security: verify Hugo binary checksum after download (#162)

Add SHA-256 integrity check immediately after downloading the Hugo
tarball, preventing a compromised release artifact or MITM attack
from running arbitrary code with access to the deploy SSH key.
Thomas SharedInbox
2026-05-23 17:06:45 +02:00
parent 6e22683f5b
commit c116742ac5
+1
@@ -312,6 +312,7 @@ func (m *Ci) Hugo() *dagger.Container {
From("alpine:3.21").
WithExec([]string{"apk", "--no-cache", "add", "curl", "tar", "libc6-compat", "libstdc++", "gcompat"}).
WithExec([]string{"curl", "-sL", "https://github.com/gohugoio/hugo/releases/download/v0.152.2/hugo_extended_0.152.2_linux-amd64.tar.gz", "-o", "/tmp/hugo.tar.gz"}).
WithExec([]string{"sh", "-c", "echo '416bcfbdf5f68469ec9644dbe507da50fc21b94b69a125b059d64ed2cb4d8c27 /tmp/hugo.tar.gz' | sha256sum -c -"}).
WithExec([]string{"tar", "-xzf", "/tmp/hugo.tar.gz", "-C", "/usr/local/bin", "hugo"}).
WithExec([]string{"rm", "/tmp/hugo.tar.gz"})
}
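Review bot: The pinned digest on the `sha256sum -c` line carries no note of where it came from, so whoever next bumps Hugo cannot tell how to verify or regenerate it; add a comment above it such as `// SHA-256 of hugo_extended_0.152.2_linux-amd64.tar.gz, taken from hugo_0.152.2_checksums.txt on the GitHub release — update together with the version.`. The version lives in the URL on one line and the digest on the next with nothing tying them together, which is how a version bump ends up with a stale hash and a broken pipeline; lifting both into package-level constants and deriving the URL and checksum line from them keeps the pair adjacent (the sketch below assumes `fmt` is already imported, which the hunk does not show). The `curl` call would also be tighter as `-fsSL --proto =https`, so an HTTP error page is never written to the tarball path and `-L` cannot follow a redirect down to plain HTTP, although the new checksum step already fails closed in both cases. Hugo()'s body begins before and continues after this hunk.
```go
const (
	hugoVersion = "0.152.2"
	// SHA-256 of hugo_extended_<ver>_linux-amd64.tar.gz from the release's
	// hugo_<ver>_checksums.txt — update together with hugoVersion.
	hugoSHA256 = "416bcfbdf5f68469ec9644dbe507da50fc21b94b69a125b059d64ed2cb4d8c27"
)

// … unchanged: Hugo() through the apk add step …
	WithExec([]string{"curl", "-fsSL", "--proto", "=https",
		fmt.Sprintf("https://github.com/gohugoio/hugo/releases/download/v%s/hugo_extended_%s_linux-amd64.tar.gz", hugoVersion, hugoVersion),
		"-o", "/tmp/hugo.tar.gz"}).
	WithExec([]string{"sh", "-c", fmt.Sprintf("echo '%s  /tmp/hugo.tar.gz' | sha256sum -c -", hugoSHA256)}).
// … unchanged: tar extraction and cleanup …
```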