diff --git a/build_trond.sh b/build_trond.sh index 6f8fae8e..183e3405 100755 --- a/build_trond.sh +++ b/build_trond.sh @@ -6,15 +6,30 @@ ARCH=$(uname -m) # Set Go version to 1.23.6 GO_VERSION="1.23.6" +GO_SHA256="" + +calculate_sha256() { + local file="$1" + if command -v sha256sum &> /dev/null; then + sha256sum "$file" | awk '{print $1}' + elif command -v shasum &> /dev/null; then + shasum -a 256 "$file" | awk '{print $1}' + else + echo "No SHA-256 checksum tool found (sha256sum or shasum)." + exit 1 + fi +} # Determine download URL and archive filename based on OS and ARCH if [[ "$OS" == "Linux" ]]; then if [[ "$ARCH" == "x86_64" ]]; then GO_ARCHIVE="go$GO_VERSION.linux-amd64.tar.gz" GO_URL="https://go.dev/dl/$GO_ARCHIVE" + GO_SHA256="9379441ea310de000f33a4dc767bd966e72ab2826270e038e78b2c53c2e7802d" elif [[ "$ARCH" == "arm64" || "$ARCH" == "aarch64" ]]; then GO_ARCHIVE="go$GO_VERSION.linux-arm64.tar.gz" GO_URL="https://go.dev/dl/$GO_ARCHIVE" + GO_SHA256="561c780e8f4a8955d32bf72e46af0b5ee5e0debe1e4633df9a03781878219202" else echo "Unsupported architecture: $ARCH" exit 1 @@ -23,9 +38,11 @@ elif [[ "$OS" == "Darwin" ]]; then if [[ "$ARCH" == "x86_64" ]]; then GO_ARCHIVE="go$GO_VERSION.darwin-amd64.tar.gz" GO_URL="https://go.dev/dl/$GO_ARCHIVE" + GO_SHA256="782da50ce8ec5e98fac2cd3cdc6a1d7130d093294fc310038f651444232a3fb0" elif [[ "$ARCH" == "arm64" ]]; then GO_ARCHIVE="go$GO_VERSION.darwin-arm64.tar.gz" GO_URL="https://go.dev/dl/$GO_ARCHIVE" + GO_SHA256="5cae2450a1708aeb0333237a155640d5562abaf195defebc4306054565536221" else echo "Unsupported architecture: $ARCH" exit 1 
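Review bot: In `calculate_sha256`, the "No SHA-256 checksum tool found" message is written to stdout, and the function is called inside `$(...)` in the later verification hunk, so on a host with neither `sha256sum` nor `shasum` the message text is captured as the digest and `exit 1` only leaves the subshell. The caller then reports a checksum mismatch and deletes an archive that may be intact; this still fails closed but hides the real cause. Writing the message to stderr, `echo "No SHA-256 checksum tool found (sha256sum or shasum)." >&2`, and having the caller test the substitution's exit status would report the right error. The four pinned `GO_SHA256` values (two here, two in the Darwin hunk) would also benefit from a one-line comment naming the source they were copied from, so a later `GO_VERSION` bump updates them from the same place.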
@@ -106,8 +123,20 @@ if [[ "$SYSTEM_GO" == false ]]; then echo "go/$GO_ARCHIVE already exists. Skipping download." else echo "Downloading Go from $GO_URL..." - curl -Lo "go/$GO_ARCHIVE" "$GO_URL" + curl -fL -o "go/$GO_ARCHIVE" "$GO_URL" + fi + + # Verify the downloaded archive checksum + echo "Verifying SHA-256 for go/$GO_ARCHIVE..." + ACTUAL_SHA256="$(calculate_sha256 "go/$GO_ARCHIVE")" + if [[ "$ACTUAL_SHA256" != "$GO_SHA256" ]]; then + echo "SHA-256 mismatch for go/$GO_ARCHIVE" + echo "Expected: $GO_SHA256" + echo "Actual: $ACTUAL_SHA256" + rm -f "go/$GO_ARCHIVE" + exit 1 fi + echo "SHA-256 verification passed." # Extract Golang to the go directory if [[ -d "go/bin" ]]; then diff --git a/download_trond.sh b/download_trond.sh deleted file mode 100755 index e5f15058..00000000 --- a/download_trond.sh +++ /dev/null 
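Review bot: The comparison `[[ "$ACTUAL_SHA256" != "$GO_SHA256" ]]` passes when both sides are empty: `GO_SHA256` starts as `""`, and a failed hash pipeline makes `calculate_sha256` print nothing. Every platform branch visible in this diff sets a digest, so this is not reachable today, but a branch added later without one would turn the check into a no-op whenever hashing fails. I would make the guard explicit with `ACTUAL_SHA256="$(calculate_sha256 "go/$GO_ARCHIVE")" || exit 1` and `if [[ -z "$GO_SHA256" || "$ACTUAL_SHA256" != "$GO_SHA256" ]]; then`. The enclosing `if [[ "$SYSTEM_GO" == false ]]` block starts and ends outside this hunk.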
@@ -1,56 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-# Configuration
-REPO_OWNER="tronprotocol"
-REPO_NAME="tron-docker"
-RELEASE_TAG="v0.1.1"
-CHECKSUM_FILE="checksums.txt"
-RACKAGE_PREFIX="trond"
-
-# Determine the OS and architecture, then set the ASSET_NAME
-OS=$(uname -s)
-ARCH=$(uname -m)
-case "$OS" in
- Linux*)
- case "$ARCH" in
- x86_64) ASSET_NAME="${RACKAGE_PREFIX}_${RELEASE_TAG}_Linux_x86_64.tar.gz";;
- arm64) ASSET_NAME="${RACKAGE_PREFIX}_${RELEASE_TAG}_Linux_arm64.tar.gz";;
- *) echo "Unsupported architecture: $ARCH"; exit 1;;
- esac
- ;;
- Darwin*)
- case "$ARCH" in
- x86_64) ASSET_NAME="${RACKAGE_PREFIX}_${RELEASE_TAG}_Darwin_x86_64.tar.gz";;
- arm64) ASSET_NAME="${RACKAGE_PREFIX}_${RELEASE_TAG}_Darwin_arm64.tar.gz";;
- *) echo "Unsupported architecture: $ARCH"; exit 1;;
- esac
- ;;
- *) echo "Unsupported OS: $OS"; exit 1;;
-esac
-
-# Download URLs
-DOWNLOAD_URL="https://github.com/${REPO_OWNER}/${REPO_NAME}/releases/download/${RELEASE_TAG}/${ASSET_NAME}"
-CHECKSUM_URL="https://github.com/${REPO_OWNER}/${REPO_NAME}/releases/download/${RELEASE_TAG}/${CHECKSUM_FILE}"
-
-# Download files
-echo "Downloading ${ASSET_NAME}..."
-echo ${DOWNLOAD_URL}
-curl -L -O "${DOWNLOAD_URL}" --fail --progress-bar
-
-echo "Downloading checksum file..."
-echo ${DOWNLOAD_URL}
-curl -L -O "${CHECKSUM_URL}" --fail --progress-bar
-
-# Verify checksum
-echo "Verifying checksum..."
-if ! sha256sum --check --ignore-missing "${CHECKSUM_FILE}"; then
- echo "Checksum validation failed!"
- exit 1
-fi
-
-echo "✅ Success! ${ASSET_NAME} is valid."
-
-tar -xvzf ${ASSET_NAME}
-
-echo "Download completed successfully."
diff --git a/tools/docker/Dockerfile b/tools/docker/Dockerfile
index 9cc5f947..8fde6122 100644
--- a/tools/docker/Dockerfile
+++ b/tools/docker/Dockerfile
@@ -5,14 +5,14 @@ ENV NO_PROXY_CACHE="-o Acquire::BrokenProxy=true -o Acquire::http::No-Cache=true ENV TMP_DIR="/tron-build" ENV JDK_TAR="jdk-8u202-linux-x64.tar.gz" ENV JDK_DIR="jdk1.8.0_202" -ENV JDK_MD5="0029351f7a946f6c05b582100c7d45b7" +ENV JDK_SHA256="9a5c32411a6a06e22b69c495b7975034409fa1652d03aeb8eb5b6f59fd4594e0" ENV BASE_DIR="/java-tron" # Update and install dependencies without using any cache RUN apt-get update $NO_PROXY_CACHE && \ apt-get --quiet --yes install git wget 7zip curl jq libtcmalloc-minimal4 && \ wget -P /usr/local https://github.com/frekele/oracle-java/releases/download/8u202-b08/$JDK_TAR \ - && echo "$JDK_MD5 /usr/local/$JDK_TAR" | md5sum -c \ + && echo "$JDK_SHA256 /usr/local/$JDK_TAR" | sha256sum -c \ && tar -zxf /usr/local/$JDK_TAR -C /usr/local\ && rm /usr/local/$JDK_TAR \ && export JAVA_HOME=/usr/local/$JDK_DIR \ @@ -32,8 +32,7 @@ RUN apt-get update $NO_PROXY_CACHE && \ && rm -rf ~/.gradle \ && mv /usr/local/$JDK_DIR/jre /usr/local \ && rm -rf /usr/local/$JDK_DIR \ - && wget -P $BASE_DIR/config https://raw.githubusercontent.com/tronprotocol/tron-deployment/master/main_net_config.conf \ - && mv $BASE_DIR/config/main_net_config.conf $BASE_DIR/config.conf \ + && wget -O $BASE_DIR/config.conf https://raw.githubusercontent.com/tronprotocol/tron-deployment/master/main_net_config.conf \ # Clean apt cache && apt-get clean \ && rm -rf /var/cache/apt/archives/* /var/cache/apt/archives/partial/* \ diff --git a/tools/docker/Dockerfile.arm64 b/tools/docker/Dockerfile.arm64 index 5ae9aee4..280af0d6 100644 --- a/tools/docker/Dockerfile.arm64 +++ b/tools/docker/Dockerfile.arm64 
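Review bot: `JDK_SHA256` is pinned with no record of where the digest came from, and the archive is fetched from a third-party release mirror (`frekele/oracle-java`), so the check only proves the file matches whatever was hashed when the constant was written. A comment above the `ENV` line, for example `# SHA-256 of jdk-8u202-linux-x64.tar.gz, verified against DIGEST_SOURCE_PLACEHOLDER on DATE_PLACEHOLDER`, would let the next reviewer re-verify it independently. The identical change in `tools/docker/Dockerfile.nile` needs the same comment.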
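Review bot: The rewritten `wget -O $BASE_DIR/config.conf` line still fetches `main_net_config.conf` from the mutable `master` branch with no integrity check, in the same `RUN` chain where this commit starts verifying the JDK with SHA-256. Anyone able to push to that branch changes the node configuration baked into every later image build, and builds are not reproducible. Pinning the URL to a commit, `https://raw.githubusercontent.com/tronprotocol/tron-deployment/COMMIT_SHA_PLACEHOLDER/main_net_config.conf`, and checking the file with `sha256sum -c` as is done for `$JDK_TAR` would close the gap; `"$BASE_DIR/config.conf"` should also be quoted. The same line appears in `Dockerfile.arm64`, `Dockerfile.nile` and `Dockerfile.nile.arm64` (the latter two with `test_net_config.conf`). The `RUN` instruction begins and ends outside this hunk.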
@@ -20,8 +20,7 @@ RUN apt-get update $NO_PROXY_CACHE \ && mv java-tron-1.0.0 $BASE_DIR \ && rm -rf $TMP_DIR \ && rm -rf ~/.gradle \ - && wget -4 -P $BASE_DIR/config https://raw.githubusercontent.com/tronprotocol/tron-deployment/master/main_net_config.conf \ - && mv $BASE_DIR/config/main_net_config.conf $BASE_DIR/config.conf \ + && wget -4 -O $BASE_DIR/config.conf https://raw.githubusercontent.com/tronprotocol/tron-deployment/master/main_net_config.conf \ # Clean apt cache && apt-get clean \ && rm -rf /var/cache/apt/archives/* /var/cache/apt/archives/partial/* \ diff --git a/tools/docker/Dockerfile.nile b/tools/docker/Dockerfile.nile index d3512283..fe3383aa 100644 --- a/tools/docker/Dockerfile.nile +++ b/tools/docker/Dockerfile.nile @@ -5,14 +5,14 @@ ENV NO_PROXY_CACHE="-o Acquire::BrokenProxy=true -o Acquire::http::No-Cache=true ENV TMP_DIR="/tron-build" ENV JDK_TAR="jdk-8u202-linux-x64.tar.gz" ENV JDK_DIR="jdk1.8.0_202" -ENV JDK_MD5="0029351f7a946f6c05b582100c7d45b7" +ENV JDK_SHA256="9a5c32411a6a06e22b69c495b7975034409fa1652d03aeb8eb5b6f59fd4594e0" ENV BASE_DIR="/java-tron" # Update and install dependencies without using any cache RUN apt-get update $NO_PROXY_CACHE && \ apt-get --quiet --yes install git wget 7zip curl jq libtcmalloc-minimal4 && \ wget -P /usr/local https://github.com/frekele/oracle-java/releases/download/8u202-b08/$JDK_TAR \ - && echo "$JDK_MD5 /usr/local/$JDK_TAR" | md5sum -c \ + && echo "$JDK_SHA256 /usr/local/$JDK_TAR" | sha256sum -c \ && tar -zxf /usr/local/$JDK_TAR -C /usr/local\ && rm /usr/local/$JDK_TAR \ && export JAVA_HOME=/usr/local/$JDK_DIR \ 
@@ -32,8 +32,7 @@ RUN apt-get update $NO_PROXY_CACHE && \ && rm -rf ~/.gradle \ && mv /usr/local/$JDK_DIR/jre /usr/local \ && rm -rf /usr/local/$JDK_DIR \ - && wget -P $BASE_DIR/config https://raw.githubusercontent.com/tronprotocol/tron-deployment/master/test_net_config.conf \ - && mv $BASE_DIR/config/test_net_config.conf $BASE_DIR/config.conf \ + && wget -O $BASE_DIR/config.conf https://raw.githubusercontent.com/tronprotocol/tron-deployment/master/test_net_config.conf \ # Clean apt cache && apt-get clean \ && rm -rf /var/cache/apt/archives/* /var/cache/apt/archives/partial/* \ diff --git a/tools/docker/Dockerfile.nile.arm64 b/tools/docker/Dockerfile.nile.arm64 index e807a97a..7940c4de 100644 --- a/tools/docker/Dockerfile.nile.arm64 +++ b/tools/docker/Dockerfile.nile.arm64 @@ -20,8 +20,7 @@ RUN apt-get update $NO_PROXY_CACHE \ && mv java-tron-1.0.0 $BASE_DIR \ && rm -rf $TMP_DIR \ && rm -rf ~/.gradle \ - && wget -4 -P $BASE_DIR/config https://raw.githubusercontent.com/tronprotocol/tron-deployment/master/test_net_config.conf \ - && mv $BASE_DIR/config/test_net_config.conf $BASE_DIR/config.conf \ + && wget -4 -O $BASE_DIR/config.conf https://raw.githubusercontent.com/tronprotocol/tron-deployment/master/test_net_config.conf \ # Clean apt cache && apt-get clean \ && rm -rf /var/cache/apt/archives/* /var/cache/apt/archives/partial/* \ diff --git a/tools/docker/README.md b/tools/docker/README.md index 16319b4d..1f129115 100644 --- a/tools/docker/README.md +++ b/tools/docker/README.md 
@@ -86,14 +86,14 @@ Building for default linux/amd64 platform #3 transferring context: 2B done #3 DONE 0.0s -#4 [1/5] FROM docker.io/library/ubuntu:24.04@sha256:80dd3c3b9c6cecb9f1667e9290b3bc61b78c2678c02cbdae5f0fea92cc6734ab +#4 [1/5] FROM docker.io/library/ubuntu:24.04 #4 DONE 0.0s #5 [internal] load build context #5 transferring context: 160B done #5 DONE 0.0s -#6 [2/5] RUN apt-get update -o Acquire::BrokenProxy=true -o Acquire::http::No-Cache=true -o Acquire::http::Pipeline-Depth=0 && apt-get --quiet --yes install git wget 7zip curl jq && wget -P /usr/local https://github.com/frekele/oracle-java/releases/download/8u202-b08/jdk-8u202-linux-x64.tar.gz && echo "0029351f7a946f6c05b582100c7d45b7 /usr/local/jdk-8u202-linux-x64.tar.gz" | md5sum -c && tar -zxf /usr/local/jdk-8u202-linux-x64.tar.gz -C /usr/local && rm /usr/local/jdk-8u202-linux-x64.tar.gz && export JAVA_HOME=/usr/local/jdk1.8.0_202 && export CLASSPATH=$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar && export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$JAVA_HOME/bin && echo "git clone" && mkdir -p /tron-build && cd /tron-build && git clone https://github.com/tronprotocol/java-tron.git && cd java-tron && git checkout master && ./gradlew build -x test && cd build/distributions && 7z x -y java-tron-1.0.0.zip && mv java-tron-1.0.0 /java-tron && rm -rf /tron-build && rm -rf ~/.gradle && mv /usr/local/jdk1.8.0_202/jre /usr/local && rm -rf /usr/local/jdk1.8.0_202 apt-get clean && rm -rf /var/cache/apt/archives/* /var/cache/apt/archives/partial/* && rm -rf /var/lib/apt/lists/* +#6 [2/5] RUN apt-get update -o Acquire::BrokenProxy=true -o Acquire::http::No-Cache=true -o Acquire::http::Pipeline-Depth=0 && apt-get --quiet --yes install git wget 7zip curl jq && wget -P /usr/local https://github.com/frekele/oracle-java/releases/download/8u202-b08/jdk-8u202-linux-x64.tar.gz && echo "9a5c32411a6a06e22b69c495b7975034409fa1652d03aeb8eb5b6f59fd4594e0 /usr/local/jdk-8u202-linux-x64.tar.gz" | sha256sum 
-c && tar -zxf /usr/local/jdk-8u202-linux-x64.tar.gz -C /usr/local && rm /usr/local/jdk-8u202-linux-x64.tar.gz && export JAVA_HOME=/usr/local/jdk1.8.0_202 && export CLASSPATH=$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar && export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$JAVA_HOME/bin && echo "git clone" && mkdir -p /tron-build && cd /tron-build && git clone https://github.com/tronprotocol/java-tron.git && cd java-tron && git checkout master && ./gradlew build -x test && cd build/distributions && 7z x -y java-tron-1.0.0.zip && mv java-tron-1.0.0 /java-tron && rm -rf /tron-build && rm -rf ~/.gradle && mv /usr/local/jdk1.8.0_202/jre /usr/local && rm -rf /usr/local/jdk1.8.0_202 apt-get clean && rm -rf /var/cache/apt/archives/* /var/cache/apt/archives/partial/* && rm -rf /var/lib/apt/lists/* #6 CACHED #7 [3/5] RUN wget -P /java-tron/config https://raw.githubusercontent.com/tronprotocol/tron-deployment/master/main_net_config.conf diff --git a/tools/docker/docker_env/check-install-docker.sh b/tools/docker/docker_env/check-install-docker.sh index 9352aa3f..376f3fda 100755 --- a/tools/docker/docker_env/check-install-docker.sh +++ b/tools/docker/docker_env/check-install-docker.sh 
@@ -31,8 +31,42 @@ check_docker_compose() { exit 1 elif [[ "$OSTYPE" == "linux-gnu"* ]]; then # Linux - sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose - sudo chmod +x /usr/local/bin/docker-compose + compose_os="$(uname -s | tr '[:upper:]' '[:lower:]')" + compose_arch="$(uname -m)" + compose_binary="docker-compose-${compose_os}-${compose_arch}" + compose_version="$(curl -fsSLI https://github.com/docker/compose/releases/latest \ + | awk -F'/' '/^location:/ {gsub(/\r/,"",$NF); print $NF}')" + + if [[ -z "$compose_version" ]]; then + echo "Failed to determine latest Docker Compose version" + exit 1 + fi + + tmp_dir="$(mktemp -d)" + compose_url="https://github.com/docker/compose/releases/download/${compose_version}/${compose_binary}" + checksums_url="https://github.com/docker/compose/releases/download/${compose_version}/checksums.txt" + + if ! curl -fsSL "$compose_url" -o "${tmp_dir}/${compose_binary}"; then + rm -rf "$tmp_dir" + echo "Failed to download Docker Compose binary: ${compose_url}" + exit 1 + fi + + if ! curl -fsSL "$checksums_url" -o "${tmp_dir}/checksums.txt"; then + rm -rf "$tmp_dir" + echo "Failed to download Docker Compose checksums: ${checksums_url}" + exit 1 + fi + + if ! grep -E "[[:space:]]\\*${compose_binary}$" "${tmp_dir}/checksums.txt" \ + | (cd "$tmp_dir" && sha256sum -c -); then + rm -rf "$tmp_dir" + echo "Docker Compose checksum verification failed" + exit 1 + fi + + sudo install -m 0755 "${tmp_dir}/${compose_binary}" /usr/local/bin/docker-compose + rm -rf "$tmp_dir" fi fi } diff --git a/tools/trond/cmd/docker/build.go b/tools/trond/cmd/docker/build.go index 3605e877..92cc2e73 100644 --- a/tools/trond/cmd/docker/build.go +++ b/tools/trond/cmd/docker/build.go 
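Review bot: The added verification takes `checksums.txt` from the same release URL as the binary, and the tag itself is read at run time from the `releases/latest` redirect, so `sha256sum -c` catches a truncated or corrupted download but not a replaced release asset, and the result is then installed with `sudo install -m 0755` into `/usr/local/bin`. Pinning both values in the script, the way `build_trond.sh` pins Go in this commit, makes the check independent of what the server returns: `compose_version="PINNED_TAG_PLACEHOLDER"` plus a `compose_sha256="PINNED_DIGEST_PLACEHOLDER"` compared against the computed hash. Separately, the `awk '/^location:/'` match is case-sensitive and `curl -L -I` prints the headers of every hop, so `compose_version` may come back empty or multi-line depending on the response. A single `trap 'rm -rf "$tmp_dir"' EXIT` after `mktemp -d` would replace the four repeated cleanups. `check_docker_compose` starts outside this hunk.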
@@ -2,11 +2,9 @@ package docker import ( "fmt" - "strings" "github.com/MakeNowJust/heredoc/v2" "github.com/spf13/cobra" - "github.com/tronprotocol/tron-docker/utils" ) // buildCmd represents the snapshot source command @@ -59,15 +57,7 @@ var buildCmd = &cobra.Command{ fmt.Println("The default result will be: tronprotocol/java-tron:latest") fmt.Println("Start building...") - cmd1 := fmt.Sprintf("./gradlew --no-daemon sourceDocker -PdockerOrgName=%s -PdockerArtifactName=%s -Prelease.releaseVersion=%s", org, artifact, version) - if len(network) > 0 { - cmd1 = fmt.Sprintf("./gradlew --no-daemon sourceDocker -PdockerOrgName=%s -PdockerArtifactName=%s -Prelease.releaseVersion=%s -Pnetwork=%s", org, artifact, version, network) - } - if len(platform) > 0 { - cmd1 = fmt.Sprintf("%s -Pplatform=%s", cmd1, platform) - } - cmds := []string{cmd1} - if err := utils.RunMultipleCommands(strings.Join(cmds, " && "), "./tools/gradlew"); err != nil { + if err := runGradleDockerTask("sourceDocker", org, artifact, version, network, platform); err != nil { fmt.Println("Error: ", err) return } diff --git a/tools/trond/cmd/docker/gradle.go b/tools/trond/cmd/docker/gradle.go new file mode 100644 index 00000000..5c21dba0 --- /dev/null +++ b/tools/trond/cmd/docker/gradle.go 
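Review bot: When `runGradleDockerTask` returns an error, which now includes the new validation failures for `org`, `artifact`, `version`, `network` and `platform`, the handler only prints it and returns, so the process presumably still exits with status 0. A CI job calling this command then cannot tell a rejected flag or a failed Gradle run from a successful build. Returning the error through cobra's `RunE`, or calling `os.Exit(1)` after `fmt.Println("Error: ", err)`, would surface it. The `testDocker` call site in `tools/trond/cmd/docker/test.go` has the same pattern. The enclosing command handler starts outside this hunk.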
@@ -0,0 +1,63 @@
+package docker
+
+import (
+ "fmt"
+ "os"
+ "os/exec"
+ "regexp"
+)
+
+var (
+ dockerNamePattern = regexp.MustCompile(`^[a-z0-9]+(?:[._-][a-z0-9]+)*$`)
+ versionTagPattern = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$`)
+)
+
+func validateDockerGradleFlags(org, artifact, version, network, platform string) error {
+ if !dockerNamePattern.MatchString(org) {
+ return fmt.Errorf("invalid org %q: only lowercase letters, digits, '.', '_' and '-' are allowed", org)
+ }
+ if !dockerNamePattern.MatchString(artifact) {
+ return fmt.Errorf("invalid artifact %q: only lowercase letters, digits, '.', '_' and '-' are allowed", artifact)
+ }
+ if !versionTagPattern.MatchString(version) {
+ return fmt.Errorf("invalid version %q: must match Docker tag format", version)
+ }
+ if network != "mainnet" && network != "nile" && network != "" {
+ return fmt.Errorf("invalid network %q: allowed values are mainnet or nile", network)
+ }
+ if platform != "linux/amd64" && platform != "linux/arm64" && platform != "" {
+ return fmt.Errorf("invalid platform %q: allowed values are linux/amd64 or linux/arm64", platform)
+ }
+ return nil
+}
+
+func runGradleDockerTask(task, org, artifact, version, network, platform string) error {
+ if err := validateDockerGradleFlags(org, artifact, version, network, platform); err != nil {
+ return err
+ }
+
+ args := []string{
+ "--no-daemon",
+ task,
+ fmt.Sprintf("-PdockerOrgName=%s", org),
+ fmt.Sprintf("-PdockerArtifactName=%s", artifact),
+ fmt.Sprintf("-Prelease.releaseVersion=%s", version),
+ }
+
+ if network != "" {
+ args = append(args, fmt.Sprintf("-Pnetwork=%s", network))
+ }
+ if platform != "" {
+ args = append(args, fmt.Sprintf("-Pplatform=%s", platform))
+ }
+
+ cmd := exec.Command("./gradlew", args...)
+ cmd.Dir = "./tools/gradlew"
+ cmd.Stdout = os.Stdout
+ cmd.Stderr = os.Stderr
+
+ if err := cmd.Run(); err != nil {
+ return fmt.Errorf("gradle task %s failed: %w", task, err)
+ }
+ return nil
+}
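Review bot: Neither `validateDockerGradleFlags` nor `runGradleDockerTask` has a doc comment, and the contract they enforce is the security-relevant part of this file. I would add `// validateDockerGradleFlags allowlists every user-supplied flag before it is passed to Gradle as a -P property.` and, above the runner, `// runGradleDockerTask runs ./gradlew directly (no shell); ./tools/gradlew is resolved against the current working directory, so trond must be started from the repository root.` The second comment matters because both `exec.Command("./gradlew", args...)` and `cmd.Dir` are relative paths, so which wrapper script executes depends on where the binary is invoked. It is also worth documenting why `org` and `artifact` have no length bound while `version` is capped at 128 characters, or adding a bound.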
diff --git a/tools/trond/cmd/docker/test.go b/tools/trond/cmd/docker/test.go index 3d4efd88..56b1b1e5 100644 --- a/tools/trond/cmd/docker/test.go +++ b/tools/trond/cmd/docker/test.go @@ -2,11 +2,9 @@ package docker import ( "fmt" - "strings" "github.com/MakeNowJust/heredoc/v2" "github.com/spf13/cobra" - "github.com/tronprotocol/tron-docker/utils" ) // testCmd represents the snapshot source command @@ -54,15 +52,7 @@ var testCmd = &cobra.Command{ fmt.Println("The default result will be: tronprotocol/java-tron:latest") fmt.Println("Start testing...") - cmd1 := fmt.Sprintf("./gradlew --no-daemon testDocker -PdockerOrgName=%s -PdockerArtifactName=%s -Prelease.releaseVersion=%s", org, artifact, version) - if len(network) > 0 { - cmd1 = fmt.Sprintf("./gradlew --no-daemon testDocker -PdockerOrgName=%s -PdockerArtifactName=%s -Prelease.releaseVersion=%s -Pnetwork=%s", org, artifact, version, network) - } - if len(platform) > 0 { - cmd1 = fmt.Sprintf("%s -Pplatform=%s", cmd1, platform) - } - cmds := []string{cmd1} - if err := utils.RunMultipleCommands(strings.Join(cmds, " && "), "./tools/gradlew"); err != nil { + if err := runGradleDockerTask("testDocker", org, artifact, version, network, platform); err != nil { fmt.Println("Error: ", err) } },