Swift SDK installation script improvements (#3429)

Swift SDK installation script improvements
  
  ### Motivation:
  
The SDK installation scripts had a few rough edges and didn't verify the
  artefacts they downloaded.
  
  ### Modifications:
  
  * Change naming to the more accurate "Swift SDK" where we can without
    breaking downstream adopters.
  * Separate Android NDK installation into its own script.
  * Avoid using `cd` when setting up Android NDK.
  * Verify checksums for SDKs and signatures for toolchains.
  * Specify/control the SDK directory.
  
  ### Result:
  
  * More accurate naming.
  * More maintainable scripts.
  * More secure downloads.

An example of this working
https://github.com/apple/swift-nio/actions/runs/18944235613/job/54090944716?pr=3429

Author: rnro

.github/workflows/android_sdk.yml renamed to .github/workflows/android_swift_sdk.yml

@@ -1,4 +1,4 @@
-name: Android SDK
+name: Android Swift SDK
 
 permissions:
   contents: read
@@ -12,12 +12,12 @@ on:
         default: "{}"
       additional_command_arguments:
         type: string
-        description: "Additional arguments passed to swift build (the Android SDK will be specified). Defaults to empty."
+        description: "Additional arguments passed to swift build (the Android Swift SDK will be specified). Defaults to empty."
         default: ""
 
 jobs:
   construct-matrix:
-    name: Construct Android SDK matrix
+    name: Construct Android Swift SDK matrix
     runs-on: ubuntu-latest
     outputs:
       android-sdk-matrix: '${{ steps.generate-matrix.outputs.android-sdk-matrix }}'
@@ -47,7 +47,7 @@ jobs:
                 "platform":"Linux",
                 "runner":"ubuntu-latest",
                 "image":"ubuntu:jammy",
-                "setup_command":"apt update -q && apt install -y -q curl jq tar && curl -s --retry 3 https://raw.githubusercontent.com/apple/swift-nio/main/scripts/install_swift_prerequisites.sh | bash && curl -s --retry 3 https://raw.githubusercontent.com/apple/swift-nio/main/scripts/install_swift_sdk.sh | INSTALL_SWIFT_BRANCH=main INSTALL_SWIFT_ARCH=x86_64 INSTALL_SWIFT_SDK=android-sdk bash && hash -r",
+                "setup_command":"apt update -q && apt install -y -q curl jq tar && curl -s --retry 3 https://raw.githubusercontent.com/apple/swift-nio/main/scripts/install_swift_prerequisites.sh | bash && curl -s --retry 3 https://raw.githubusercontent.com/apple/swift-nio/main/scripts/install_swift_sdk.sh | INSTALL_SWIFT_BRANCH=main INSTALL_SWIFT_ARCH=x86_64 INSTALL_SWIFT_SDK=android-sdk bash && curl -s --retry 3 https://raw.githubusercontent.com/apple/swift-nio/main/scripts/install_android_ndk.sh | bash && hash -r",
                 "command":"curl -s --retry 3 https://raw.githubusercontent.com/apple/swift-nio/main/scripts/swift-build-with-android-sdk.sh | bash -s --",
                 "command_arguments":"${{ inputs.additional_command_arguments }}",
                 "env":'"$env_vars_json"'
@@ -56,11 +56,11 @@ jobs:
           }' | jq -c)
           EOM
 
-  android-sdk:
-    name: Android SDK
+  android-swift-sdk:
+    name: Android Swift SDK
     needs: construct-matrix
     # Workaround https://github.com/nektos/act/issues/1875
     uses: apple/swift-nio/.github/workflows/swift_test_matrix.yml@main
     with:
-      name: "Android SDK"
+      name: "Android Swift SDK"
       matrix_string: '${{ needs.construct-matrix.outputs.android-sdk-matrix }}'

.github/workflows/main.yml

@@ -74,7 +74,7 @@ jobs:
   android-sdk:
     name: Android Swift SDK
     # Workaround https://github.com/nektos/act/issues/1875
-    uses: apple/swift-nio/.github/workflows/android_sdk.yml@main
+    uses: apple/swift-nio/.github/workflows/android_swift_sdk.yml@main
 
   macos-tests:
     name: macOS tests

.github/workflows/pull_request.yml

@@ -108,7 +108,7 @@ jobs:
   android-sdk:
     name: Android Swift SDK
     # Workaround https://github.com/nektos/act/issues/1875
-    uses: apple/swift-nio/.github/workflows/android_sdk.yml@main
+    uses: apple/swift-nio/.github/workflows/android_swift_sdk.yml@main
 
   release-builds:
     name: Release builds

.github/workflows/static_sdk.yml

@@ -49,7 +49,7 @@ jobs:
                 "image":"ubuntu:jammy",
                 "setup_command":"apt update -q && apt install -y -q curl jq tar && curl -s --retry 3 https://raw.githubusercontent.com/apple/swift-nio/main/scripts/install_swift_prerequisites.sh | bash && curl -s --retry 3 https://raw.githubusercontent.com/apple/swift-nio/main/scripts/install_swift_sdk.sh | INSTALL_SWIFT_VERSION=latest INSTALL_SWIFT_ARCH=x86_64 bash && hash -r",
                 "command":"swift build",
-                "command_arguments":"${{ inputs.command_arguments }}",
+                "command_arguments":"--swift-sdks-path /tmp/swiftsdks ${{ inputs.command_arguments }}",
                 "env":'"$env_vars_json"'
               },
               {
@@ -60,7 +60,7 @@ jobs:
                 "image":"ubuntu:jammy",
                 "setup_command":"apt update -q && apt install -y -q curl jq tar && curl -s --retry 3 https://raw.githubusercontent.com/apple/swift-nio/main/scripts/install_swift_prerequisites.sh | bash && curl -s --retry 3 https://raw.githubusercontent.com/apple/swift-nio/main/scripts/install_swift_sdk.sh | INSTALL_SWIFT_BRANCH=main INSTALL_SWIFT_ARCH=x86_64 bash && hash -r",
                 "command":"swift build",
-                "command_arguments":"${{ inputs.command_arguments }}",
+                "command_arguments":"--swift-sdks-path /tmp/swiftsdks ${{ inputs.command_arguments }}",
                 "env":'"$env_vars_json"'
               }
             ]

scripts/install_android_ndk.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+##===----------------------------------------------------------------------===##
+##
+## This source file is part of the SwiftNIO open source project
+##
+## Copyright (c) 2024 Apple Inc. and the SwiftNIO project authors
+## Licensed under Apache License v2.0
+##
+## See LICENSE.txt for license information
+## See CONTRIBUTORS.txt for the list of SwiftNIO project authors
+##
+## SPDX-License-Identifier: Apache-2.0
+##
+##===----------------------------------------------------------------------===##
+
+set -uo pipefail
+
+log() { printf -- "** %s\n" "$*" >&2; }
+error() { printf -- "** ERROR: %s\n" "$*" >&2; }
+fatal() { error "$@"; exit 1; }
+
+# Parameter environment variables
+# see https://developer.android.com/ndk/downloads for releases and shasums
+android_ndk_version="${INSTALL_ANDROID_NDK:-"r27d"}"
+android_ndk_sha1="${ANDROID_NDK_SHA1:-"22105e410cf29afcf163760cc95522b9fb981121"}"
+swift_sdk_directory="${SWIFT_SDK_DIRECTORY:-"/tmp/swiftsdks"}"
+
+CURL_BIN="${CURL_BIN:-$(which curl 2> /dev/null)}"; test -n "$CURL_BIN" || fatal "CURL_BIN unset and no curl on PATH"
+UNZIP_BIN="${UNZIP_BIN:-$(which unzip 2> /dev/null)}"; test -n "$UNZIP_BIN" || fatal "UNZIP_BIN unset and no unzip on PATH"
+SHASUM_BIN="${SHASUM_BIN:-$(which shasum 2> /dev/null)}"; test -n "$SHASUM_BIN" || fatal "SHASUM_BIN unset and no shasum on PATH"
+
+# download and link the NDK
+android_ndk_url="https://dl.google.com/android/repository/android-ndk-${android_ndk_version}-$(uname -s).zip"
+
+log "Android Native Development Kit URL: $android_ndk_url"
+"$CURL_BIN" -fsSL -o android_ndk.zip --retry 3 "$android_ndk_url"
+
+# Verify checksum
+log "Verifying Android NDK checksum..."
+actual_sha1="$("$SHASUM_BIN" -a 1 android_ndk.zip | cut -d' ' -f1)"
+test "$actual_sha1" = "$android_ndk_sha1" || fatal "Android NDK checksum mismatch: expected $android_ndk_sha1, got $actual_sha1"
+
+"$UNZIP_BIN" -d "$swift_sdk_directory" -q android_ndk.zip
+bundledir="$(find "$swift_sdk_directory"  -maxdepth 2 -type d -name '*android*.artifactbundle' | head -n 1)"
+test -n "$bundledir" || fatal "Could not find Android artifact bundle directory (expected '*android*.artifactbundle')"
+
+export ANDROID_NDK_HOME="${swift_sdk_directory}/android-ndk-${android_ndk_version}"
+"${bundledir}/swift-android/scripts/setup-android-sdk.sh"

scripts/install_swift_prerequisites.sh

@@ -28,7 +28,7 @@ else
   fatal "Cannot find either 'apt' or 'yum'"
 fi
 
-log "Installing standard Swift pre-requisites"  # pre-reqs list taken from swift.org
+log "Installing standard Swift prerequisites"  # pre-reqs list taken from swift.org
 DEBIAN_FRONTEND=noninteractive "$PACKAGE_MANAGER_BIN" install -y\
     binutils\
     git\

scripts/install_swift_sdk.sh

@@ -20,12 +20,12 @@ error() { printf -- "** ERROR: %s\n" "$*" >&2; }
 fatal() { error "$@"; exit 1; }
 
 # Parameter environment variables
-branch="${INSTALL_SWIFT_BRANCH:=""}"
-version="${INSTALL_SWIFT_VERSION:=""}"
-arch="${INSTALL_SWIFT_ARCH:="aarch64"}"
-os_image="${INSTALL_SWIFT_OS_IMAGE:="ubuntu22.04"}"
-sdk="${INSTALL_SWIFT_SDK:="static-sdk"}"
-android_ndk_version="${INSTALL_ANDROID_NDK:="r27d"}"
+branch="${INSTALL_SWIFT_BRANCH:-""}"
+version="${INSTALL_SWIFT_VERSION:-""}"
+arch="${INSTALL_SWIFT_ARCH:-"aarch64"}"
+os_image="${INSTALL_SWIFT_OS_IMAGE:-"ubuntu22.04"}"
+sdk="${INSTALL_SWIFT_SDK:-"static-sdk"}"
+swift_sdk_directory="${SWIFT_SDK_DIRECTORY:-"/tmp/swiftsdks"}"
 
 if [[ ! ( -n "$branch" && -z "$version" ) && ! ( -z "$branch" && -n "$version") ]]; then
   fatal "Exactly one of build or version must be defined."
@@ -35,6 +35,9 @@ CURL_BIN="${CURL_BIN:-$(which curl 2> /dev/null)}"; test -n "$CURL_BIN" || fatal
 TAR_BIN="${TAR_BIN:-$(which tar 2> /dev/null)}"; test -n "$TAR_BIN" || fatal "TAR_BIN unset and no tar on PATH"
 JQ_BIN="${JQ_BIN:-$(which jq 2> /dev/null)}"; test -n "$JQ_BIN" || fatal "JQ_BIN unset and no jq on PATH"
 SED_BIN="${SED_BIN:-$(which sed 2> /dev/null)}"; test -n "$SED_BIN" || fatal "SED_BIN unset and no sed on PATH"
+SHASUM_BIN="${SHASUM_BIN:-$(which shasum 2> /dev/null)}"; test -n "$SHASUM_BIN" || fatal "SHASUM_BIN unset and no shasum on PATH"
+GPG_BIN="${GPG_BIN:-$(which gpg 2> /dev/null)}"; test -n "$GPG_BIN" || fatal "GPG_BIN unset and no gpg on PATH"
+ZCAT_BIN="${ZCAT_BIN:-$(which zcat 2> /dev/null)}"; test -n "$ZCAT_BIN" || fatal "ZCAT_BIN unset and no zcat on PATH"
 
 case "$arch" in
   "aarch64")
@@ -65,6 +68,25 @@ esac
 
 os_image_sanitized="${os_image//./}"
 
+# Function to extract checksum from release info
+extract_checksum() {
+  local release_info="$1"
+  if [[ -z "$release_info" ]]; then
+    log "Warning: No release information available"
+    return
+  fi
+
+  local checksum
+  # shellcheck disable=SC2016  # Our use of JQ_BIN means that shellcheck can't tell this is a `jq` invocation
+  checksum=$(echo "$release_info" | "$JQ_BIN" -r --arg platform "$sdk" '.platforms[] | select(.platform == $platform) | .checksum // empty')
+  if [[ -n "$checksum" ]]; then
+    log "Found checksum for $sdk: $checksum"
+    echo "$checksum"
+  else
+    log "Warning: No checksum available for $sdk platform"
+  fi
+}
+
 if [[ -n "$branch" ]]; then
   # Some snapshots may not have all the artefacts we require
   log "Discovering branch snapshot for branch $branch"
@@ -95,13 +117,27 @@ if [[ -n "$branch" ]]; then
 elif [[ -n "$version" ]]; then
   if [[ "$version" == "latest" ]]; then
     log "Discovering latest version"
-    version=$("$CURL_BIN" -s https://www.swift.org/api/v1/install/releases.json | "$JQ_BIN" -r '.[-1].tag' | "$SED_BIN" -E 's/swift-([0-9]+\.[0-9]+\.?[0-9]*)-RELEASE/\1/')
+    release_info=$("$CURL_BIN" -s https://www.swift.org/api/v1/install/releases.json | "$JQ_BIN" -r '.[-1]')
+    if [[ -z "$release_info" ]]; then
+      log "Warning: Could not find release information for version $version"
+    fi
+    version=$(echo "$release_info" | "$JQ_BIN" -r '.tag' | "$SED_BIN" -E 's/swift-([0-9]+\.[0-9]+\.?[0-9]*)-RELEASE/\1/')
     if [[ -z "$version" ]]; then
       fatal "Failed to discover latest Swift version"
     fi
     log "Discovered latest Swift version: $version"
+
+  else
+    # For specific versions, we need to fetch the release info
+    log "Getting release information for version $version"
+    # shellcheck disable=SC2016  # Our use of JQ_BIN means that shellcheck can't tell this is a `jq` invocation
+    release_info=$("$CURL_BIN" -s https://www.swift.org/api/v1/install/releases.json | "$JQ_BIN" -r --arg ver "swift-$version-RELEASE" '.[] | select(.tag == $ver)')
+    if [[ -z "$release_info" ]]; then
+      log "Warning: Could not find release information for version $version"
+    fi
   fi
 
+  expected_checksum=$(extract_checksum "$release_info")
   snapshot_url="https://download.swift.org/swift-${version}-release/${os_image_sanitized}${arch_suffix}/swift-${version}-RELEASE/swift-${version}-RELEASE-${os_image}${arch_suffix}.tar.gz"
   sdk_url="https://download.swift.org/swift-${version}-release/${sdk_dir}/swift-${version}-RELEASE/swift-${version}-RELEASE${sdk_suffix}.artifactbundle.tar.gz"
 fi
@@ -111,6 +147,28 @@ log "Snapshot URL: $snapshot_url"
 snapshot_path="/tmp/$(basename "$snapshot_url")"
 "$CURL_BIN" -sfL "$snapshot_url" -o "$snapshot_path" || fatal "Failed to download Swift toolchain"
 
+# Import Swift's public key for GPG verification
+
+keys_url="https://swift.org/keys/all-keys.asc"
+keys_path="/tmp/all-keys.asc"
+"$CURL_BIN" -sL "$keys_url" -o "$keys_path" || fatal "Failed to download Swift's public keys"
+"$ZCAT_BIN" -f "$keys_path" | "$GPG_BIN" --import - || fatal "Failed to import Swift's public keys"
+
+# Verify GPG signature for all Swift toolchain downloads
+signature_url="${snapshot_url}.sig"
+signature_path="${snapshot_path}.sig"
+
+log "Downloading signature from: $signature_url"
+echo "$CURL_BIN" -sfL "$signature_url" -o "$signature_path"
+"$CURL_BIN" -sfL "$signature_url" -o "$signature_path" || fatal "Failed to download Swift toolchain signature"
+
+# Verify the signature
+log "Verifying Swift toolchain GPG signature..."
+"$GPG_BIN" --verify "$signature_path" "$snapshot_path" || fatal "Swift toolchain GPG signature verification failed"
+
+# Clean up signature file
+rm -f "$signature_path"
+
 log "Installing Swift toolchain"
 mkdir -p /tmp/snapshot
 "$TAR_BIN" xfz "$snapshot_path" --strip-components 1 -C /
@@ -120,28 +178,26 @@ log "Swift SDK URL: $sdk_url"
 sdk_path="/tmp/$(basename "$sdk_url")"
 "$CURL_BIN" -sfL "$sdk_url" -o "$sdk_path" || fatal "Failed to download Swift SDK"
 
+# Verify SDK checksum if available
+if [[ -n "${expected_checksum:-}" ]]; then
+  log "Verifying Swift SDK checksum..."
+  actual_checksum=$("$SHASUM_BIN" -a 256 "$sdk_path" | cut -d' ' -f1)
+  if [[ "$actual_checksum" = "$expected_checksum" ]]; then
+    log "Swift SDK checksum verified successfully"
+  else
+    fatal "Swift SDK checksum mismatch: expected $expected_checksum, got $actual_checksum"
+  fi
+else
+  log "Skipping checksum verification (no checksum available)"
+fi
+
 log "Looking for swift"
 which swift || fatal "Failed to locate installed Swift"
 
 log "Checking swift"
 swift --version
 
 log "Installing Swift SDK"
-swift sdk install "$sdk_path"
-
-log "Swift SDK Post-install"
-if [[ "$sdk" == "android-sdk" ]]; then
-    # guess some common places where the swift-sdks folder lives
-    cd ~/Library/org.swift.swiftpm || cd ~/.config/swiftpm || cd ~/.local/swiftpm || cd ~/.swiftpm || cd /root/.swiftpm || fatal "Cannot locate swiftpm config directory"
-
-    # download and link the NDK
-    android_ndk_url="https://dl.google.com/android/repository/android-ndk-${android_ndk_version}-$(uname -s).zip"
-    log "Android Native Development Kit URL: ${android_ndk_url}"
-    "$CURL_BIN" -fsSL -o ndk.zip --retry 3 "${android_ndk_url}"
-    unzip -q ndk.zip
-    rm ndk.zip
-    export ANDROID_NDK_HOME="${PWD}/android-ndk-${android_ndk_version}"
-    bundledir=$(find . -type d -maxdepth 2 -name '*android*.artifactbundle' | head -n 1)
-    "${bundledir}"/swift-android/scripts/setup-android-sdk.sh
-    cd - || fatal "Cannot cd back to previous directory"
-fi
+log "Using Swift SDK directory: $swift_sdk_directory"
+mkdir -p "$swift_sdk_directory/swift-sdks"
+swift sdk install --swift-sdks-path "$swift_sdk_directory" "$sdk_path"

scripts/swift-build-with-android-sdk.sh

@@ -15,12 +15,20 @@
 
 set -uo pipefail
 
+log() { printf -- "** %s\n" "$*" >&2; }
+error() { printf -- "** ERROR: %s\n" "$*" >&2; }
+fatal() { error "$@"; exit 1; }
+
+# Parameter environment variables
+swift_sdk_directory="${SWIFT_SDK_DIRECTORY:-"/tmp/swiftsdks"}"
+
+log "Using Swift SDK directory: $swift_sdk_directory"
+
 # Select the Swift SDK for Android
-SWIFT_SDK="$(swift sdk list | grep android | head -n1)"
+SWIFT_SDK="$(swift sdk list --swift-sdks-path "$swift_sdk_directory" | grep android | head -n1)"
 if [[ -z "$SWIFT_SDK" ]]; then
-  echo "No Android Swift SDK found. Please ensure you have the Android Swift SDK installed."
-  exit 1
+  fatal "No Android Swift SDK found. Please ensure you have the Android Swift SDK installed."
 fi
 
-echo "Using Swift SDK: $SWIFT_SDK"
-swift build --swift-sdk "$SWIFT_SDK" "${@}"
+log "Building using Swift SDK: $SWIFT_SDK"
+swift build --swift-sdk "$SWIFT_SDK" --swift-sdks-path "$swift_sdk_directory" "${@}"

scripts/swift-build-with-wasm-sdk.sh

@@ -15,12 +15,20 @@
 
 set -uo pipefail
 
+log() { printf -- "** %s\n" "$*" >&2; }
+error() { printf -- "** ERROR: %s\n" "$*" >&2; }
+fatal() { error "$@"; exit 1; }
+
+# Parameter environment variables
+swift_sdk_directory="${SWIFT_SDK_DIRECTORY:-"/tmp/swiftsdks"}"
+
+log "Using Swift SDK directory: $swift_sdk_directory"
+
 # Select the Swift SDK for WebAssembly, not the Embedded one
-SWIFT_SDK="$(swift sdk list | grep _wasm | grep -v -embedded | head -n1)"
+SWIFT_SDK="$(swift sdk list --swift-sdks-path "$swift_sdk_directory" | grep _wasm | grep -v -embedded | head -n1)"
 if [[ -z "$SWIFT_SDK" ]]; then
-  echo "No WebAssembly Swift SDK found. Please ensure you have the WebAssembly Swift SDK installed following https://www.swift.org/documentation/articles/wasm-getting-started.html."
-  exit 1
+  fatal "No WebAssembly Swift SDK found. Please ensure you have the WebAssembly Swift SDK installed following https://www.swift.org/documentation/articles/wasm-getting-started.html."
 fi
 
-echo "Using Swift SDK: $SWIFT_SDK"
-swift build --swift-sdk "$SWIFT_SDK" "${@}"
+log "Building using Swift SDK: $SWIFT_SDK"
+swift build --swift-sdk "$SWIFT_SDK" --swift-sdks-path "$swift_sdk_directory" "${@}"