[Buildroot] [RFC PATCH 1/1] support/download: allow to use part of file in checksum checking

[Herve Codina via buildroot <buildroot@buildroot.org>]

The checksum checking is done on whole files only using the <pkg>.hash
checksum references.
Among the files checked, files related to licenses are checked.

Some packages do not contain any specific license files and, for
them, some source files are used. These source files contain license
information (usually comments at the beginning of the file).

Using the whole source file for checksum checking in this case can lead
to issues if a br2-external is present and applies some patches to this
source file.
Indeed, patching a package from a br2-external is allowed but in that
case the whole file checksum change and all checksum verification done
on that file fails. In particular 'make legal-info' fails.

Using only the license related part of a source file for checksum
checking solve this issue.
'make legal-info' will fail only if the license part is modify.

Introduce the possibility to have a lines range in <pkg>.hash and, if
present, compute checksum on the part defined by this lines range.

For instance, in <pkg>.hash:
sha256  xxxxxx  foo.c        <-- sha256 on the whole foo.c file
sha256  xxxxxx  foo.c  1,15  <-- sha256 on extraction from line 1 to 15

Signed-off-by: Herve Codina <herve.codina@bootlin.com>
---
 support/download/check-hash | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/support/download/check-hash b/support/download/check-hash
index 5a47f49bc3..a90c9ca58a 100755
--- a/support/download/check-hash
+++ b/support/download/check-hash
@@ -45,10 +45,20 @@ fi
 # $1: algo hash
 # $2: known hash
 # $3: file (full path)
+# $4: lines ranges in the form s,e. If present, the checksum is compute on the
+#     file extracted part from line number s to line number e included.
+#     The first line in the file is the line number 1.
+#     If not present, the whole file is used.
 check_one_hash() {
     _h="${1}"
     _known="${2}"
     _file="${3}"
+    _r="${4}"
+
+    base_with_range=${base}
+    if [ ${_r} ]; then
+        base_with_range="${base_with_range}:${_r}"
+    fi
 
     # Note: md5 is supported, but undocumented on purpose.
     # Note: sha3 is not supported, since there is currently no implementation
@@ -64,13 +74,17 @@ check_one_hash() {
     esac
 
     # Do the hashes match?
-    _hash=$( ${_h}sum "${_file}" |cut -d ' ' -f 1 )
+    if [ ${_r} ]; then
+        _hash=$( sed -n "${r} p" ${file} | ${_h}sum |cut -d ' ' -f 1 )
+    else
+        _hash=$( ${_h}sum "${_file}" |cut -d ' ' -f 1 )
+    fi
     if [ "${_hash}" = "${_known}" ]; then
-        printf "%s: OK (%s: %s)\n" "${base}" "${_h}" "${_hash}"
+        printf "%s: OK (%s: %s)\n" "${base_with_range}" "${_h}" "${_hash}"
         return 0
     fi
 
-    printf "ERROR: %s has wrong %s hash:\n" "${base}" "${_h}" >&2
+    printf "ERROR: %s has wrong %s hash:\n" "${base_with_range}" "${_h}" >&2
     printf "ERROR: expected: %s\n" "${_known}" >&2
     printf "ERROR: got     : %s\n" "${_hash}" >&2
     printf "ERROR: Incomplete download, or man-in-the-middle (MITM) attack\n" >&2
@@ -80,7 +94,7 @@ check_one_hash() {
 
 # Do we know one or more hashes for that file?
 nb_checks=0
-while read t h f; do
+while read t h f r; do
     case "${t}" in
         ''|'#'*)
             # Skip comments and empty lines
@@ -88,7 +102,7 @@ while read t h f; do
             ;;
         *)
             if [ "${f}" = "${base}" ]; then
-                check_one_hash "${t}" "${h}" "${file}"
+                check_one_hash "${t}" "${h}" "${file}" "${r}"
                 : $((nb_checks++))
             fi
             ;;
-- 
2.41.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot