Check integrity of webrtc download in build script (#6)

We see periodic failures of zed-industries/zed CI when the `cc` builder
in the `webrtc-sys` build script fails to find some webrtc header files
that are supposed to be downloaded using this function:


https://github.com/zed-industries/livekit-rust-sdks/blob/d2eade7a6b15d6dbdb38ba12a1ff7bf07fcebba4/webrtc-sys/build/src/lib.rs#L179

This downloads a zip from the assets attached to a specific
livekit/rust-sdks release, and unpacks it under OUT_DIR. My guess is
that sometimes the download step fails and produces a corrupt downloaded
zip, without signaling the failure in a way that would stop the build.
This PR tries to fix that by having the download step check the SHA-256
digest of the downloaded zip (using a manually-computed list of good
digests; I'd like to use digests from the GitHub API but the particular
artifacts we download don't have them).

If we confirm that this is the source of the problem, I'll follow up
with a change to retry the download in the build script.

Author: cole-miller

Cargo.lock

@@ -13,3 +13,5 @@ regex = "1.0"
 scratch = "1.0"
 fs2 = "0.4"
 semver = "1.0"
+sha2 = "0.10"
+hex-literal = "1.0.0"

webrtc-sys/build/Cargo.toml

@@ -13,6 +13,7 @@
 // limitations under the License.
 
 use std::{
+    collections::HashMap,
     env,
     error::Error,
     fs::{self, File},
@@ -22,8 +23,10 @@ use std::{
 };
 
 use fs2::FileExt;
+use hex_literal::hex;
 use regex::Regex;
 use reqwest::StatusCode;
+use sha2::{Digest as _, Sha256};
 
 pub const SCRATH_PATH: &str = "livekit_webrtc";
 pub const WEBRTC_TAG: &str = "webrtc-b99fd2c-6";
@@ -191,16 +194,56 @@ pub fn download_webrtc() -> Result<(), Box<dyn Error>> {
         return Err(format!("failed to download webrtc: {}", resp.status()).into());
     }
 
+    let digests = [
+        (
+            "linux-arm64-release",
+            hex!("363d90ed91ffc8fc70c94ad86759876a3255d526ac0792fbf9e9462cac964b81"),
+        ),
+        (
+            "linux-x64-release",
+            hex!("130b37ae8d3ffcdff8ed9347cb482a493075b586cbfaa9ebe1f0079ddb734ff1"),
+        ),
+        (
+            "mac-arm64-release",
+            hex!("b29fed70cfa8282fce1e987b3abf9a471b5d223ddcf03f64282f8d5f0cc89542"),
+        ),
+        (
+            "mac-x64-release",
+            hex!("3f24dc470977d976aa3b72add36dec6822f1da65031b493a67645af1e7aca792"),
+        ),
+        (
+            "win-arm64-release",
+            hex!("69bafa396c4032b06468c396da6a05a431761631f47a1e5d1e8a2cc6c3dd6fe9"),
+        ),
+        (
+            "win-x64-release",
+            hex!("eb7dcc30bc7c3f331acd8648495b420e7f2445f5d8d49ddb755026b2b572495d"),
+        ),
+    ]
+    .into_iter()
+    .collect::<HashMap<_, _>>();
+
     let tmp_path = env::var("OUT_DIR").unwrap() + "/webrtc.zip";
     let tmp_path = path::Path::new(&tmp_path);
-    let mut file = fs::File::options().write(true).read(true).create(true).open(tmp_path)?;
+    let mut file =
+        fs::File::options().write(true).read(true).create(true).truncate(true).open(tmp_path)?;
     resp.copy_to(&mut file)?;
+    let content = std::fs::read(tmp_path)?;
+    let digest = Sha256::digest(&content);
+    if digest.as_slice() != digests[webrtc_triple().as_str()].as_slice() {
+        return Err("corrupt webrtc download".to_owned().into());
+    }
 
-    let mut archive = zip::ZipArchive::new(file)?;
-    archive.extract(webrtc_dir.parent().unwrap())?;
-    drop(archive);
+    let result = (|| {
+        let mut archive = zip::ZipArchive::new(file)?;
+        archive.extract(webrtc_dir.parent().unwrap())?;
+        Ok::<_, Box<dyn Error>>(())
+    })();
+    if result.is_err() {
+        std::fs::remove_dir_all(webrtc_dir).ok();
+    }
+    result?;
 
-    fs::remove_file(tmp_path)?;
     Ok(())
 }