From 688090095efe8916d8a7c75f2e10cdd2cefa174c Mon Sep 17 00:00:00 2001
From: Armin Schrenk
Date: Thu, 26 Feb 2026 17:49:38 +0100
Subject: [PATCH] harden curl downloads on CI (#4158)

---
 .github/workflows/appimage.yml | 4 ++--
 .github/workflows/av-whitelist.yml | 2 +-
 .github/workflows/debian.yml | 4 ++--
 .github/workflows/flathub.yml | 2 +-
 .github/workflows/mac-dmg-x64.yml | 2 +-
 .github/workflows/mac-dmg.yml | 2 +-
 .github/workflows/post-publish.yml | 2 +-
 .github/workflows/win-exe.yml | 6 +++---
 8 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/appimage.yml b/.github/workflows/appimage.yml
index 824f996f4..6bb406441 100644
--- a/.github/workflows/appimage.yml
+++ b/.github/workflows/appimage.yml
@@ -63,7 +63,7 @@ jobs:
 - name: Download OpenJFX jmods
 id: download-jmods
 run: |
- curl -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
+ curl --silent --fail-with-body --proto "=https" -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
 echo "${{ matrix.openjfx-sha }} openjfx-jmods.zip" | shasum -a256 --check
 mkdir -p openjfx-jmods
 unzip -j openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods
@@ -165,7 +165,7 @@ jobs:
 ln -s bin/cryptomator.sh Cryptomator.AppDir/AppRun
 - name: Download AppImageKit
 run: |
- curl -L "https://github.com/AppImage/appimagetool/releases/download/continuous/appimagetool-${{ matrix.arch }}.AppImage" -o appimagetool.AppImage
+ curl --silent --fail-with-body --proto "=https" -L "https://github.com/AppImage/appimagetool/releases/download/continuous/appimagetool-${{ matrix.arch }}.AppImage" -o appimagetool.AppImage
 chmod +x appimagetool.AppImage
 ./appimagetool.AppImage --appimage-extract
 - name: Prepare GPG-Agent for signing with key 615D449FE6E6A235
diff --git a/.github/workflows/av-whitelist.yml b/.github/workflows/av-whitelist.yml
index 4a8aba9af..1a7488fd2 100644
--- a/.github/workflows/av-whitelist.yml
+++ b/.github/workflows/av-whitelist.yml
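Review bot: `--silent` on the new curl line also suppresses curl's own error reporting, so a TLS, DNS or `--proto` rejection — and, because `--fail-with-body` writes the error body into the `-o` file rather than the log, an HTTP 4xx/5xx as well — fails the step with only an exit code and no diagnostic. The hardening idiom is `--silent --show-error` (`-sS`): `curl --silent --show-error --fail-with-body --proto "=https" -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip`. The same applies to every other curl line in this commit (appimage `@@ -165`, av-whitelist, debian, flathub, both mac-dmg workflows, post-publish and the three win-exe hunks). Separately, `${{ matrix.openjfx-url }}` is expanded unquoted here while the `@@ -165` hunk and win-exe quote their URLs; `"${{ matrix.openjfx-url }}"` keeps the style consistent, and the debian and mac-dmg hunks have the same unquoted form.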
@@ -49,7 +49,7 @@ jobs:
 url="${INPUT_URL}"
 echo "fileName=${url##*/}" >> $GITHUB_OUTPUT
 - name: Download file
- run: curl "${INPUT_URL}" -L -o "${{steps.extractName.outputs.fileName}}" --fail-with-body
+ run: curl --silent --fail-with-body --proto "=https" -L "${INPUT_URL}" -o "${{steps.extractName.outputs.fileName}}"
 - name: Upload artifact
 uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 with:
diff --git a/.github/workflows/debian.yml b/.github/workflows/debian.yml
index 178f46441..f4e9a09a4 100644
--- a/.github/workflows/debian.yml
+++ b/.github/workflows/debian.yml
@@ -71,11 +71,11 @@ jobs:
 - name: Download OpenJFX jmods
 id: download-jmods
 run: |
- curl -L ${{ env.OPENJFX_JMODS_AMD64 }} -o openjfx-amd64.zip
+ curl --silent --fail-with-body --proto "=https" -L ${{ env.OPENJFX_JMODS_AMD64 }} -o openjfx-amd64.zip
 echo "${{ env.OPENJFX_JMODS_AMD64_HASH }} openjfx-amd64.zip" | shasum -a256 --check
 mkdir -p jmods/amd64
 unzip -j openjfx-amd64.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d jmods/amd64
- curl -L ${{ env.OPENJFX_JMODS_AARCH64 }} -o openjfx-aarch64.zip
+ curl --silent --fail-with-body --proto "=https" -L ${{ env.OPENJFX_JMODS_AARCH64 }} -o openjfx-aarch64.zip
 echo "${{ env.OPENJFX_JMODS_AARCH64_HASH }} openjfx-aarch64.zip" | shasum -a256 --check
 mkdir -p jmods/aarch64
 unzip -j openjfx-aarch64.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d jmods/aarch64
diff --git a/.github/workflows/flathub.yml b/.github/workflows/flathub.yml
index e31f4cfdc..bf22cec30 100644
--- a/.github/workflows/flathub.yml
+++ b/.github/workflows/flathub.yml
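Review bot: the new `run:` line still splices `${{steps.extractName.outputs.fileName}}` into the shell command as a template expansion; that value is derived from `INPUT_URL` two lines above, so quotes or shell metacharacters in the URL's last path segment are interpreted by the shell instead of being treated as a filename, which is the pattern GitHub's own guidance on script injection warns against. Since `INPUT_URL` is already consumed as an environment variable, the output name can take the same route: add `env: FILE_NAME: ${{ steps.extractName.outputs.fileName }}` to the step and write `-o "${FILE_NAME}"`. Where `INPUT_URL` is set is outside the hunk, so how far it is user-controlled is presumed rather than visible here.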
@@ -33,7 +33,7 @@ jobs:
 - name: Download source tarball and compute checksum
 id: sha512
 run: |
- curl --silent --fail-with-body -L -H "Accept: application/vnd.github+json" ${{ steps.url.outputs.url }} --output cryptomator.tar.gz
+ curl --silent --fail-with-body --proto "=https" -L -H "Accept: application/vnd.github+json" ${{ steps.url.outputs.url }} --output cryptomator.tar.gz
 TARBALL_SHA512=$(sha512sum cryptomator.tar.gz | cut -d ' ' -f1)
 echo "sha512=${TARBALL_SHA512}" >> "$GITHUB_OUTPUT"
 flathub:
diff --git a/.github/workflows/mac-dmg-x64.yml b/.github/workflows/mac-dmg-x64.yml
index 9afc867a6..102e104c6 100644
--- a/.github/workflows/mac-dmg-x64.yml
+++ b/.github/workflows/mac-dmg-x64.yml
@@ -59,7 +59,7 @@ jobs:
 - name: Download OpenJFX jmods
 id: download-jmods
 run: |
- curl -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
+ curl --silent --fail-with-body --proto "=https" -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
 echo "${{ matrix.openjfx-sha }} *openjfx-jmods.zip" | shasum -a256 --check
 mkdir -p openjfx-jmods/
 unzip -jo openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods
diff --git a/.github/workflows/mac-dmg.yml b/.github/workflows/mac-dmg.yml
index 06116d2a7..b2b962b6f 100644
--- a/.github/workflows/mac-dmg.yml
+++ b/.github/workflows/mac-dmg.yml
@@ -57,7 +57,7 @@ jobs:
 - name: Download OpenJFX jmods
 id: download-jmods
 run: |
- curl -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
+ curl --silent --fail-with-body --proto "=https" -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
 echo "${{ matrix.openjfx-sha }} *openjfx-jmods.zip" | shasum -a256 --check
 mkdir -p openjfx-jmods/
 unzip -jo openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods
diff --git a/.github/workflows/post-publish.yml b/.github/workflows/post-publish.yml
index d685381c7..619f0f607 100644
--- a/.github/workflows/post-publish.yml
+++ b/.github/workflows/post-publish.yml
@@ -10,7 +10,7 @@ jobs:
 steps:
 - name: Download source tarball
 run: |
- curl -L -H "Accept: application/vnd.github+json" https://github.com/cryptomator/cryptomator/archive/refs/tags/${{ github.event.release.tag_name }}.tar.gz --output cryptomator-${{ github.event.release.tag_name }}.tar.gz
+ curl --silent --fail-with-body --proto "=https" -L -H "Accept: application/vnd.github+json" https://github.com/cryptomator/cryptomator/archive/refs/tags/${{ github.event.release.tag_name }}.tar.gz --output cryptomator-${{ github.event.release.tag_name }}.tar.gz
 - name: Sign source tarball with key 615D449FE6E6A235
 run: |
 echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import
diff --git a/.github/workflows/win-exe.yml b/.github/workflows/win-exe.yml
index e41d3c618..30e2f9f67 100644
--- a/.github/workflows/win-exe.yml
+++ b/.github/workflows/win-exe.yml
@@ -72,7 +72,7 @@ jobs:
 if: matrix.arch == 'x64'
 #In the last step we move all jmods files a dir level up because jmods are placed inside a directory in the zip
 run: |
- curl --output openjfx-jmods.zip -L "${{ env.OPENJFX_JMODS_AMD64 }}"
+ curl --silent --fail-with-body --proto "=https" -L "${{ env.OPENJFX_JMODS_AMD64 }}" --output openjfx-jmods.zip
 if(!(Get-FileHash -Path openjfx-jmods.zip -Algorithm SHA256).Hash.ToLower().equals("${{ env.OPENJFX_JMODS_AMD64_HASH }}")) {
 throw "Wrong checksum of JMOD archive downloaded from ${{ env.OPENJFX_JMODS_AMD64 }}.";
 }
@@ -338,7 +338,7 @@ jobs:
 shell: pwsh
 - name: Download WinFsp
 run: |
- curl --output $env:WINFSP_PATH -L ${{ env.WINFSP_MSI }}
+ curl --silent --fail-with-body --proto "=https" -L ${{ env.WINFSP_MSI }} --output $env:WINFSP_PATH
 $computedHash = (Get-FileHash -Path $env:WINFSP_PATH -Algorithm SHA256).Hash.ToLower()
 if ($computedHash -ne "${{ env.WINFSP_MSI_HASH }}") {
 throw "Checksum mismatch for $env:WINFSP_PATH (expected ${{ env.WINFSP_MSI_HASH }}, got $computedHash)."
@@ -348,7 +348,7 @@ jobs:
 shell: pwsh
 - name: Download Legacy-WinFsp uninstaller
 run: |
- curl --output dist/win/bundle/resources/winfsp-uninstaller.exe -L ${{ env.WINFSP_UNINSTALLER }}
+ curl --silent --fail-with-body --proto "=https" -L ${{ env.WINFSP_UNINSTALLER }} --output dist/win/bundle/resources/winfsp-uninstaller.exe
 shell: pwsh
 - name: Create Wix Burn bundle
 working-directory: dist/win
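Review bot: this is the only one of the three win-exe curl lines with no integrity check — the `@@ -72` and `@@ -338` hunks compare a SHA-256 against a pinned env value, while `winfsp-uninstaller.exe` goes straight into `dist/win/bundle/resources` and, going by the name of the following step, into the Burn bundle. `--proto "=https"` authenticates the transport only; pinning a digest makes the step fail closed if the file served at `WINFSP_UNINSTALLER` ever changes. The check below mirrors the `@@ -338` hunk and needs a new env entry for the expected digest (placeholder name `WINFSP_UNINSTALLER_HASH`; the workflow's env block is outside this hunk).
```yaml
      run: |
        curl --silent --fail-with-body --proto "=https" -L ${{ env.WINFSP_UNINSTALLER }} --output dist/win/bundle/resources/winfsp-uninstaller.exe
        # WINFSP_UNINSTALLER_HASH: placeholder for a new env entry holding the pinned SHA-256 (defined outside this hunk)
        $computedHash = (Get-FileHash -Path dist/win/bundle/resources/winfsp-uninstaller.exe -Algorithm SHA256).Hash.ToLower()
        if ($computedHash -ne "${{ env.WINFSP_UNINSTALLER_HASH }}") {
          throw "Checksum mismatch for winfsp-uninstaller.exe (expected ${{ env.WINFSP_UNINSTALLER_HASH }}, got $computedHash)."
        }
```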