From: Yann E. MORIN <yann.morin.1998@free.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH] support/download: print dl hash if not provided
Date: Sun, 10 Sep 2017 11:29:55 +0200
Message-ID: <20170910092955.GD3536@scaer>
In-Reply-To: <20170720031836.977-1-gael.portay@savoirfairelinux.com>
Gaël, All,
On 2017-07-19 23:18 -0400, Gaël PORTAY spake thusly:
> When a hash file exists but the hash is not provided, the script exits
> without any information about the hash of the downloaded file.
>
> ERROR: No hash found for rpi-userland-771a9aa7155442615bbe4cd6cf87b29b90cd228a.tar.gz
>
> Now, the script hashes the downloaded file and suggests its sha256 to
> the user.
>
> $ make
> ...
> >>> rpi-userland 771a9aa7155442615bbe4cd6cf87b29b90cd228a Downloading
> --2017-07-19 21:38:39-- https://github.com/raspberrypi/userland/archive/771a9aa7155442615bbe4cd6cf87b29b90cd228a/rpi-userland-771a9aa7155442615bbe4cd6cf87b29b90cd228a.tar.gz
> ...
> ERROR: No hash found for rpi-userland-771a9aa7155442615bbe4cd6cf87b29b90cd228a.tar.gz
> ERROR: If the source is trusted, consider adding these lines to package/rpi-userland//rpi-userland.hash
> # Locally calculated from download
> sha256 771fb1be53414b00a9213f24bd9c88059cf76b72c5e21ac613b267d3e58d3715 rpi-userland-771a9aa7155442615bbe4cd6cf87b29b90cd228a.tar.gz
> ...
>
> It also fixes check_one_hash description. check_one_hash() takes three
> arguments:
> - algo hash
> - known hash
> - file to hash
>
> Signed-off-by: Gaël PORTAY <gael.portay@savoirfairelinux.com>
NAK from me.

The reason we do not want this is that we instead want the user to go
fetch the hash(es) as provided by upstream, like in an announcement
email, or in an on-the-side hash file.

Having the download infra print the locally computed hash defeats the
very purpose of hashes: check that we get what upstream provides.

We only accept local calculations of hashes for the cases where upstream
does not provide any (or too weak) hash.

As an aside, this patch does two things: fix the comment for
check_one_hash() and print the hash. It should be split.

Regards,
Yann E. MORIN.
> ---
> support/download/check-hash | 29 +++++++++++++++++++++++------
> 1 file changed, 23 insertions(+), 6 deletions(-)
>
> diff --git a/support/download/check-hash b/support/download/check-hash
> index c1ff53c02..b18447f86 100755
> --- a/support/download/check-hash
> +++ b/support/download/check-hash
> @@ -41,13 +41,12 @@ if [ ! -f "${h_file}" ]; then
> exit 0
> fi
>
> -# Check one hash for a file
> -# $1: known hash
> +# Compute hash for a file
> +# $1: algo hash
> # $2: file (full path)
> -check_one_hash() {
> +compute_hash() {
> _h="${1}"
> - _known="${2}"
> - _file="${3}"
> + _file="${2}"
>
> # Note: md5 is supported, but undocumented on purpose.
> # Note: sha3 is not supported, since there is currently no implementation
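Review bot: The header comment above compute_hash() reads "$1: algo hash", which is ambiguous, and the correction to the check_one_hash() argument list is carried inside this rename instead of standing on its own. Suggest wording it as "$1: hash algorithm (e.g. sha256)" and moving the comment-only fix for check_one_hash() into a separate patch, so it can be applied independently of the refactoring.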
> @@ -66,8 +65,20 @@ check_one_hash() {
> ;;
> esac
>
> + ${_h}sum "${_file}" |cut -d ' ' -f 1
> +}
> +
> +# Check one hash for a file
> +# $1: algo hash
> +# $2: known hash
> +# $3: file (full path)
> +check_one_hash() {
> + _h="${1}"
> + _known="${2}"
> + _file="${3}"
> +
> # Do the hashes match?
> - _hash=$( ${_h}sum "${_file}" |cut -d ' ' -f 1 )
> + _hash=$( compute_hash "${_h}" "${_file}" )
> if [ "${_hash}" = "${_known}" ]; then
> printf "%s: OK (%s: %s)\n" "${base}" "${_h}" "${_hash}"
> return 0
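Review bot: compute_hash() ends in the pipeline `${_h}sum "${_file}" |cut -d ' ' -f 1`, so its return status is that of cut, and a failing ${_h}sum (missing or unreadable file) yields an empty string with status 0. In check_one_hash() an empty ${_hash} simply fails the comparison with ${_known}, but a caller that prints the result would emit an empty hash. Suggest capturing the ${_h}sum output first, returning non-zero if it fails, and only then stripping the file name.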
> @@ -105,6 +116,12 @@ if [ ${nb_checks} -eq 0 ]; then
> exit 0
> ;;
> esac
> +
> + h="sha256"
> + hash=$( compute_hash "${h}" "${file}" )
> printf "ERROR: No hash found for %s\n" "${base}" >&2
> + printf "ERROR: If the source is trusted, consider adding these lines to ${h_file}\n" >&2
> + printf "# Locally calculated from download\n" >&2
> + printf "${h} ${hash} ${base}\n" >&2
> exit 3
> fi
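Review bot: The new printf calls that expand ${h_file} and ${h} ${hash} ${base} put variables in the format string, so a % or backslash in the path or file name is interpreted by printf; follow the existing "No hash found" line and write, for example, `printf "%s %s %s\n" "${h}" "${hash}" "${base}" >&2`. ${hash} is also not checked for being empty before it is offered as a line to add, and because it is computed from the file that was just downloaded, the suggested entry only records what was received.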
> --
> 2.13.2
>
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 223 225 172 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
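Added example, not part of the original message and not Buildroot code: one way to follow the reply's advice is to take the hash from a checksum list published by upstream and use the local computation only as a cross-check. The function names, the sha256sum-format list and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Buildroot code). Function names are hypothetical.
# Assumed input: an upstream checksum list in sha256sum format,
# one "<hex digest>  <file name>" entry per line.

# Print the sha256 that the upstream list $1 gives for file name $2.
# Fails (status 1) when the list has no entry for that name.
upstream_sha256() {
    awk -v n="${2}" '
        { f = $2; sub(/^\*/, "", f) }          # drop the binary-mode marker
        f == n { print $1; found = 1; exit }
        END { exit !found }' "${1}"
}

# Print a hash-file entry for file $2 only if its sha256 equals the one in
# upstream list $1. $3 describes where the list came from.
# Returns 0 on match, 1 if upstream lists no hash, 2 on mismatch,
# 3 if the file cannot be hashed.
hash_entry_from_upstream() {
    _list="${1}"; _file="${2}"; _origin="${3}"
    _base="${_file##*/}"
    _known=$( upstream_sha256 "${_list}" "${_base}" ) || {
        printf "ERROR: upstream list has no sha256 for %s\n" "${_base}" >&2
        return 1
    }
    _sum=$( sha256sum "${_file}" ) || return 3
    _local="${_sum%% *}"
    if [ "${_local}" != "${_known}" ]; then
        printf "ERROR: %s: got %s, upstream says %s\n" \
            "${_base}" "${_local}" "${_known}" >&2
        return 2
    fi
    printf "# From %s\n" "${_origin}"
    printf "sha256 %s %s\n" "${_known}" "${_base}"
}

# Constructed sample: a stand-in tarball, a matching list and a wrong one.
demo() {
    _d=$( mktemp -d ) || return 1
    printf 'constructed sample payload\n' > "${_d}/foo-1.0.tar.gz"
    ( cd "${_d}" && sha256sum foo-1.0.tar.gz > SHA256SUMS.good )
    printf '%064d  foo-1.0.tar.gz\n' 0 > "${_d}/SHA256SUMS.bad"
    for _l in good bad; do
        hash_entry_from_upstream "${_d}/SHA256SUMS.${_l}" \
            "${_d}/foo-1.0.tar.gz" "constructed upstream list (${_l})" ||
            printf "no entry emitted (status %s)\n" "$?"
    done
    rm -rf "${_d}"
}
demo
```

The entry that is written carries the digest taken from the upstream list, so a download that differs from what upstream published produces an error instead of a hash line.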