v0.4.0

  * [enhancement] The integrity of helper scripts `n-update` and `n-uninstall`, which are downloaded by `n-install` from
    this repo, is now verified via SHA-256 checksums embedded in `n-install`.

CHANGELOG.md

@@ -4,6 +4,10 @@ Versioning complies with [semantic versioning (semver)](http://semver.org/).
 
 <!-- NOTE: An entry template for a new version is automatically added each time `make version` is called. Fill in changes afterwards. -->
 
+* **[v0.4.0](https://github.com/mklement0/n-install/compare/v0.3.7...v0.4.0)** (2017-10-26):
+  * [enhancement] The integrity of helper scripts `n-update` and `n-uninstall`, which are downloaded by `n-install` from
+    this repo, is now verified via SHA-256 checksums embedded in `n-install`.
+
 * **[v0.3.7](https://github.com/mklement0/n-install/compare/v0.3.6...v0.3.7)** (2017-10-25):
   * [doc] Clarified that even during local execution after having manually downloaded `n-install` helper scripts are downloaded from this repo.
 

Makefile

@@ -121,7 +121,14 @@ version:
   [[ `json -f package.json version` == "$$newVer" ]] || { npm version $$newVer --no-git-tag-version >/dev/null && printf $$'\e[0;33m%s\e[0m\n' 'package.json' || exit; }; \
   [[ $$gitTagVer == '(none)' ]] && newVerMdSnippet="**v$$newVer**" || newVerMdSnippet="**[v$$newVer](`json -f package.json repository.url | sed 's/.git$$//'`/compare/v$$gitTagVer...v$$newVer)**"; \
   grep -Eq "\bv$${newVer//./\.}[^[:digit:]-]" CHANGELOG.md || { { sed -n '1,/^<!--/p' CHANGELOG.md && printf %s $$'\n* '"$$newVerMdSnippet"$$' ('"`date +'%Y-%m-%d'`"$$'):\n  * ???\n' && sed -n '1,/^<!--/d; p' CHANGELOG.md; } > CHANGELOG.tmp.md && mv CHANGELOG.tmp.md CHANGELOG.md; }; \
-  printf -- "-- Version bumped to v$$newVer in source files and package.json (only just-now updated files were printed above, if any).\n   Describe changes in CHANGELOG.md ('make release' will prompt for it).\n   To update the read-me file, run 'make update-readme' (also happens during 'make release').\n"
+  printf -- "-- Version bumped to v$$newVer in source files and package.json (only just-now updated files were printed above, if any).\n   Describe changes in CHANGELOG.md ('make release' will prompt for it).\n   To update the read-me file, run 'make update-readme' (also happens during 'make release').\n"; \
+	$(MAKE) -f $(lastword $(MAKEFILE_LIST)) update-checksums || exit
+
+# Specific to this project:
+# Update the helper-script checksums that are embedded in n-install.
+.PHONY: update-checksums
+update-checksums:
+	@util/update-checksums
 
 # make release [VER=<newVerSpec>] [NOTEST=1]
 # Increments the version number, runs tests, then commits and tags, pushes to origin, prompts to publish to the npm-registry; NOTEST=1 skips tests.

README.md

@@ -303,6 +303,10 @@ Versioning complies with [semantic versioning (semver)](http://semver.org/).
 
 <!-- NOTE: An entry template for a new version is automatically added each time `make version` is called. Fill in changes afterwards. -->
 
+* **[v0.4.0](https://github.com/mklement0/n-install/compare/v0.3.7...v0.4.0)** (2017-10-26):
+  * [enhancement] The integrity of helper scripts `n-update` and `n-uninstall`, which are downloaded by `n-install` from
+    this repo, is now verified via SHA-256 checksums embedded in `n-install`.
+
 * **[v0.3.7](https://github.com/mklement0/n-install/compare/v0.3.6...v0.3.7)** (2017-10-25):
   * [doc] Clarified that even during local execution after having manually downloaded `n-install` helper scripts are downloaded from this repo.
 

bin/n-install

@@ -28,7 +28,7 @@ kN_REPO_URL='https://github.com/tj/n' # n's GitHub repo URL
 kN_DIRNAME='n' # The name of the subdir. of the $kPREFIX_DIR that *n itself assumes* it is installed in.
 kSUBDIRS=( "$kN_DIRNAME" bin include lib share ) # (informational) all subdirs. of N_PREFIX into which files will be installed as of node 0.12
 
-## Names and download URLs for the helper scripts
+## Names, download URLs, and checksums for the helper scripts
 kUPDATE_SCRIPT='n-update' # Filename of the custom update script.
 kUNINSTALL_SCRIPT='n-uninstall' # Filename of the custom uninstall script.
 kHELPER_SCRIPTS=( 
@@ -38,6 +38,19 @@ kHELPER_SCRIPTS=(
 kHELPER_SCRIPT_URLS=( 
   "${kTHIS_REPO_URL_LONG/\/\/github.com\////raw.githubusercontent.com/}/stable/bin/$kUPDATE_SCRIPT" 
   "${kTHIS_REPO_URL_LONG/\/\/github.com\////raw.githubusercontent.com/}/stable/bin/$kUNINSTALL_SCRIPT" 
+)
+  # SHA-256 checksum for the helper scripts.
+  # !! These checksums must be updated whenever `n-update` and `n-uninstall`
+  # !! are modified, which also happens when merely the version number is
+  # !! bumped. 
+  # !! The Makefile takes care of updating after every version bump 
+  # !! (`make version`` or implicitly with `make release``), but you can do it on
+  # !! demand with `make update-checksums`.
+  # !! DO NOT MODIFY THE *FORMAT* OF THIS ARRAY LITERAL - `util/update-checksums`
+  # !! and a test rely on it.
+kSHA256_SUMS=(
+  "2c974ab30eee3aa2d3811b7794a815ad52b181a2abd87b01678af3f9da67ebcc  $kUPDATE_SCRIPT"
+  "638b4deb9e2af72e2f737dc7b53f11bbdab8240e61c36b6b68e0c95560d08e44  $kUNINSTALL_SCRIPT"
 )
 ##
 
@@ -419,7 +432,7 @@ unset CDPATH  # to prevent unpredictable `cd` behavior
 [[ -t 1 ]] || kNO_COLOR=1 # turn off colored output if stdout is not connected to a terminal
 
 # Output version number and exit, if requested. Note that the `ver='...'` statement is automatically updated by `make version VER=<newVer>` - DO keep the 'v' prefix in the variable _definition_.
-[[ $1 == '--version' ]] && { ver='v0.3.7'; echo "$kTHIS_NAME ${ver#v}"$'\nFor license information and more, visit https://git.io/n-install-repo'; exit 0; }
+[[ $1 == '--version' ]] && { ver='v0.4.0'; echo "$kTHIS_NAME ${ver#v}"$'\nFor license information and more, visit https://git.io/n-install-repo'; exit 0; }
 
 # !! AS OF n 1.3.0, n ITSELF ONLY WORKS WITH curl, NOT ALSO WITH wget.
 # !! Once n also supports wget, mention wget as an alternative in the help text.
@@ -763,29 +776,57 @@ fi
 
 if (( ! helpersCopiedLocally )); then  # Running from GitHub with `curl ... | bash`, or from a lone local copy of `n-install` without its helper scripts present.
 
+  # Find a SHA-256 checksum utility and construct a verification command.
+  shaSumVerifyCmd=
+  [[ -n $(command -v sha256sum) ]] && shaSumVerifyCmd=( 'sha256sum' '-c' '--status' ) # Linux
+  [[ -z $shaSumVerifyCmd && -n $(command -v shasum) ]] && shaSumVerifyCmd=( 'shasum' '-a' '256' '-c' '--status' ) # macOS
+
   # Download helper scripts from GitHub.
+  if [[ -z $shaSumVerifyCmd ]]; then # No SHA checksum-verification utility found - this should not happen.
 
-  cd "$nBinDir" || die
-    i=0
-    for helperScript in "${kHELPER_SCRIPTS[@]}"; do  
-      helperScriptUrl="${kHELPER_SCRIPT_URLS[i++]}"
-      # Note: The curl / wget command succeeds even if the target file doesn't exist, so we
-      #       check the resulting file's 1st line for a shebang line to determine
-      #       if a script was truly downloaded or not, and remove a download file
-      #       that's not a script.
-      [[ -n $(command -v curl) ]] &&
-        downloadCmdArgs=( curl -sS "$helperScriptUrl" -O ) ||
-        downloadCmdArgs=( wget --quiet "$helperScriptUrl" )
-      "${downloadCmdArgs[@]}" && head -n 1 "$helperScript" | grep -q '^#!' && chmod +x "$helperScript" || {
-        rm -f "$helperScript"
-        warn - <<EOF
+    warn - <<EOF
+Skipping download of the following helper scripts, because no SHA
+checksum-verification utility is available: ${kHELPER_SCRIPTS[@]} 
+EOF
+
+  else # SHA utility present, proceed with download.
+    cd "$nBinDir" || die
+      i=0
+      for helperScript in "${kHELPER_SCRIPTS[@]}"; do  
+
+        helperScriptUrl="${kHELPER_SCRIPT_URLS[i]}"
+        # Note: The curl / wget command succeeds even if the target file doesn't exist, so we
+        #       check the resulting file's 1st line for a shebang line to determine
+        #       if a script was truly downloaded or not, and remove a download file
+        #       that's not a script.
+        [[ -n $(command -v curl) ]] &&
+          downloadCmdArgs=( curl -sS "$helperScriptUrl" -O ) ||
+          downloadCmdArgs=( wget --quiet "$helperScriptUrl" )
+        "${downloadCmdArgs[@]}" && head -n 1 "$helperScript" | grep -q '^#!' && chmod +x "$helperScript" || {
+          rm -f "$helperScript" || die
+          warn - <<EOF
 Failed to download helper script '$helperScriptUrl' to
 '$nBinDir/$helperScript'.
 For manual procedures, see $kTHIS_REPO_URL.
 EOF
-      }    
-    done
-  cd - >/dev/null
+        }
+
+        # Verify the checksum
+        if [[ -f "$helperScript" ]]; then
+          echo "${kSHA256_SUMS[i]}" | "${shaSumVerifyCmd[@]}" || {
+            rm -f "$helperScript" || die
+            warn - <<EOF
+Helper script '$helperScript' was not installed, because its integrity could
+not be verified (checksum verification failed).
+EOF
+          }
+        fi
+
+        (( ++i ))
+
+      done
+    cd - >/dev/null
+  fi
 
 fi