diff options
| author | Mohammad Akhlaghi <mohammad@akhlaghi.org> | 2019-07-29 20:43:20 +0100 |
|---|---|---|
| committer | Mohammad Akhlaghi <mohammad@akhlaghi.org> | 2019-07-29 20:52:06 +0100 |
| commit | 2baf058dcf323aa07f6d5dd3214982e7fccac3da (patch) | |
| tree | b522e835217d8083a529893a9ce05a42cf2172a6 /reproduce/software/bash | |
| parent | 41dbf93ea0173f82b552402aa9d6636e1f1e2972 (diff) | |
Checking software tarball checksums before building software
Until now, there was no check on the integrity of the contents of the
downloaded/copied software tarballs, we only relied on the tarball
name. This could be bad for reproducibility and security, for example on
one server the name of a tarball may be the same but with different
content.
With this commit, the SHA512 checksums of all the software are stored in
the newly created `checksums.mk' (similar to how the versions are stored in
the `versions.mk'). The resulting variable is then defined for each
software and after downloading/copying the file we check to see if the new
tarball has the same checksum as the stored value. If it doesn't the script
will crash with an error, informing the user of the problem.
The only limitation now is a bootstrapping problem: if the host system
doesn't already an `sha512sum' executable, we will not do any checksum
verification until we install our `sha512sum' (as part of GNU
Coreutils). All the tarballs downloaded after GNU Coreutils are built will
have their checksums validated. By default almost all GNU/Linux systems
will have a usable `sha512sum' (its part of GNU Coreutils after all for a
long time: from the Coreutils Changelog file atleast since 2013).
This completes task #15347.
Diffstat (limited to 'reproduce/software/bash')
| -rwxr-xr-x | reproduce/software/bash/configure.sh | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/reproduce/software/bash/configure.sh b/reproduce/software/bash/configure.sh index d03b444..b100226 100755 --- a/reproduce/software/bash/configure.sh +++ b/reproduce/software/bash/configure.sh @@ -42,6 +42,7 @@ pconf=$sbdir/LOCAL.mk ptconf=$sbdir/LOCAL_tmp.mk poconf=$sbdir/LOCAL_old.mk depverfile=$cdir/installation/versions.mk +depshafile=$cdir/installation/checksums.mk # --------- Delete for no Gnuastro --------- glconf=$cdir/gnuastro/gnuastro-local.conf # ------------------------------------------ @@ -817,16 +818,19 @@ fi # The reason that `flock' is sepecial is that we need it to serialize the # download process of the software tarballs. flockversion=$(awk '/flock-version/{print $3}' $depverfile) +flockchecksum=$(awk '/flock-checksum/{print $3}' $depshafile) flocktar=flock-$flockversion.tar.gz flockurl=http://github.com/discoteq/flock/releases/download/v$flockversion/ # Prepare/download the tarball. if ! [ -f $tardir/$flocktar ]; then + flocktarname=$tardir/$flocktar + ucname=$flocktarname.unchecked if [ -f $ddir/$flocktar ]; then - cp $ddir/$flocktar $tardir/$flocktar + cp $ddir/$flocktar $ucname else - if ! $downloader $tardir/$flocktar $flockurl/$flocktar; then - rm -f $tardir/$flocktar; + if ! $downloader $ucname $flockurl/$flocktar; then + rm -f $ucname; echo echo "DOWNLOAD ERROR: Couldn't download the 'flock' tarball:" echo " $flockurl" @@ -835,6 +839,15 @@ if ! [ -f $tardir/$flocktar ]; then exit 1 fi fi + + # Make sure this is the correct tarball. + if type sha512sum > /dev/null 2>/dev/null; then + checksum=$(sha512sum "$ucname" | awk '{print $1}') + if [ x$checksum = x$flockchecksum ]; then mv "$ucname" "$flocktarname" + else echo "ERROR: Non-matching checksum for '$flocktar'."; exit 1 + fi; + else mv "$ucname" "$flocktarname" + fi fi # If the tarball is newer than the (possibly existing) program (the version |