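--- a/tools/deps.sh Tue Jun 06 18:55:17 2023 -0400
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,309 +0,0 @@
-#!/usr/bin/sh
-# install demo build dependencies
-set -u
-PKG_URL_ROOT="${PKG_URL_ROOT:-https://rwest.io/otom8/packy/bundle}"
-PKG_NAME="demo_build_deps"
-say() {printf 'babel-installer: %s\n' "$1"}
-err() {say "$1" >&2; exit 1}
-need_cmd() {
- if ! check_cmd "$1"; then
- err "need '$1' (command not found)"
- fi}
-check_cmd() {command -v "$1" > /dev/null 2>&1}
-ensure() {if ! "$@"; then err "command failed: $*"; fi}
-ignore() {"$@"}
-
-main () {
- need_cmd chmod
- need_cmd mkdir
- need_cmd rm
-
- get_architecture || return 1
- local _arch="$RETVAL"
- assert_nz "$_arch" "arch"
-
- # no extension unless on windows
- local _ext=""
- case "$_arch" in
- *windows*)
- _ext=".exe"
- ;;
- esac
-
- local _url="${PKG_URL_ROOT}/bin/dist/${_arch}/${PKG_NAME}${_ext}"
-
- local _dir
- _dir="$(ensure mktemp -d)"
- local _file="${_dir}/${PKG_NAME}${_ext}"
-
- local _ansi_escapes_are_valid=false
- if [ -t 2 ]; then
- if [ "${TERM+set}" = 'set' ]; then
- case "$TERM" in
- xterm*|rxvt*|urxvt*|linux*|vt*)
- _ansi_escapes_are_valid=true
- ;;
- esac
- fi
- fi
-
- # check if we have to use /dev/tty to prompt the user
- local need_tty=yes
- for arg in "$@"; do
- case "$arg" in
- q)
- # user wants to skip the prompt --
- # we don't need /dev/tty
- need_tty=no
- ;;
- *)
- ;;
- esac
- done
-
- if $_ansi_escapes_are_valid; then
- printf "\33[1minfo:\33[0m downloading $PKG_NAME\n" 1>&2
- else
- printf '%s\n' 'info: downloading $PKG_NAME' 1>&2
- fi
-
- ensure mkdir -p "$_dir"
- ensure downloader "$_url" "$_file" "$_arch"
- ensure chmod u+x "$_file"
- if [ ! -x "$_file" ]; then
- printf '%s\n' "Cannot execute $_file (likely because of mounting /tmp as noexec)." 1>&2
- printf '%s\n' "Please copy the file to a location where you can execute binaries and run ./${PKG_NAME}${_ext}." 1>&2
- exit 1
- fi
-
- if [ "$need_tty" = "yes" ]; then
- # The installer is going to want to ask for confirmation by
- # reading stdin. This script was piped into `sh` though and
- # doesn't have stdin to pass to its children. Instead we're going
- # to explicitly connect /dev/tty to the installer's stdin.
- if [ ! -t 1 ]; then
- err "Unable to run interactively. Run with -y to accept defaults"
- fi
-
- ignore "$_file" "$@" < /dev/tty
- else
- ignore "$_file" "$@"
- fi
-
- local _retval=$?
-
- ignore rm "$_file"
- ignore rmdir "$_dir"
-
- return "$_retval"
-}
-
-dl() { # curl || wget
- local _dld
- local _ciphersuites
- local _err
- local _status
- if check_cmd curl; then
- _dld=curl
- elif check_cmd wget; then
- _dld=wget
- else
- _dld='curl or wget' # to be used in error message of need_cmd
- fi
-
- if [ "$1" = --check ]; then
- need_cmd "$_dld"
- elif [ "$_dld" = curl ]; then
- get_ciphersuites_for_curl
- _ciphersuites="$RETVAL"
- if [ -n "$_ciphersuites" ]; then
- _err=$(curl --proto '=https' --tlsv1.2 --ciphers "$_ciphersuites" --silent --show-error --fail --location "$1" --output "$2" 2>&1)
- _status=$?
- else
- echo "Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure"
- if ! check_help_for "$3" curl --proto --tlsv1.2; then
- echo "Warning: Not enforcing TLS v1.2, this is potentially less secure"
- _err=$(curl --silent --show-error --fail --location "$1" --output "$2" 2>&1)
- _status=$?
- else
- _err=$(curl --proto '=https' --tlsv1.2 --silent --show-error --fail --location "$1" --output "$2" 2>&1)
- _status=$?
- fi
- fi
- if [ -n "$_err" ]; then
- echo "$_err" >&2
- if echo "$_err" | grep -q 404$; then
- err "installer for platform '$3' not found 8^C - ask ellis to support your platform"
- fi
- fi
- return $_status
- elif [ "$_dld" = wget ]; then
- get_ciphersuites_for_wget
- _ciphersuites="$RETVAL"
- if [ -n "$_ciphersuites" ]; then
- _err=$(wget --https-only --secure-protocol=TLSv1_2 --ciphers "$_ciphersuites" "$1" -O "$2" 2>&1)
- _status=$?
- else
- echo "Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure"
- if ! check_help_for "$3" wget --https-only --secure-protocol; then
- echo "Warning: Not enforcing TLS v1.2, this is potentially less secure"
- _err=$(wget "$1" -O "$2" 2>&1)
- _status=$?
- else
- _err=$(wget --https-only --secure-protocol=TLSv1_2 "$1" -O "$2" 2>&1)
- _status=$?
- fi
- fi
- if [ -n "$_err" ]; then
- echo "$_err" >&2
- if echo "$_err" | grep -q ' 404 Not Found$'; then
- err "installer for platform '$3' not found!"
- fi
- fi
- return $_status
- else
- err "Unknown downloader" # should not reach here
- fi
-}
-
-check_help_for() {
- local _arch
- local _cmd
- local _arg
- _arch="$1"
- shift
- _cmd="$1"
- shift
-
- local _category
- if "$_cmd" --help | grep -q 'For all options use the manual or "--help all".'; then
- _category="all"
- else
- _category=""
- fi
-
- case "$_arch" in
-
- *darwin*)
- if check_cmd sw_vers; then
- case $(sw_vers -productVersion) in
- 10.*)
- # If we're running on macOS, older than 10.13, then we always
- # fail to find these options to force fallback
- if [ "$(sw_vers -productVersion | cut -d. -f2)" -lt 13 ]; then
- # Older than 10.13
- echo "Warning: Detected macOS platform older than 10.13"
- return 1
- fi
- ;;
- 11.*)
- # We assume Big Sur will be OK for now
- ;;
- *)
- # Unknown product version, warn and continue
- echo "Warning: Detected unknown macOS major version: $(sw_vers -productVersion)"
- echo "Warning TLS capabilities detection may fail"
- ;;
- esac
- fi
- ;;
-
- esac
-
- for _arg in "$@"; do
- if ! "$_cmd" --help $_category | grep -q -- "$_arg"; then
- return 1
- fi
- done
-
- true # not strictly needed
-}
-
-# Return cipher suite string specified by user, otherwise return strong TLS 1.2-1.3 cipher suites
-# if support by local tools is detected. Detection currently supports these curl backends:
-# GnuTLS and OpenSSL (possibly also LibreSSL and BoringSSL). Return value can be empty.
-get_ciphersuites_for_curl() {
- if [ -n "${BABEL_TLS_CIPHERSUITES-}" ]; then
- # user specified custom cipher suites, assume they know what they're doing
- RETVAL="$BABEL_TLS_CIPHERSUITES"
- return
- fi
-
- local _openssl_syntax="no"
- local _gnutls_syntax="no"
- local _backend_supported="yes"
- if curl -V | grep -q ' OpenSSL/'; then
- _openssl_syntax="yes"
- elif curl -V | grep -iq ' LibreSSL/'; then
- _openssl_syntax="yes"
- elif curl -V | grep -iq ' BoringSSL/'; then
- _openssl_syntax="yes"
- elif curl -V | grep -iq ' GnuTLS/'; then
- _gnutls_syntax="yes"
- else
- _backend_supported="no"
- fi
-
- local _args_supported="no"
- if [ "$_backend_supported" = "yes" ]; then
- # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc.
- if check_help_for "notspecified" "curl" "--tlsv1.2" "--ciphers" "--proto"; then
- _args_supported="yes"
- fi
- fi
-
- local _cs=""
- if [ "$_args_supported" = "yes" ]; then
- if [ "$_openssl_syntax" = "yes" ]; then
- _cs=$(get_strong_ciphersuites_for "openssl")
- elif [ "$_gnutls_syntax" = "yes" ]; then
- _cs=$(get_strong_ciphersuites_for "gnutls")
- fi
- fi
-
- RETVAL="$_cs"
-}
-
-# Return cipher suite string specified by user, otherwise return strong TLS 1.2-1.3 cipher suites
-# if support by local tools is detected. Detection currently supports these wget backends:
-# GnuTLS and OpenSSL (possibly also LibreSSL and BoringSSL). Return value can be empty.
-get_ciphersuites_for_wget() {
- if [ -n "${BABEL_TLS_CIPHERSUITES-}" ]; then
- # user specified custom cipher suites, assume they know what they're doing
- RETVAL="$BABEL_TLS_CIPHERSUITES"
- return
- fi
-
- local _cs=""
- if wget -V | grep -q '\-DHAVE_LIBSSL'; then
- # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc.
- if check_help_for "notspecified" "wget" "TLSv1_2" "--ciphers" "--https-only" "--secure-protocol"; then
- _cs=$(get_strong_ciphersuites_for "openssl")
- fi
- elif wget -V | grep -q '\-DHAVE_LIBGNUTLS'; then
- # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc.
- if check_help_for "notspecified" "wget" "TLSv1_2" "--ciphers" "--https-only" "--secure-protocol"; then
- _cs=$(get_strong_ciphersuites_for "gnutls")
- fi
- fi
-
- RETVAL="$_cs"
-}
-
-# Return strong TLS 1.2-1.3 cipher suites in OpenSSL or GnuTLS syntax. TLS 1.2
-# excludes non-ECDHE and non-AEAD cipher suites. DHE is excluded due to bad
-# DH params often found on servers (see RFC 7919). Sequence matches or is
-# similar to Firefox 68 ESR with weak cipher suites disabled via about:config.
-# $1 must be openssl or gnutls.
-get_strong_ciphersuites_for() {
- if [ "$1" = "openssl" ]; then
- # OpenSSL is forgiving of unknown values, no problems with TLS 1.3 values on versions that don't support it yet.
- echo "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
- elif [ "$1" = "gnutls" ]; then
- # GnuTLS isn't forgiving of unknown values, so this may require a GnuTLS version that supports TLS 1.3 even if wget doesn't.
- # Begin with SECURE128 (and higher) then remove/add to build cipher suites. Produces same 9 cipher suites as OpenSSL but in slightly different order.
- echo "SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS-ALL:-CIPHER-ALL:-MAC-ALL:-KX-ALL:+AEAD:+ECDHE-ECDSA:+ECDHE-RSA:+AES-128-GCM:+CHACHA20-POLY1305:+AES-256-GCM"
- fi
-}
-
-main "$@" || exit 1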