: suppresses progress but still shows errors Tested in ubuntu:22.04 container — all 6 scenarios pass: - Happy path: real download + SHA-512 checksum validation - Checksum mismatch: aborts, binary not created - Empty phar: rejected before checksum step - Phar download failure: propagated correctly - Checksum file download failure: propagated correctly - Temp file cleanup: no files left behind on failure
- setup.sh: define TMP_WORK_DIR with mktemp -d and register a trap
EXIT to clean it up; this avoids 'unbound variable' errors from
set -u and ensures the temp directory is always removed.
- setup.sh: move lsb_release detection inside do_install() (after log
setup) with '|| true' so a missing lsb_release doesn't abort the
script before any dependencies are installed.
- setup.sh: remove 'rm /helper-functions' (stale hardcoded path);
the helper-functions file is now inside TMP_WORK_DIR and cleaned
up by the trap EXIT automatically.
- functions: add 'trap _ee_download_cleanup RETURN' immediately after
defining the cleanup helper so it runs unconditionally on any exit
from the function (normal return, set -e error, or explicit exit).
Remove the now-redundant explicit _ee_download_cleanup calls on
individual error and success paths.
- functions: replace 'tr -d [:space:]' for expected_hash with
awk '{print }' so checksum parsing works with both a plain
hex-only hash file and the standard sha512sum output format
('<hash> <filename>').
- functions: add an empty/invalid checksum file guard before
comparison to give a clearer error message.
trap RETURN does not fire when a function calls exit 1 (only on a normal return or when set -e causes an implicit return). Since ee_log_fail calls exit 1, the RETURN trap was not running on any of the explicit error paths, leaving temp files behind. Restore _ee_download_cleanup() calls explicitly before every ee_log_fail invocation in download_and_install_easyengine(): - phar download failure - empty phar guard - checksum download failure - empty checksum file guard (new) - checksum mismatch Keep 'trap RETURN' as a belt-and-suspenders catch for any unexpected early exits triggered by set -e (e.g. mktemp, mv, or sha512sum failing). Update function comment to explain why both mechanisms are needed. Verified in ubuntu:22.04 container — all 7 tests pass: 1. Happy path: real download + SHA-512 validation 2. Checksum mismatch: aborts, binary not created 3. Empty phar: rejected before checksum step 4. Phar download failure: propagated correctly 5. Checksum download failure: propagated correctly 6. Empty checksum file: rejected with clear error (new guard) 7. Temp file cleanup: no files left behind on failure
set -euo pipefail (added in the parent commit) makes bash treat any
reference to an unset variable as a fatal error. The functions file
checks $EE_QUIET_OUTPUT in eight _quiet logging helpers via
[[ -z "$EE_QUIET_OUTPUT" ]]. If those helpers are called while
set -u is active and EE_QUIET_OUTPUT has never been set, the script
aborts with "unbound variable".
Fix: export EE_QUIET_OUTPUT="${EE_QUIET_OUTPUT:-}" in setup.sh
before functions is sourced. This preserves any value already set by
the caller (e.g. --quiet flag) while guaranteeing the variable is
always defined.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The install script was using
wgetwithout--fail, meaning HTTP errors (4xx/5xx, e.g. during a GitHub outage) would write an error HTML page to disk as theeasyengine.pharbinary, mark it executable, and exit0— silently leaving behind a broken EasyEngine installation with no error reported to the user.There was also no integrity check on the downloaded binary, making this a potential supply chain risk.
Changes
functionsdownload_and_install_easyengine():wget --failso HTTP errors cause a non-zero exitmktemptemp file (not directly to$EE4_BINARY)easyengine.phar.sha512checksum from the same builds repomv+chmod +xon success; temp files always cleaned upsetup.shset -euo pipefailso any unhandled error kills the scriptcurl -so(silent, ignores HTTP errors) withcurl --fail --silent --show-errorinbootstrap()helper-functionsfileTesting
bash -nsyntax check passes on both files.sha512checksum files exist at the expected URL:https://raw.githubusercontent.com/EasyEngine/easyengine-builds/master/phar/easyengine.phar.sha512