marsultor/email-tracker
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f09560c7b17e66bb1d75fa0801e73e8496202752
email-tracker/external/duckdb/scripts/extension-upload-wasm.sh
Mars Ultor f09560c7b1 should be it
2025-10-24 19:21:19 -05:00

60 lines
2.4 KiB
Bash
Raw Blame History

#!/bin/bash
# Usage: ./extension-upload-wasm.sh <architecture> <commithash or version_tag>
set -e
# Ensure we do nothing on failed globs
shopt -s nullglob
if [[ -z "${DUCKDB_EXTENSION_SIGNING_PK}" ]]; then
# no private key provided, use the test private key (NOT SAFE)
# this is made so private.pem at the end of the block will be in
# a valid state, and the rest of the signing process can be tested
# even without providing the key
cp test/mbedtls/private.pem private.pem
else
# actual private key provided
echo "$DUCKDB_EXTENSION_SIGNING_PK" > private.pem
fi
FILES="build/to_be_deployed/$2/$1/*.duckdb_extension.wasm"
for f in $FILES
do
ext=`basename $f .duckdb_extension.wasm`
echo $ext
# calculate SHA256 hash of extension binary
cat $f > $f.append
# 0 for custom section
# 113 in hex = 275 in decimal, total length of what follows (1 + 16 + 2 + 256)
# [1(continuation) + 0010011(payload) = \x93, 0(continuation) + 10(payload) = \x02]
echo -n -e '\x00' >> $f.append
echo -n -e '\x93\x02' >> $f.append
# 10 in hex = 16 in decimal, length of name, 1 byte
echo -n -e '\x10' >> $f.append
echo -n -e 'duckdb_signature' >> $f.append
# the name of the WebAssembly custom section, 16 bytes
# 100 in hex, 256 in decimal
# [1(continuation) + 0000000(payload) = ff, 0(continuation) + 10(payload)],
# for a grand total of 2 bytes
echo -n -e '\x80\x02' >> $f.append
# the actual payload, 256 bytes, to be added later
scripts/compute-extension-hash.sh $f.append > $f.hash
# encrypt hash with extension signing private key to create signature
openssl pkeyutl -sign -in $f.hash -inkey private.pem -pkeyopt digest:sha256 -out $f.sign
# append signature to extension binary
cat $f.sign >> $f.append
# compress extension binary
brotli < $f.append > "$f.brotli"
# upload compressed extension binary to S3
if [[ -z "${AWS_SECRET_ACCESS_KEY}" ]]; then
#AWS_SECRET_ACCESS_KEY is empty -> dry run
aws s3 cp $f.brotli s3://duckdb-core-extensions/$2/$1/$ext.duckdb_extension.wasm --acl public-read --content-encoding br --content-type="application/wasm" --dryrun
else
aws s3 cp $f.brotli s3://duckdb-core-extensions/$2/$1/$ext.duckdb_extension.wasm --acl public-read --content-encoding br --content-type="application/wasm"
fi
done
# remove private key
rm private.pem
Reference in New Issue View Git Blame Copy Permalink