From mboxrd@z Thu Jan 1 00:00:00 1970
From: Yann E. MORIN
Date: Sun, 2 Mar 2014 23:19:59 +0100
Subject: [Buildroot] [PATCH 11/13] pkg-infra: add possiblity to check downloaded files against known hashes
In-Reply-To:
References:
Message-ID: <20140302221959.GB3379@free.fr>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: buildroot@busybox.net

Samuel, All,

On 2014-03-02 21:10 +0100, Samuel Martin spake thusly:
> Yann,
>
> On Sun, Mar 2, 2014 at 6:51 PM, Yann E. MORIN wrote:
> > From: "Yann E. MORIN"
> >
> > Some of the packages that Buildroot might build are sensitive packages,
> > related to security: openssl, dropbear, ca-certificates...
> >
> > Some of those packages are downloaded over plain http, because there is
> > no way to get them over a secure channel, such as https.
> >
> > In these dark times of pervasive surveillance, the potential for harm that
> > a tampered-with package could generate, we may want to check the integrity
> > of those sensitive packages.
> >
> > So, each package may now provide a list of hashes for all files that needs
> > to be downloaded, and Buildroot will just fail if any downloaded file does
> > not match its known hash.
> >
> > Hashes can be any of the sha1 or sha2 variants, and will be checked even if
> > the file was pre-downloaded.
> > > > Signed-off-by: "Yann E. MORIN" > > Cc: Baruch Siach > > Cc: Arnout Vandecappelle > > --- > > Note: this is not a bullet-proof solution, since Buildroot may itself be > > compromised. But since we do sign our releases, then we secure the list of > > hashes at the same time. Only random snapshots from the repository may be > > at risk of tampering, although this is highly doubtfull, given how git > > stores its data. > > --- > > package/pkg-download.mk | 27 +++++++++++------ > > support/download/check-hash | 71 +++++++++++++++++++++++++++++++++++++++++++++ > > 2 files changed, 89 insertions(+), 9 deletions(-) > > create mode 100755 support/download/check-hash > > > > diff --git a/package/pkg-download.mk b/package/pkg-download.mk > > index c94ecba..adaccef 100644 > > --- a/package/pkg-download.mk > > +++ b/package/pkg-download.mk > > @@ -58,6 +58,17 @@ domainseparator=$(if $(1),$(1),/) > > # github(user,package,version): returns site of github repository > > github = https://github.com/$(1)/$(2)/tarball/$(3) > > > > +# Helper for checking a tarball's checksum > > +# If the hash does not match, remove the incorrect file > > +# $(1): the path to the fies with the hashes > > nit: > s/fies/file/ Already spotted by Gustavo on IRC. Thanks! Regards, Yann E. MORIN. -- .-----------------.--------------------.------------------.--------------------. | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: | | +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ | | +33 223 225 172 `------------.-------: X AGAINST | \e/ There is no | | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. | '------------------------------^-------^------------------^--------------------'
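
Review bot: the first line of the new helper comment in package/pkg-download.mk says "tarball's checksum", while the commit message says hashes are checked for all files that need to be downloaded and may be any sha1 or sha2 variant, so the comment would be more accurate as "a downloaded file's hash". The second comment line ("If the hash does not match, remove the incorrect file") should also state whether removal applies to a pre-downloaded file, since the commit message says those are checked too and deleting a file the user placed by hand is behaviour worth documenting. The "fies" typo in the $(1) line is already noted in the thread.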