-
Notifications
You must be signed in to change notification settings - Fork 3
Expand file tree
/
Copy pathfoundryup-init.sh
More file actions
executable file
·399 lines (339 loc) · 10.6 KB
/
foundryup-init.sh
File metadata and controls
executable file
·399 lines (339 loc) · 10.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
#!/bin/sh
# shellcheck shell=dash
# shellcheck disable=SC2039 # local is non-POSIX
# This script downloads and installs foundryup, the Foundry toolchain manager.
# It detects the platform, downloads the appropriate binary, and runs it.
# It runs on Unix shells like {a,ba,da,k,z}sh. It uses the common `local`
# extension. Note: Most shells limit `local` to 1 var per line, contra bash.
# Some versions of ksh have no `local` keyword. Alias it to `typeset`, but
# beware this makes variables global with f()-style function syntax in ksh93.
has_local() {
# shellcheck disable=SC2034 # deliberately unused
local _has_local
}
has_local 2>/dev/null || alias local=typeset
set -eu
FOUNDRYUP_REPO="foundry-rs/foundryup"
BASE_DIR="${XDG_CONFIG_HOME:-$HOME}"
FOUNDRY_DIR="${FOUNDRY_DIR:-$BASE_DIR/.foundry}"
FOUNDRYUP_BIN_DIR="$FOUNDRY_DIR/bin"
FOUNDRYUP_IGNORE_VERIFICATION="${FOUNDRYUP_IGNORE_VERIFICATION:-false}"
usage() {
cat <<EOF
foundryup-init 2.0.0
The installer for foundryup
Usage: foundryup-init.sh [OPTIONS]
Options:
-v, --verbose Enable verbose output
-q, --quiet Disable progress output
-y, --yes Skip confirmation prompt
-f, --force Skip attestation verification (INSECURE)
-h, --help Print help
-V, --version Print version
All other options are passed to foundryup after installation.
Environment variables:
FOUNDRYUP_VERSION Install a specific version of foundryup
FOUNDRYUP_IGNORE_VERIFICATION Skip attestation verification if set to "true"
EOF
}
main() {
downloader --check
need_cmd uname
need_cmd mktemp
need_cmd chmod
need_cmd mkdir
need_cmd rm
need_cmd rmdir
get_architecture || return 1
local _arch="$RETVAL"
assert_nz "$_arch" "arch"
local _passthrough_args=""
local _need_tty=yes
local _verbose=no
local _quiet=no
for arg in "$@"; do
case "$arg" in
-h|--help)
usage
exit 0
;;
-V|--version)
echo "foundryup-init 2.0.0"
exit 0
;;
-v|--verbose)
_verbose=yes
_passthrough_args="$_passthrough_args $arg"
;;
-q|--quiet)
_quiet=yes
_passthrough_args="$_passthrough_args $arg"
;;
-f|--force)
FOUNDRYUP_IGNORE_VERIFICATION=true
;;
-y|--yes)
_need_tty=no
_passthrough_args="$_passthrough_args $arg"
;;
*)
_passthrough_args="$_passthrough_args $arg"
;;
esac
done
local _url
local _attestation_url
local _base_url
local _ext
_ext=$(get_ext "$_arch")
if [ "${FOUNDRYUP_VERSION+set}" = 'set' ]; then
say "installing foundryup version $FOUNDRYUP_VERSION"
_base_url="https://github.com/${FOUNDRYUP_REPO}/releases/download/v${FOUNDRYUP_VERSION}"
_url="${_base_url}/foundryup_${_arch}${_ext}"
_attestation_url="${_base_url}/foundryup_${_arch}.attestation.txt"
else
say "installing latest foundryup"
_base_url="https://github.com/${FOUNDRYUP_REPO}/releases/latest/download"
_url="${_base_url}/foundryup_${_arch}${_ext}"
_attestation_url="${_base_url}/foundryup_${_arch}.attestation.txt"
fi
if [ "$_verbose" = "yes" ]; then
say "url: $_url"
say "arch: $_arch"
fi
local _dir
if ! _dir="$(ensure mktemp -d)"; then
exit 1
fi
local _file="${_dir}/foundryup"
local _attestation_file="${_dir}/attestation.txt"
local _expected_hash=""
# Download attestation and extract expected hash (unless skipping verification)
if [ "$FOUNDRYUP_IGNORE_VERIFICATION" = "true" ]; then
say "skipping attestation verification (--force or FOUNDRYUP_IGNORE_VERIFICATION set)"
else
say "downloading attestation..."
# Use curl/wget directly to avoid the downloader's exit-on-404 behavior
if try_download "$_attestation_url" "$_attestation_file"; then
local _attestation_artifact_link
_attestation_artifact_link="$(head -n1 "$_attestation_file" | tr -d '\r')"
if [ -n "$_attestation_artifact_link" ] && ! grep -q 'Not Found' "$_attestation_file"; then
say "verifying attestation..."
local _sigstore_file="${_dir}/attestation.sigstore.json"
if try_download "${_attestation_artifact_link}/download" "$_sigstore_file"; then
# Extract the payload from the sigstore JSON and decode it
local _payload_b64
local _payload_json
_payload_b64=$(awk '/"payload":/ {gsub(/[",]/, "", $2); print $2; exit}' "$_sigstore_file")
_payload_json=$(printf '%s' "$_payload_b64" | base64 -d 2>/dev/null || printf '%s' "$_payload_b64" | base64 -D 2>/dev/null || true)
if [ -n "$_payload_json" ]; then
# Extract SHA256 hash from the payload
_expected_hash=$(printf '%s' "$_payload_json" | grep -oE '"sha256"[[:space:]]*:[[:space:]]*"[a-fA-F0-9]{64}"' | head -1 | grep -oE '[a-fA-F0-9]{64}')
fi
rm -f "$_sigstore_file"
fi
fi
rm -f "$_attestation_file"
fi
if [ -z "$_expected_hash" ]; then
warn "no attestation found for this release, skipping verification"
fi
fi
say "downloading foundryup..."
ensure mkdir -p "$_dir"
ensure downloader "$_url" "$_file" "$_arch"
# Verify the downloaded binary against the attestation hash
if [ -n "$_expected_hash" ]; then
say "verifying binary integrity..."
local _actual_hash
_actual_hash=$(compute_sha256 "$_file")
if [ "$_actual_hash" != "$_expected_hash" ]; then
err "hash verification failed:
expected: $_expected_hash
actual: $_actual_hash
Use --force to skip verification (INSECURE)"
fi
say "binary verified ✓"
fi
ensure chmod u+x "$_file"
if [ ! -x "$_file" ]; then
err "cannot execute $_file (likely because of mounting /tmp as noexec).
please copy the file to a location where you can execute binaries and run ./foundryup"
fi
say "installing foundryup to $FOUNDRYUP_BIN_DIR..."
ensure mkdir -p "$FOUNDRYUP_BIN_DIR"
ensure cp "$_file" "$FOUNDRYUP_BIN_DIR/foundryup"
ensure chmod +x "$FOUNDRYUP_BIN_DIR/foundryup"
ignore rm "$_file"
ignore rmdir "$_dir"
post_install
}
post_install() {
say ""
say "foundryup was installed successfully!"
say ""
# Check if bin dir is in PATH
case ":$PATH:" in
*":$FOUNDRYUP_BIN_DIR:"*)
say "Run 'foundryup' to install Foundry."
;;
*)
say "To get started, add foundryup to your PATH:"
say ""
say " export PATH=\"\$PATH:$FOUNDRYUP_BIN_DIR\""
say ""
say "Then run 'foundryup' to install Foundry."
;;
esac
}
get_architecture() {
local _ostype
local _cputype
_ostype="$(uname -s)"
_cputype="$(uname -m)"
case "$_ostype" in
Linux)
if is_musl; then
_ostype="alpine"
else
_ostype="linux"
fi
;;
Darwin)
_ostype="darwin"
;;
MINGW* | MSYS* | CYGWIN* | Windows_NT)
_ostype="win32"
;;
*)
err "unsupported OS: $_ostype"
;;
esac
case "$_cputype" in
x86_64 | x64 | amd64)
# Check for Rosetta on macOS
if [ "$_ostype" = "darwin" ] && is_rosetta; then
_cputype="arm64"
else
_cputype="amd64"
fi
;;
aarch64 | arm64)
_cputype="arm64"
;;
*)
err "unsupported architecture: $_cputype"
;;
esac
RETVAL="${_ostype}_${_cputype}"
}
get_ext() {
case "$1" in
win32_*) echo ".exe" ;;
*) echo "" ;;
esac
}
is_musl() {
if [ -f /etc/os-release ]; then
grep -qi "alpine" /etc/os-release 2>/dev/null
return $?
fi
return 1
}
is_rosetta() {
if [ "$(uname -s)" = "Darwin" ]; then
if command -v sysctl >/dev/null 2>&1; then
[ "$(sysctl -n sysctl.proc_translated 2>/dev/null)" = "1" ]
return $?
fi
fi
return 1
}
say() {
printf 'foundryup-init: %s\n' "$1"
}
err() {
say "$1" >&2
exit 1
}
warn() {
say "warning: $1" >&2
}
need_cmd() {
if ! check_cmd "$1"; then
err "need '$1' (command not found)"
fi
}
check_cmd() {
command -v "$1" > /dev/null 2>&1
}
assert_nz() {
if [ -z "$1" ]; then
err "assert_nz $2"
fi
}
compute_sha256() {
if check_cmd sha256sum; then
sha256sum "$1" | cut -d' ' -f1 | sed 's/^\\//'
elif check_cmd shasum; then
shasum -a 256 "$1" | cut -d' ' -f1
else
err "need 'sha256sum' or 'shasum' for verification"
fi
}
# Download without exiting on failure (used for optional files like attestations)
try_download() {
if check_cmd curl; then
curl --proto '=https' --tlsv1.2 --silent --fail --location "$1" --output "$2" 2>/dev/null
elif check_cmd wget; then
wget --https-only --secure-protocol=TLSv1_2 -q "$1" -O "$2" 2>/dev/null
else
return 1
fi
}
ensure() {
if ! "$@"; then
err "command failed: $*"
fi
}
ignore() {
"$@"
}
downloader() {
local _dld
local _err
local _status
if check_cmd curl; then
_dld=curl
elif check_cmd wget; then
_dld=wget
else
_dld='curl or wget'
fi
if [ "$1" = --check ]; then
need_cmd "$_dld"
elif [ "$_dld" = curl ]; then
_err=$(curl --proto '=https' --tlsv1.2 --silent --show-error --fail --location "$1" --output "$2" 2>&1)
_status=$?
if [ -n "$_err" ]; then
warn "$_err"
if echo "$_err" | grep -q 404; then
err "binary for platform '$3' not found, this may be unsupported"
fi
fi
return $_status
elif [ "$_dld" = wget ]; then
_err=$(wget --https-only --secure-protocol=TLSv1_2 "$1" -O "$2" 2>&1)
_status=$?
if [ -n "$_err" ]; then
warn "$_err"
if echo "$_err" | grep -q '404'; then
err "binary for platform '$3' not found, this may be unsupported"
fi
fi
return $_status
else
err "unknown downloader"
fi
}
main "$@" || exit 1