Add optional verification of prebuilt artifacts

Signed-off-by: Jonathan Schwender <[email protected]> f Signed-off-by: Jonathan Schwender <[email protected]>
servo · Sep 25, 2024 · e87091e · e87091e
1 parent 5fe5854
commit e87091e
Showing 1 changed file with 42 additions and 0 deletions.
diff --git a/mozjs-sys/build.rs b/mozjs-sys/build.rs
@@ -13,6 +13,7 @@ use std::fs::File;
 use std::path::{Path, PathBuf};
 use std::process::Command;
 use std::str;
+use std::time::Instant;
 use tar::Archive;
 use walkdir::WalkDir;
 
@@ -910,6 +911,8 @@ fn download_archive(base: Option<&str>) -> Result<PathBuf, std::io::Error> {
     let target = env::var("TARGET").unwrap();
     let archive_path = PathBuf::from(env::var_os("OUT_DIR").unwrap()).join("libmozjs.tar.gz");
     if !archive_path.exists() {
+        eprintln!("Trying to download prebuilt mozjs static library from Github Releases");
+        let curl_start = Instant::now();
         if !Command::new("curl")
             .arg("-L")
             .arg("-f")
@@ -924,6 +927,45 @@ fn download_archive(base: Option<&str>) -> Result<PathBuf, std::io::Error> {
         {
             return Err(std::io::Error::from(std::io::ErrorKind::NotFound));
         }
+        eprintln!(
+            "Successfully downloaded mozjs archive in {} ms",
+            curl_start.elapsed().as_millis()
+        );
+
+        if env::var_os("MOZJS_ATTESTATION").is_some() {
+            let start = Instant::now();
+            if !Command::new("gh")
+                .arg("attestation")
+                .arg("--help")
+                .output()
+                .is_ok_and(|output| output.status.success())
+            {
+                eprintln!(
+                    "Couldn't find `gh` or `gh` version too old. Skipping verification of artifact."
+                );
+            } else {
+                let mut attestation_cmd = Command::new("gh");
+                attestation_cmd
+                    .arg("attestation")
+                    .arg("verify")
+                    .arg(&archive_path)
+                    .arg("-R")
+                    .arg("servo/mozjs");
+                if let Err(output) = attestation_cmd.output() {
+                    eprintln!("Failed to verify the artifact downloaded from CI: {output:?}");
+                    // Remove the file so the build-script will redownload next time.
+                    let _ = fs::remove_file(&archive_path).inspect_err(|e| {
+                        eprintln!("Failed to delete archive: {e}");
+                    });
+                    return Err(std::io::Error::from(std::io::ErrorKind::InvalidData));
+                }
+            }
+            let attestation_duration = start.elapsed();
+            eprintln!(
+                "Artifact evaluation took {} ms",
+                attestation_duration.as_millis()
+            );
+        }
     }
 
     Ok(archive_path)