From a2f3ff7a353a3e9266b79f45a403fff3f43669c3 Mon Sep 17 00:00:00 2001
From: Casey Faist
Date: Wed, 11 Sep 2019 16:36:48 -0700
Subject: [PATCH] update get-pip to look for sha
---
 bin/steps/python | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/bin/steps/python b/bin/steps/python
index a924c63..fa96c42 100755
--- a/bin/steps/python
+++ b/bin/steps/python
@@ -101,10 +101,17 @@ fi
 # https://github.com/pypa/get-pip
 GETPIP="https://lang-python.s3.amazonaws.com/etc/get-pip.py"
-if ! curl "${GETPIP}" -o "$ROOT_DIR/get-pip.py"; then
- mcount "failure.python.get-pip"
- echo "Failed to pull down get-pip"
- exit 1
+# Grab SHA from get-pip
+CHECK_SHA="$(curl -s "$GETPIP" | sha256sum | cut -d ' ' -f 1)"
+
+# validate the sha is the same one we want
+if [ ! "$CHECK_SHA" == "$GETPIP_SHA" ]; then
+ mcount "failure.python.get-pip.wrong-sha"
+ echo "Incorrect SHA found"
+ exit 1
+else
+ curl "$GETPIP" -o "$ROOT_DIR/get-pip.py"
+ mcount "python.get-pip.install"
 fi
 # If Pip isn't up to date:
@@ -116,7 +123,7 @@ if [ "$FRESH_PYTHON" ] || [[ ! $(pip --version) == *$PIP_UPDATE* ]]; then
 rm -fr /app/.heroku/python/lib/python*/site-packages/pip-*
 rm -fr /app/.heroku/python/lib/python*/site-packages/setuptools-*
- /app/.heroku/python/bin/python "$ROOT_DIR/get-pip.py" pip=="$PIP_UPDATE" &> /dev/null
+ /app/.heroku/python/bin/python "$ROOT_DIR/get-pip.py" pip=="$PIP_UPDATE" #&> /dev/null
 /app/.heroku/python/bin/pip install "$ROOT_DIR/vendor/setuptools-39.0.1-py2.py3-none-any.whl" &> /dev/null
 fi
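Review bot: The digest in `CHECK_SHA` is computed over one download, and the `else` branch then fetches the installer again with a second `curl`, so the bytes written to `$ROOT_DIR/get-pip.py` and later executed are never the bytes that were hashed. A change to the object between the two requests, or a truncated second transfer, passes unnoticed. The second `curl` also loses the failure check the removed code had. `GETPIP_SHA` is not assigned anywhere in this hunk, so where the pinned value comes from should be confirmed. Download once to the file with `curl -fsS`, hash that file, and delete it on mismatch, as sketched below.

```shell
# Download once, then verify the file that will actually be executed.
if ! curl -fsS "$GETPIP" -o "$ROOT_DIR/get-pip.py"; then
  mcount "failure.python.get-pip"
  echo "Failed to pull down get-pip"
  exit 1
fi

CHECK_SHA="$(sha256sum "$ROOT_DIR/get-pip.py" | cut -d ' ' -f 1)"

# Fail closed when the pinned digest is missing or does not match.
if [ -z "${GETPIP_SHA:-}" ] || [ "$CHECK_SHA" != "$GETPIP_SHA" ]; then
  rm -f "$ROOT_DIR/get-pip.py"
  mcount "failure.python.get-pip.wrong-sha"
  echo "Incorrect SHA found"
  exit 1
fi
mcount "python.get-pip.install"
```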
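Review bot: The redirection on the `get-pip.py` invocation is commented out (`#&> /dev/null`) rather than removed, which reads like a debugging leftover and leaves the intent unclear to the next reader. If the installer output is meant to reach the build log, drop the trailing comment entirely; if not, restore `&> /dev/null`. The exit status of that line is not checked in the hunk, so unless the script runs under `set -e` (not visible here) a failed pip bootstrap would continue into the setuptools install; something like `|| { mcount "failure.python.get-pip.run"; exit 1; }` would make the failure visible (the metric name is a constructed example).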