Checking software tarball checksums before building software

Until now, there was no check on the integrity of the contents of the
downloaded/copied software tarballs, we only relied on the tarball
name. This could be bad for reproducibility and security, for example on
one server the name of a tarball may be the same but with different
content.

With this commit, the SHA512 checksums of all the software are stored in
the newly created `checksums.mk' (similar to how the versions are stored in
the `versions.mk'). The resulting variable is then defined for each
software and after downloading/copying the file we check to see if the new
tarball has the same checksum as the stored value. If it doesn't the script
will crash with an error, informing the user of the problem.

The only limitation now is a bootstrapping problem: if the host system
doesn't already an `sha512sum' executable, we will not do any checksum
verification until we install our `sha512sum' (as part of GNU
Coreutils). All the tarballs downloaded after GNU Coreutils are built will
have their checksums validated. By default almost all GNU/Linux systems
will have a usable `sha512sum' (its part of GNU Coreutils after all for a
long time: from the Coreutils Changelog file atleast since 2013).

This completes task #15347.

6 files changed, 472 insertions, 245 deletions

diff --git a/reproduce/software/bash/configure.sh b/reproduce/software/bash/configure.sh
index d03b444..b100226 100755
--- a/reproduce/software/bash/configure.sh
+++ b/reproduce/software/bash/configure.sh
@@ -42,6 +42,7 @@ pconf=$sbdir/LOCAL.mk
 ptconf=$sbdir/LOCAL_tmp.mk
 poconf=$sbdir/LOCAL_old.mk
 depverfile=$cdir/installation/versions.mk
+depshafile=$cdir/installation/checksums.mk
 # --------- Delete for no Gnuastro ---------
 glconf=$cdir/gnuastro/gnuastro-local.conf
 # ------------------------------------------
@@ -817,16 +818,19 @@ fi
 # The reason that `flock' is sepecial is that we need it to serialize the
 # download process of the software tarballs.
 flockversion=$(awk '/flock-version/{print $3}' $depverfile)
+flockchecksum=$(awk '/flock-checksum/{print $3}' $depshafile)
 flocktar=flock-$flockversion.tar.gz
 flockurl=http://github.com/discoteq/flock/releases/download/v$flockversion/
 
 # Prepare/download the tarball.
 if ! [ -f $tardir/$flocktar ]; then
+    flocktarname=$tardir/$flocktar
+    ucname=$flocktarname.unchecked
     if [ -f $ddir/$flocktar ]; then
-        cp $ddir/$flocktar $tardir/$flocktar
+        cp $ddir/$flocktar $ucname
     else
-        if ! $downloader $tardir/$flocktar $flockurl/$flocktar; then
-            rm -f $tardir/$flocktar;
+        if ! $downloader $ucname $flockurl/$flocktar; then
+            rm -f $ucname;
             echo
             echo "DOWNLOAD ERROR: Couldn't download the 'flock' tarball:"
             echo "  $flockurl"
@@ -835,6 +839,15 @@ if ! [ -f $tardir/$flocktar ]; then
             exit 1
         fi
     fi
+
+    # Make sure this is the correct tarball.
+    if type sha512sum > /dev/null 2>/dev/null; then
+        checksum=$(sha512sum "$ucname" | awk '{print $1}')
+        if [ x$checksum = x$flockchecksum ]; then mv "$ucname" "$flocktarname"
+        else echo "ERROR: Non-matching checksum for '$flocktar'."; exit 1
+        fi;
+    else mv "$ucname" "$flocktarname"
+    fi
 fi
 
 # If the tarball is newer than the (possibly existing) program (the version
diff --git a/reproduce/software/config/installation/checksums.mk b/reproduce/software/config/installation/checksums.mk
new file mode 100644
index 0000000..880c11b
--- /dev/null
+++ b/reproduce/software/config/installation/checksums.mk
@@ -0,0 +1,161 @@
+# sha512 checksums of all the necessary software tarballs.
+#
+# Copyright (C) 2018-2019 Mohammad Akhlaghi <mohammad@akhlaghi.org>
+#
+# This Makefile is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation, either version 3 of the License, or (at your
+# option) any later version.
+#
+# This Makefile is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General
+# Public License for more details.
+#
+# A copy of the GNU General Public License is available at
+# <http://www.gnu.org/licenses/>.
+
+
+
+
+
+# Basic/low-level programs and libraires (installed in any case)
+# --------------------------------------------------------------
+bash-checksum = 2c026e479e77bf24309350b57ec7a7755dd4199ce0c34e333efc66ecaf6b82aac8badf5dd407f4a8af00830e084ba4be333ae708476494ef2150f3ba6871d54d
+binutils-checksum = a5e1f77e985d7d66e3ec6ed62a51a61c82ed0964a5108a1f318bf717f3f2af4dcd018ec3a66c10d6dc7525bad801b118f468eca07b2502c836895f4091bbeed4
+bzip2-checksum = 00ace5438cfa0c577e5f578d8a808613187eff5217c35164ffe044fbafdfec9e98f4192c02a7d67e01e5a5ccced630583ad1003c37697219b0f147343a3fdd12
+cert-checksum = a81dfa59c70788126a395c576e54cb8f61c1ea34da69b5cd42e2d83ee6426c2a26941360c7302793774ea98ca16846deb6e683144cc7fb6da6ef87b70447e4c8
+coreutils-checksum = ef8941dae845bbf5ae5838bc49e44554a766302930601aada6fa594e8088f0fbad74e481ee392ff89633e68b99e4da3f761fcb5d31ee3b233d540fe2a2d4e1af
+curl-checksum = 0a4b81d115f579df8301859f7d06d00bd9820cbf2fb6b63c6a49418aa174ab32bcbc8942f032f2ea924d208f147de8a30f02f6b922f627d3d9d4afc60df8a39f
+diffutils-checksum = 7b12cf8aea1b9844773748f72272d9c6a38adae9c3c3a8c62048f91fb56c60b76035fa5f51665dceaf2cfbf1d1f4a3efdcc24bf47a5a16ff4350543314b12c9c
+file-checksum = 3ec5e51ffb7a82defa74845a90fbc983f6e169fc116606049bc01ff6e720d340c8abf6eb7a08b9ac1099162a5c02deac3633b07b039d486344c8abd9052ca751
+findutils-checksum = 74bc6b1b9bb5b994e6de5bff83bf15fc4275203d0e7f9ba5ad563c3bc4e4804251a0fb7ddd4eb904ab2f6071b5f342f198f03aca753312e4711b3b32167ee32b
+flock-checksum = 2fe663839b5fd03a08e8b3d0596ce1b4216d8f19a1c4da4fa3db8b409aa4aa292358cc671be857e0f308315458bb2e10288f9d2152dce9940085d33cb7e4a24b
+gawk-checksum = 47cf7b87ec175f50fcb27c38d6b628dd808bbd9523e0e5e1f9626567de945cb995560f18257145ac7ce2088dacbbcf9861d63ef372c8c5d02aac071af45e3335
+gcc-checksum = b6134df027e734cee5395afd739fcfa4ea319a6017d662e54e89df927dea19d3fff7a6e35d676685383034e3db01c9d0b653f63574c274eeb15a2cb0bc7a1f28
+git-checksum = 75b3dcac36f80281effcd099944de34050a35f3599ce42f86ce60455b6c952039fb0f6438d296e0cc9c0651d4a17f467780dc475669227d3c98ddefe91723d42
+gmp-checksum = 8aea94f867174eacac44f395ceb9212530c208e8de69d0bb53056f52360317230fc84ac177fd3ffc9fdb19a07c7549305dcc34c83c34821ccfab9dc63a16e67e
+grep-checksum = e4805dbddf7cd0f0faf412557d408509650c1ccf703bc450f10a3f727c690dbfaa1235aa81939a0e4b7ac6190f88c15ea1fcc562b343d4b4c7550f967aeb15db
+gzip-checksum = 7939043e74554ced0c1c05d354ab4eb36cd6dce89ad79d02ccdc5ed6b7ee390759689b2d47c07227b9b44a62851afe7c76c4cae9f92527d999f3f1b4df1cccff
+isl-checksum = 85d0b40f4dbf14cb99d17aa07048cdcab2dc3eb527d2fbb1e84c41b2de5f351025370e57448b63b2b8a8cf8a0843a089c3263f9baee1542d5c2e1cb37ed39d94
+libbsd-checksum = 435822b8f2495a5e2705e5ab5c834a4f0f3a177b3e5c46a7c6162924507ca984e957e94a512b5ebd0067ecb413bac458fade357709ef199e9b75edf0315de91c
+libiconv-checksum = 365dac0b34b4255a0066e8033a8b3db4bdb94b9b57a9dca17ebf2d779139fe935caf51a465d17fd8ae229ec4b926f3f7025264f37243432075e5583925bb77b7
+libtool-checksum = a6eef35f3cbccf2c9e2667f44a476ebc80ab888725eb768e91a3a6c33b8c931afc46eb23efaee76c8696d3e4eed74ab1c71157bcb924f38ee912c8a90a6521a4
+lzip-checksum= 0349b4c6c0b41e601b7ee381c3254d741397beb3ef9354c08162f346f131f4f48f6613ee0a610cdc6d827530df634f884ecfeee35215b10045a40fee76f8e938
+m4-checksum = a92cad4441b3fd7c033837389ca3499494523d364a5fda043d92c517051510f1758b3b837f0477f42d2258a179ab79a4993e5d1694ef2673db6d96d1faff84fe
+make-checksum = cd29b3ea426c80fa89f533a3e3832f597dbbd080b02b32901563c7b0622fd84a9a22ac1e29e02d97e7f9ccdd01e55bd33ecd236c15f9166c368bfb88984dd87b
+metastore-checksum = b2a5fdde9de5ddc1e6c368d5da1b2e97e4fdbaa138a7be281ccb40a81dd4a9bb1849d36b2d5d3f01205079bace60441f82a7002097ff3a7037340a35b0f1574a
+mpc-checksum = 72d657958b07c7812dc9c7cbae093118ce0e454c68a585bfb0e2fa559f1bf7c5f49b93906f580ab3f1073e5b595d23c6494d4d76b765d16dde857a18dd239628
+mpfr-checksum = d583555d08863bf36c89b289ae26bae353d9a31f08ee3894520992d2c26e5683c4c9c193d7ad139632f71c0a476d85ea76182702a98bf08dde7b6f65a54f8b88
+ncurses-checksum = e308af43f8b7e01e98a55f4f6c4ee4d1c39ce09d95399fa555b3f0cdf5fd0db0f4c4d820b4af78a63f6cf6d8627587114a40af48cfc066134b600520808a77ee
+openssl-checksum = 1523985ba90f38aa91aa6c2d57652f4e243cb2a095ce6336bf34b39b5a9b5b876804299a6825c758b65990e57948da532cca761aa12b10958c97478d04dd6d34
+patchelf-checksum = 39745662651cf0a9915685b2767a611ceab4286f8fa57eace342b3f44248431616e8563d4ac6709c97d8534229c73c05470239e462b7e74b36bf629a876dfbad
+pkgconfig-checksum = 4861ec6428fead416f5cbbbb0bbad10b9152967e481d4b0ff2eb396a9f297f552984c9bb72f6864a37dcd8fca1d9ccceda3ef18d8f121938dbe4fdf2b870fe75
+readline-checksum = 41759d27bc3a258fefd7f4ff3277fa6ab9c21abb7b160e1a75aa8eba547bd90b288514e76264bd94fb0172da8a4faa54aab2c07b68a0356918ecf7f1969e866f
+sed-checksum = e0be5db4cdf8226b34aaa9071bc5ae0eafde1c52227cee3512eea7fe2520d6c5cebf15266aa5c4adffbb51bf125c140a15644e28d57759893c12823ea9bbf4fb
+tar-checksum = 4be18afeac54aec4af074cf2358cfade5aaebe2041c5075c5764a81114df4d002e90b28f4444bd1430783e7d6bed82abd0440ef5cb244695f2e56a9a41b42fbc
+texinfo-checksum = 96e0764d0808152d3662e65c3287fb0f86ed918912cdc036380637dbadaacd6a489b516543c07b08105686575e8d495a945f73e23ff0909d5a0f12026e4131e0
+unzip-checksum = 0694e403ebc57b37218e00ec1a406cae5cc9c5b52b6798e0d4590840b6cdbf9ddc0d9471f67af783e960f8fa2e620394d51384257dca23d06bcd90224a80ce5d
+wget-checksum = 95fb064f0d79b0a3178a83322f58a85a3a036fb300ed759eb67a538f0bbacdd552f6cbeb60d63b4f0113e8467d923a5ce7ac5570b7a4ce1733b3dfd559bb33b2
+which-checksum = d2f04a5c5291f2d7d1226982da7cf999d36cfe24d3f7bda145508efcfb359511251d3c68b860c0ddcedd66b15a0587b648a35ab6d1f173707565305c506dfc61
+xz-checksum = e5bf6eb88365d2dbdc774db49261fb9fae0544ed297891fc20f1ed223f4072cb0357cbd98146ac35b6d29410a12b6739bbd111cd57d4a225bef255ed46988578
+zip-checksum = c1c3d62bf1426476c0f9919b568013d6d7b03514912035f09ee283226d94c978791ad2af5310021e96c4c2bf320bfc9d0b8f4045c48e4667e034d98197e1a9b3
+zlib-checksum = 73fd3fff4adeccd4894084c15ddac89890cd10ef105dd5e1835e1e9bbb6a49ff229713bd197d203edfa17c2727700fce65a2a235f07568212d820dca88b528ae
+
+
+
+
+
+# Optional/high-level programs and libraries
+# ------------------------------------------
+#
+# These are programs and libraries that are optional, The ones in
+# `reproduce/software/config/installation/TARGETS.mk' will be built as part
+# of a project. To specify a software there, just remove the `-checksum'
+# suffix from the list below.
+astrometrynet-checksum = 35c268bf0a7068e01323b9bfccdf255c993df83c24b2e6026a00084c4ab87d031f1024205d0ed3aecc7e2a495d4bc0b0e67270d66679020b7cc2e4b2f30f5c4a
+atlas-checksum = bf17306f09f2aa973cb776e2c9eacfb2409ad4d95d19802e1c4e0597d0a099fccdb5eaafe273c2682a41e41a3c6fabc8bbba4ce03180cffea40ede5df1d1f56e
+cairo-checksum = 9eb27c4cf01c0b8b56f2e15e651f6d4e52c99d0005875546405b64f1132aed12fbf84727273f493d84056a13105e065009d89e94a8bfaf2be2649e232b82377f
+cdsclient-checksum = 2d7abf0079189b9dd19cb8919061445fd19ea9f7dfd54e8ceee26b743218cf62ab00eba0147abe82d9294223927f04b4cc3328620dfc9184a7049f8d515b29e4
+cfitsio-checksum = c0502699e266928dd25abe57730dc4b357ccc9023789fe745324ae01aa688516aceaf37321ee578f0430111d9718f0fec0dc5b54c07f935529560f00b32ce1e3
+cmake-checksum = b47dfa3c825cd520a5a92d8092f39595d2c89992c94b7fc5f7a5cc6d009dc6f9164c31f1801188862e58e943da3f84167571c2253697eace7a819a4ba43bcc42
+fftw-checksum = ab918b742a7c7dcb56390a0a0014f517a6dff9a2e4b4591060deeb2c652bf3c6868aa74559a422a276b853289b4b701bdcbd3d4d8c08943acf29167a7be81a38
+freetype-checksum = 02f0f4211f9cee5b5e46ebe61190482fca5b41bc26be06fcf0d2d717e9fb119229308398c420eeea476fa2511ca2d52948f1a3242efad30ca82ed0b07cd50e3a
+ghostscript-checksum = 670159c23618ffafa85c671642bf182a107a82c053a1fd8c3f45f73f203524077be1b212d2ddbabae7892c7713922877e03b020f78bd2aab1ae582c4fc7d820a
+gnuastro-checksum = 44668641b4dea809b23f1265cd1586ce17d32ea0f58b55fff79438e5893a20ff2b727f90c479f196df37dbb81969e53e8fdf6774dd9f65d34ac69e6813985910
+gsl-checksum = 5b4c5c023f9029ce220f4e09aa4d0234fed94d42ac224d58fda095fe0532d54237a7c33278f8b5d0ba051f6004486edb38d0adb4fcb49337a8c1d8a18cf4a24a
+hdf5-checksum = f828ee9d63533effe1ad358230e5ce7b64c5016e49291d9533575f713cbfba496290fc0151fd9617898bdf36785984ddb38a9207f529d7702d4e23838fe050d8
+imagemagick-checksum = 32177f8a899c6a6b64740c3afbcea584da2573823324ca0bdd5a6d70692ca7a689944eac0b3a07bcc827c5c426fdb9e4b8714448fff7e50e26c7bd4587f2f43b
+imfit-checksum = 15edd2349232c1c8e611b31d3a46b0700112d274515f54d0a0085bb4bfa6d3d5f8a15cd926516e043a29ce841accf3534ae58dbfb952d858dc9445199c957096
+lapack-checksum = 17786cb7306fccdc9b4a242de7f64fc261ebe6a10b6ec55f519deb4cb673cb137e8742aa5698fd2dc52f1cd56d3bd116af3f593a01dcf6770c4dcc86c50b2a7f
+libffi-checksum = 980ca30a8d76f963fca722432b1fe5af77d7a4e4d2eac5144fbc5374d4c596609a293440573f4294207e1bdd9fda80ad1e1cafb2ffb543df5a275bc3bd546483
+libgit2-checksum = 0879c162e2e1dc00eadfbda22cd1f9d3a95b4ec2b653c108983f37c2f695140882de4d50d7cbc04ced247125a4e9fe6df16130e1267891aecdb2411d920db5c6
+libjpeg-checksum = 74ea5af3545657d4ac03f8f7933913112cc2d982f0e379d0e5647f1acac21931468e53806297c30ebe180c7bcf84919a0ac20a4195afb03db03060d57904ef6c
+libpng-checksum = 59e8c1059013497ae616a14c3abbe239322d3873c6ded0912403fc62fb260561768230b6ab997e2cccc3b868c09f539fd13635616b9fa0dd6279a3f63ec7e074
+libtiff-checksum = d213e5db09fd56b8977b187c5a756f60d6e3e998be172550c2892dbdb4b2a8e8c750202bc863fe27d0d1c577ab9de1710d15e9f6ed665aadbfd857525a81eea8
+libxml2-checksum = cb7784ba4e72e942614e12e4f83f4ceb275f3d738b30e3b5c1f25edf8e9fa6789e854685974eed95b362049dbf6c8e7357e0327d64c681ed390534ac154e6810
+netpbm-checksum = 064720f8a9d0a502488e1af4daecdbf3936910996507ca6f311073a0ad842346692a148eb1ddf7b717f7b108f60500246cb4b83f4d3665f5fc285a84ae1d63d6
+openblas-checksum = 91b3074eb922453bf843158b4281cde65db9e8bbdd7590e75e9e6cdcb486157f7973f2936f327bb3eb4f1702ce0ba51ae6729d8d4baf2d986c50771e8f696df0
+openmpi-checksum = 760716974cb6b25ad820184622e1ee7926bc6fda87db6b574f76792bc1ca99522e52195866c14b7cb2df5a4981efdaf9f71d2c5533cc0e8e45c2c4b3b74cbacc
+pixman-checksum = 1b0205dbe9d9185c68813ce577a889f3c83e83fbd9955c3a72d411c3b476e6be93fc246b5b6ef4ee17e2bb8eb6fb5559e01dff7feb6a6c4c6314f980e960d690
+python-checksum = c87be001f3de677f7838cc7767beefe5781d3d5e4ba39abb8dba1d77ce4a334660e27ed2dfd26bc90afcdb94b5b8a3a7aea329852557404d1c85cb2c268651db
+scamp-checksum = 35034a367d2cd09dc51e727e0f23ef6234edc0d978fd71cda1e80391d86af160138cb57281f7f7f9047e35b1246a0de6b235414086a62524413ed423f498583f
+scons-checksum = 0477038b014674049f12899b64584d44a85283d521b2422561e42020a5ae296a5af005684087c3ff410ed3fcbdcc5ff61998bc429eb29513f2a864138ffc4945
+sextractor-checksum = 4035710f9b8a20a0bb1a3913dab2dadd8444c179bf6dee425e0e8bb66a772944ea189bfce89fd791d316a790fc4b2cb15a62633b19d1d5331b1803dec2e70af7
+swarp-checksum = 80f4ade59738df3d4c9b47bda04148b53c6ba995d523fa8d1e02fb5d952b6078a53cc7d273849a033505de127a4f318b95adf2bf5a2dc38e8cc9bdaf5658487a
+swig-checksum = 5eaa2e06d8e4197fd02194051db1e518325dbb074a4c55a91099ad9c55193874f577764afc9029409a41bd520a95154095f26e33ef5add5c102bb2c1d98d33eb
+tides-checksum = c3360ff0d023b43749ba09a33302ca059f017a157b3ce7cdcf4f1a1578e90d3e7fa420077043adbee6b1ebf94bd698c8d6b279012f36d2a05b4de5351e30e108
+wcslib-checksum = fb438c8f9f7540a4cec8d7468f009f8f185c34524b862b6bd412bb5c9154e12c8e660eed91fb55a4d42f64da143672e7cda58f746749f87f6ff7c7f47b644ef8
+yaml-checksum = 13d2197135946204323dbfccafa0ac7b3d05437e920545a56f46811fd7319c01419a58083090ce85fccd4d6901a620ceb9f1190078cc0830bc0ce769bb024f51
+
+
+
+
+
+# Python packages
+# ---------------
+#
+# Similar to optional programs and libraries above.
+#
+# IMPORTANT: If you intend to change the version of any of the Python
+# modules/libraries below, please fix the hash strings of the respective
+# URL in `reproduce/software/make/python.mk'.
+asn1crypto-checksum = 44d442a6ddfa971e31e24712fe084368356deb5e1c4c3b3e813e0910931860215bc1c4f9eb2c4bd4fdef607c324086c096e9357068646efd28c97f2d4f85c62f
+astropy-checksum = f075502beb0d6336e9c3bb6839b2121262d3d5147f099bc60656805849f11564b06ed67dd7d257245e1925a98dca15bb874b33b4840c58a0173eef3c03711e98
+astroquery-checksum = 0da57f687ac0aa7611cd97085771d79c99e9ac8c11f0828fcbc7390faf24e1e87d86812020e0ae8be1749f5f2ae9cb3733e5922d38a897a9e212247175c28e52
+beautifulsoup4-checksum = 7aa77bc6008bbcbbbe91b0a850007ab237d2832b63a787fbd94b7cbf47d4276b185e0c61c134df73221406458edff2b75b6b8c2b53b543aa3bb1b0e2202dac5a
+certifi-checksum = 6a6bf1ff98caefcdbf78a8c83e11e155368bacdd806f0ae0c6afa8f513667df6598e594b3584de61acdca3d6049f4a776937f2aa8672b602bd6db7b737f6074e
+cffi-checksum = af4fe47cf5d6f1126222898365cfa21e9f11d0e71b87d869014dbb37af30dca9ddf50c989030d0f610f50e8099e8dfd08a688d8c3629abbcc4f0294f5f91b817
+chardet-checksum = 61a03b23447a2bfe52ceed4dd1b9afdb5784da1933a623776883ee9f297e341f633e27f0ce0230bd5fdc5fdb5382105ab42736a74a417ddeb9f83af57455dba5
+cryptography-checksum = f14319e24d9dca52e74548cada5b78a6235f089ef875dbff4799e862f94da8b087f1b6e03e84dcef9fc7d7693c4a349c5f0cd54b8535806da777420ce8757d39
+cycler-checksum = b7d2ba19861ffaf4dea0444bfe68b5a6264a022d7b3f02c9ff5e5859e3901de12a90f8dc7469e995e09c418515b3df55dbf05a0cfe5368d40790a2c878a74819
+cython-checksum = bb8095b438a7d2567b8b831628fbb32c02299c866e41113da62fb5a5d4982dc0df947a9f723a82c52086806435d8f3518e78a803166149d476f81e042a12494e
+entrypoints-checksum = aa1274362d3a4b00266103319ca51aa266605b4999c89a9d0673eb61bfae9e646cb0ec6b86c95544493f6fe048385a2c7641d64adca8f45815546fb1e663c858
+h5py-checksum = 73b1f59e3e2b3eceebf7b97e49bd8f5199afafd7ef29917af05ff8415c2f2129a5c59db9658944370c9bcf8fc04ab26948ee27fc6fd948a22d19cace1ce8c853
+html5lib-checksum = 35939b4450893864da04e735ee5e0addacf1dd34bae6a6909c76572abf6bfded446a78a713dfde91c1485ba45867d7abeb6a45cf0545c16ea968707be7de5dd2
+idna-checksum = 8ca5cfe6350c51250bafdac7c6e4ddd54c4a5d6bf7acbcef896760a759868c8e9df1fdf550121d8512fa3eb316dcf031ec6058e03b4f66eadee21b63e2187d33
+jeepney-checksum = 43083994a7c6af84a5a68d3ff8f6dc4d9129ce9fa55517838fb62d9f62bb78bdf52067649d0b95d08d689b7d7475cb9b2a956662e265a776ad42dcf4ccc0ab63
+keyring-checksum = 3863f2cd89131d7e927e55691b4eb4b7c2599af189525293d0948aef5215efbbbd74d45db3cd4885ba5b18a79f0fa0b0edc3783a020a6702f6a6fb7ed86b2cf2
+kiwisolver-checksum = 80ed3d7429a2ed4944aa09766bebac2709a3a0e0a184ff414f04bf3c7ec3034ea7d0f70dff319922b870dedaf13d64fc87eff86a82e720ec93a2510885ad738d
+matplotlib-checksum = 00ff7b389b29cb1609822baca2c7ff8bdf4381f42210c037190fe4a1fc1fdb6002a4bdd353d18df91f6730a9b007b1313253b01f73db73a6d65276414fe6a4b9
+mpi4py-checksum = 8a9c2adc573fcb85e0f0ac9b3cd810017dafbc91ff3b2cfca6046ec4fd188bc99a29bebed5b8cd050babfa9dba4aa5b03ac6650bf92a2f9d8ca73c4fea3440be
+mpmath-checksum = 58c69a801f65d73cc0eeb0d2c79277ed638568c656e7213d06ab4709c218aac908b2752377139010bed0e91bbfff01d129c60835ff0a928ba1185aded6de7c0a
+numpy-checksum = 5edd460c0948f424d8deb72f44a33db8ac6a973859b25c824533330dccb4f844197a437e945cd382760bbb6983fd120b08c949ac437973a915246024a8ebc911
+pip-checksum = c6e13da3a57462371d32982c80575c5181592f5c6a8e70d60ec879e689442f4ad468e7aef97eb58c9da50a5a770385aa35e701eefd713a8e9fafeb12e11d956b
+pycparser-checksum = 7f830e1c9066ee2d297a55e2bf6db4bf6447b6d9da0145d11a88c3bb98505755fb7986eafa6e06ae0b7680838f5e5d6a6d188245ca5ad45c2a727587bac93ab5
+pyparsing-checksum = fc8342780c38fd08c07d0b885c4d6c77d59f38098aa13c3abd05a790ee6caf2065a0bdab33bc290a6e2da123f4ac7e38c049e389b740546499dc48eba7ae431f
+pypkgconfig-checksum = 1fd9aa973bd20a8fab864722598f1d19b94c23c7f2b522556b3182b19fe016bda7aa2be5e48a1b8fefa70a069611007d6d790e24defcb462e4594a382de85b00
+python-dateutil-checksum = ec7da86203572582f883a4686acf8a732a2de4f396d809057eb51b2c60dbca5623a7fa90c2c0618c281a2282c60841739bd837731a51cc876f4ff369297f2f81
+pyyaml-checksum = 8f27f92bdfa310a99dd6d83947332cc033fa18f0011998bb585ad5c4340a2da20d8c20bfdb53beaae15651198d1240c986818379b0a05b230f74d1f30f53e7fd
+requests-checksum = 385e1d80993a21c09e7c4682500ca8c24155962ba41ecd8e73612722b2ff6618b736e827fc48ad1683b0d2bc7a420cfe680f5107860aca52656ef777f1d60104
+scipy-checksum = 80caf9af93046c0d58829a61eb90d824aabe8a53f3e7d8a72efc44accaa3299d1e22adbb4852ed192cee6e47aafbb4ebea3115233ed11f1ef05dd373866b0243
+secretstorage-checksum = 295e0f75c772edf153480730dc20051f06e60e040a18f169620cb4aaa37b8c1a254a496464d3794a38cf49fa884a7b561fe364816f0d12a5b2622c77259f03cf
+setuptools-checksum = f14976a76bff74b7494d44fcfffa511de0d142b4d308fcbf87b34c31c51491102e152acc11a383c5f6b693d1b18eb119c5186ca23deb12b2bbf186794b062868
+setuptools_scm-checksum = 1995754654f8bf509ec7f2186857ba0005dbaea0b1c734f521becb9d022c127e7b36f21da8defd5ec9883de5d0d4afe006f9d152c4cefe6beadf8b878e949eb2
+sip_tpv-checksum = 5e03279cb3650dd506332dfcb31aa4a20f23f55b8a29fd18da5c6d422d1b7dc49e12362ceae2ff7417c874401b5e87a73ca1ac0f3c8747c8984e4269cad56c3f
+six-checksum = 937728372edf1e0ac13bbd706723d0de35e015c30d0ae41f789c5ed2e3669bb0db70cdc6e036ec2d437a6c4aa0d5d1e727b6d09ac34cca7e4e92e5d3b4775151
+soupsieve-checksum = abdcbb6a13563e7afadd3056141587fdc3d7d644e346f789bca0a16242d860219e462491b0c624b287300af960fb8e3f85c79f5137580939a9fc8c3d6961478c
+sympy-checksum = 6ae09be7260b1624b4f92d39c68d5cdf54e6e33010d9215f46d62d989c04cdbee6f9f9c8b11ebeda53257d154954fb926b3ab7335b738e33ad248764875b6ddb
+urllib3-checksum = 4c12d08076b0f260727d5aac780f5e9a24e0164755ff05b02a1f5a697876741ff13ba278fdd6e46ef678e8e1146bc39de1fc49ee10ee839229a70540a9424a99
+virtualenv-checksum = 3306f59bbcb48ceec225c07083e0b6831379b3e632e4a23c376849559449de1a04db66e0e7ceabb40ddcd3ae984a2a18dfdc4f1c38777d4bc04537f85a0137ac
+webencodings-checksum = b727b01bac6ec79bca517960d27b4c0668b295f25559471b9641c2c33dab55db6dac9c990952177964c6418382c22831b14d57df5e632d51d7abf97b61f24326
diff --git a/reproduce/software/config/installation/versions.mk b/reproduce/software/config/installation/versions.mk
index 14c43d1..bfeaf7c 100644
--- a/reproduce/software/config/installation/versions.mk
+++ b/reproduce/software/config/installation/versions.mk
@@ -43,8 +43,8 @@ lzip-version= 1.20
 m4-version = 1.4.18
 make-version = 4.2.90
 metastore-version = 1.1.2-23-fa9170b
-mpfr-version = 4.0.2
 mpc-version = 1.1.0
+mpfr-version = 4.0.2
 ncurses-version = 6.1
 openssl-version = 1.1.1a
 patchelf-version = 0.10
@@ -116,8 +116,8 @@ yaml-version = 0.2.2
 # modules/libraries below, please fix the hash strings of the respective
 # URL in `reproduce/software/make/python.mk'.
 asn1crypto-version = 0.24.0
-astroquery-version = 0.3.9
 astropy-version = 3.1.1
+astroquery-version = 0.3.9
 beautifulsoup4-version = 4.7.1
 certifi-version = 2018.11.29
 cffi-version = 1.12.2
@@ -130,8 +130,8 @@ h5py-version = 2.9.0
 html5lib-version = 1.0.1
 idna-version = 2.8
 jeepney-version = 0.4
-kiwisolver-version = 1.0.1
 keyring-version = 18.0.0
+kiwisolver-version = 1.0.1
 matplotlib-version = 3.0.2
 mpi4py-version = 3.0.1
 mpmath-version = 1.1.0
diff --git a/reproduce/software/make/basic.mk b/reproduce/software/make/basic.mk
index e4ab55a..98aea0d 100644
--- a/reproduce/software/make/basic.mk
+++ b/reproduce/software/make/basic.mk
@@ -36,6 +36,7 @@
 include reproduce/software/make/build-rules.mk
 include reproduce/software/config/installation/LOCAL.mk
 include reproduce/software/config/installation/versions.mk
+include reproduce/software/config/installation/checksums.mk
 
 lockdir = $(BDIR)/locks
 tdir    = $(BDIR)/software/tarballs
@@ -137,66 +138,71 @@ tarballs = $(foreach t, bash-$(bash-version).tar.lz \
                         zlib-$(zlib-version).tar.gz \
                       , $(tdir)/$(t) )
 $(tarballs): $(tdir)/%: | $(lockdir)
+
+	n=$$(echo $* | sed -e's/[0-9\-]/ /g' \
+	                   -e's/\./ /g' \
+	             | awk '{print $$1}' ); \
+	                                    \
+	mergenames=1; \
+	if   [ $$n = bash      ]; then c=$(bash-checksum); w=http://akhlaghi.org/src; \
+	elif [ $$n = binutils  ]; then c=$(binutils-checksum); w=http://ftp.gnu.org/gnu/binutils; \
+	elif [ $$n = bzip      ]; then c=$(bzip2-checksum); w=http://akhlaghi.org/src; \
+	elif [ $$n = cert      ]; then c=$(cert-checksum); w=http://akhlaghi.org/src; \
+	elif [ $$n = coreutils ]; then c=$(coreutils-checksum); w=http://ftp.gnu.org/gnu/coreutils;\
+	elif [ $$n = curl      ]; then c=$(curl-checksum); w=https://curl.haxx.se/download; \
+	elif [ $$n = diffutils ]; then c=$(diffutils-checksum); w=http://ftp.gnu.org/gnu/diffutils;\
+	elif [ $$n = file      ]; then c=$(file-checksum); w=ftp://ftp.astron.com/pub/file; \
+	elif [ $$n = findutils ]; then c=$(findutils-checksum); w=http://akhlaghi.org/src; \
+	elif [ $$n = gawk      ]; then c=$(gawk-checksum); w=http://ftp.gnu.org/gnu/gawk; \
+	elif [ $$n = gcc       ]; then c=$(gcc-checksum); w=http://ftp.gnu.org/gnu/gcc/gcc-$(gcc-version); \
+	elif [ $$n = git       ]; then c=$(git-checksum); w=http://mirrors.edge.kernel.org/pub/software/scm/git; \
+	elif [ $$n = gmp       ]; then c=$(gmp-checksum); w=https://gmplib.org/download/gmp; \
+	elif [ $$n = grep      ]; then c=$(grep-checksum); w=http://ftp.gnu.org/gnu/grep; \
+	elif [ $$n = gzip      ]; then c=$(gzip-checksum); w=http://ftp.gnu.org/gnu/gzip; \
+	elif [ $$n = isl       ]; then c=$(isl-checksum); w=ftp://gcc.gnu.org/pub/gcc/infrastructure; \
+	elif [ $$n = libbsd    ]; then c=$(libbsd-checksum); w=http://libbsd.freedesktop.org/releases; \
+	elif [ $$n = libiconv  ]; then c=$(libiconv-checksum); w=https://ftp.gnu.org/pub/gnu/libiconv; \
+	elif [ $$n = libtool   ]; then c=$(libtool-checksum); w=http://ftp.gnu.org/gnu/libtool; \
+	elif [ $$n = lzip      ]; then c=$(lzip-checksum); w=http://download.savannah.gnu.org/releases/lzip; \
+	elif [ $$n = m         ]; then \
+	  mergenames=0; \
+	  c=$(m4-checksum); \
+	  w=http://akhlaghi.org/src/m4-1.4.18-patched.tar.gz; \
+	elif [ $$n = make      ]; then c=$(make-checksum); w=http://akhlaghi.org/src; \
+	elif [ $$n = metastore ]; then c=$(metastore-checksum); w=http://akhlaghi.org/src; \
+	elif [ $$n = mpc       ]; then c=$(mpc-checksum); w=http://ftp.gnu.org/gnu/mpc; \
+	elif [ $$n = mpfr      ]; then c=$(mpfr-checksum); w=http://www.mpfr.org/mpfr-current;\
+	elif [ $$n = ncurses   ]; then c=$(ncurses-checksum); w=http://ftp.gnu.org/gnu/ncurses; \
+	elif [ $$n = openssl   ]; then c=$(openssl-checksum); w=http://www.openssl.org/source; \
+	elif [ $$n = patchelf  ]; then c=$(patchelf-checksum); w=http://nixos.org/releases/patchelf/patchelf-$(patchelf-version); \
+	elif [ $$n = pkg       ]; then c=$(pkgconfig-checksum); w=http://pkg-config.freedesktop.org/releases; \
+	elif [ $$n = readline  ]; then c=$(readline-checksum); w=http://ftp.gnu.org/gnu/readline; \
+	elif [ $$n = sed       ]; then c=$(sed-checksum); w=http://ftp.gnu.org/gnu/sed; \
+	elif [ $$n = tar       ]; then c=$(tar-checksum); w=http://ftp.gnu.org/gnu/tar; \
+	elif [ $$n = texinfo   ]; then c=$(texinfo-checksum); w=http://ftp.gnu.org/gnu/texinfo; \
+	elif [ $$n = unzip     ]; then \
+	  c=$(unzip-checksum); \
+	  mergenames=0; v=$$(echo $(unzip-version) | sed -e's/\.//'); \
+	  w=ftp://ftp.info-zip.org/pub/infozip/src/unzip$$v.tgz; \
+	elif [ $$n = wget      ]; then c=$(wget-checksum); w=http://ftp.gnu.org/gnu/wget; \
+	elif [ $$n = which     ]; then c=$(which-checksum); w=http://ftp.gnu.org/gnu/which; \
+	elif [ $$n = xz        ]; then c=$(xz-checksum); w=http://tukaani.org/xz; \
+	elif [ $$n = zip       ]; then \
+	  c=$(zip-checksum); \
+	  mergenames=0; v=$$(echo $(zip-version) | sed -e's/\.//'); \
+	  w=ftp://ftp.info-zip.org/pub/infozip/src/zip$$v.tgz; \
+	elif [ $$n = zlib      ]; then c=$(zlib-checksum); w=http://www.zlib.net; \
+	else \
+	  echo; echo; echo; \
+	  echo "'$$n' not recognized as a software tarball name to download."; \
+	  echo; echo; echo; \
+	  exit 1; \
+	fi; \
+	                                       \
+	                                       \
 	if [ -f $(DEPENDENCIES-DIR)/$* ]; then \
-	  cp $(DEPENDENCIES-DIR)/$* $@; \
+	  cp $(DEPENDENCIES-DIR)/$* "$@.unchecked"; \
 	else \
-	  n=$$(echo $* | sed -e's/[0-9\-]/ /g' \
-	                     -e's/\./ /g' \
-	               | awk '{print $$1}' ); \
-	                                      \
-	  mergenames=1; \
-	  if   [ $$n = bash      ]; then w=http://akhlaghi.org/src; \
-	  elif [ $$n = binutils  ]; then w=http://ftp.gnu.org/gnu/binutils; \
-	  elif [ $$n = bzip      ]; then w=http://akhlaghi.org/src; \
-	  elif [ $$n = cert      ]; then w=http://akhlaghi.org/src; \
-	  elif [ $$n = coreutils ]; then w=http://ftp.gnu.org/gnu/coreutils;\
-	  elif [ $$n = curl      ]; then w=https://curl.haxx.se/download; \
-	  elif [ $$n = diffutils ]; then w=http://ftp.gnu.org/gnu/diffutils;\
-	  elif [ $$n = file      ]; then w=ftp://ftp.astron.com/pub/file; \
-	  elif [ $$n = findutils ]; then w=http://akhlaghi.org/src; \
-	  elif [ $$n = gawk      ]; then w=http://ftp.gnu.org/gnu/gawk; \
-	  elif [ $$n = gcc       ]; then w=http://ftp.gnu.org/gnu/gcc/gcc-$(gcc-version); \
-	  elif [ $$n = git       ]; then w=http://mirrors.edge.kernel.org/pub/software/scm/git; \
-	  elif [ $$n = gmp       ]; then w=https://gmplib.org/download/gmp; \
-	  elif [ $$n = grep      ]; then w=http://ftp.gnu.org/gnu/grep; \
-	  elif [ $$n = gzip      ]; then w=http://ftp.gnu.org/gnu/gzip; \
-	  elif [ $$n = isl       ]; then w=ftp://gcc.gnu.org/pub/gcc/infrastructure; \
-	  elif [ $$n = libbsd    ]; then w=http://libbsd.freedesktop.org/releases; \
-	  elif [ $$n = libiconv  ]; then w=https://ftp.gnu.org/pub/gnu/libiconv; \
-	  elif [ $$n = libtool   ]; then w=http://ftp.gnu.org/gnu/libtool; \
-	  elif [ $$n = lzip      ]; then w=http://download.savannah.gnu.org/releases/lzip; \
-	  elif [ $$n = m         ]; then \
-	    mergenames=0; \
-	    w=http://akhlaghi.org/src/m4-1.4.18-patched.tar.gz; \
-	  elif [ $$n = make      ]; then w=http://akhlaghi.org/src; \
-	  elif [ $$n = metastore ]; then w=http://akhlaghi.org/src; \
-	  elif [ $$n = mpfr      ]; then w=http://www.mpfr.org/mpfr-current;\
-	  elif [ $$n = mpc       ]; then w=http://ftp.gnu.org/gnu/mpc; \
-	  elif [ $$n = ncurses   ]; then w=http://ftp.gnu.org/gnu/ncurses; \
-	  elif [ $$n = openssl   ]; then w=http://www.openssl.org/source; \
-	  elif [ $$n = patchelf  ]; then w=http://nixos.org/releases/patchelf/patchelf-$(patchelf-version); \
-	  elif [ $$n = pkg       ]; then w=http://pkg-config.freedesktop.org/releases; \
-	  elif [ $$n = readline  ]; then w=http://ftp.gnu.org/gnu/readline; \
-	  elif [ $$n = sed       ]; then w=http://ftp.gnu.org/gnu/sed; \
-	  elif [ $$n = tar       ]; then w=http://ftp.gnu.org/gnu/tar; \
-	  elif [ $$n = texinfo   ]; then w=http://ftp.gnu.org/gnu/texinfo; \
-	  elif [ $$n = unzip     ]; then \
-	    mergenames=0; v=$$(echo $(unzip-version) | sed -e's/\.//'); \
-	    w=ftp://ftp.info-zip.org/pub/infozip/src/unzip$$v.tgz; \
-	  elif [ $$n = wget      ]; then w=http://ftp.gnu.org/gnu/wget; \
-	  elif [ $$n = which     ]; then w=http://ftp.gnu.org/gnu/which; \
-	  elif [ $$n = xz        ]; then w=http://tukaani.org/xz; \
-	  elif [ $$n = zip       ]; then \
-	    mergenames=0; v=$$(echo $(zip-version) | sed -e's/\.//'); \
-	    w=ftp://ftp.info-zip.org/pub/infozip/src/zip$$v.tgz; \
-	  elif [ $$n = zlib      ]; then w=http://www.zlib.net; \
-	  else \
-	    echo; echo; echo; \
-	    echo "'$$n' not a basic dependency name (for downloading)." \
-	    echo; echo; echo; \
-	    exit 1; \
-	  fi; \
-	      \
 	  if [ $$mergenames = 1 ]; then  tarballurl=$$w/"$*"; \
 	  else                           tarballurl=$$w; \
 	  fi; \
@@ -210,8 +216,18 @@ $(tarballs): $(tdir)/%: | $(lockdir)
 	      \
 	  touch $(lockdir)/download; \
 	  $(downloadwrapper) "$$downloader" $(lockdir)/download \
-	                     $$tarballurl $@; \
-	fi
+	                     $$tarballurl "$@.unchecked"; \
+	fi; \
+	                                                \
+	                                                \
+	if type sha512sum > /dev/null 2>/dev/null; then \
+	  checksum=$$(sha512sum "$@.unchecked" | awk '{print $$1}'); \
+	  echo "$*: should be '$$c', is '$$checksum'"; \
+	  if [ x$$checksum = x$$c ]; then mv "$@.unchecked" "$@"; \
+	  else echo "ERROR: Non-matching checksum for '$*'."; exit 1; \
+	  fi; \
+	else mv "$@.unchecked" "$@"; \
+	fi;
 
 
 
diff --git a/reproduce/software/make/high-level.mk b/reproduce/software/make/high-level.mk
index b9a70de..3b37961 100644
--- a/reproduce/software/make/high-level.mk
+++ b/reproduce/software/make/high-level.mk
@@ -32,6 +32,7 @@ include reproduce/software/config/installation/LOCAL.mk
 include reproduce/software/config/installation/TARGETS.mk
 include reproduce/software/config/installation/texlive.mk
 include reproduce/software/config/installation/versions.mk
+include reproduce/software/config/installation/checksums.mk
 
 lockdir = $(BDIR)/locks
 tdir    = $(BDIR)/software/tarballs
@@ -161,86 +162,96 @@ tarballs = $(foreach t, astrometry.net-$(astrometrynet-version).tar.gz \
                         yaml-$(yaml-version).tar.gz \
                       , $(tdir)/$(t) )
 $(tarballs): $(tdir)/%: | $(lockdir)
-	if [ -f $(DEPENDENCIES-DIR)/$* ]; then
-	  cp $(DEPENDENCIES-DIR)/$* $@
+
+        # Remove all numbers, `-' and `.' from the tarball name so we can
+        # search more easily only with the program name.
+	n=$$(echo $* | sed -e's/[0-9\-]/ /g' -e's/\./ /g' \
+	             | awk '{print $$1}' )
+
+	# Set the top download link of the requested tarball.
+	mergenames=1
+	if   [ $$n = astrometry  ]; then c=$(astrometrynet-checksum); w=http://astrometry.net/downloads
+	elif [ $$n = atlas       ]; then
+	  mergenames=0
+	  c=$(atlas-checksum)
+	  w=https://sourceforge.net/projects/math-atlas/files/Stable/$(atlas-version)/atlas$(atlas-version).tar.bz2/download
+	elif [ $$n = cairo       ]; then c=$(cairo-checksum); w=https://www.cairographics.org/releases
+	elif [ $$n = cdsclient   ]; then c=$(cdsclient-checksum); w=http://cdsarc.u-strasbg.fr/ftp/pub/sw
+	elif [ $$n = cfitsio     ]; then c=$(cfitsio-checksum); w=https://heasarc.gsfc.nasa.gov/FTP/software/fitsio/c
+	elif [ $$n = cmake       ]; then
+	  mergenames=0
+	  c=$(cmake-checksum)
+	  majv=$$(echo $(cmake-version) \
+	               | sed -e's/\./ /' \
+	               | awk '{printf("%d.%d", $$1, $$2)}')
+	  w=https://cmake.org/files/v$$majv/cmake-$(cmake-version).tar.gz
+	elif [ $$n = fftw        ]; then c=$(fftw-checksum); w=ftp://ftp.fftw.org/pub/fftw
+	elif [ $$n = freetype    ]; then c=$(freetype-checksum); w=https://download.savannah.gnu.org/releases/freetype
+	elif [ $$n = ghostscript ]; then c=$(ghostscript-checksum); w=https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926
+	elif [ $$n = gnuastro    ]; then c=$(gnuastro-checksum); w=http://ftp.gnu.org/gnu/gnuastro
+	elif [ $$n = gsl         ]; then c=$(gsl-checksum); w=http://ftp.gnu.org/gnu/gsl
+	elif [ $$n = hdf         ]; then
+	  mergenames=0
+	  c=$(hdf5-checksum)
+	  majorver=$$(echo $(hdf5-version) | sed -e 's/\./ /g' | awk '{printf("%d.%d", $$1, $$2)}')
+	  w=https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-$$majorver/hdf5-$(hdf5-version)/src/$*
+	elif [ $$n = imagemagick ]; then
+	  mergenames=0
+	  c=$(imagemagick-checksum)
+	  w=https://www.imagemagick.org/download/releases/ImageMagick-$(imagemagick-version).tar.xz
+	elif [ $$n = imfit       ]; then
+	  mergenames=0
+	  c=$(imfit-checksum)
+	  w=http://www.mpe.mpg.de/~erwin/resources/imfit/imfit-$(imfit-version)-source.tar.gz
+	elif [ $$n = install     ]; then c=NO-CHECK-SUM; w=http://mirror.ctan.org/systems/texlive/tlnet
+	elif [ $$n = jpegsrc     ]; then c=$(libjpeg-checksum); w=http://ijg.org/files
+	elif [ $$n = lapack      ]; then c=$(lapack-checksum); w=http://www.netlib.org/lapack
+	elif [ $$n = libpng      ]; then c=$(libpng-checksum); w=https://download.sourceforge.net/libpng
+	elif [ $$n = libgit      ]; then
+	  mergenames=0
+	  c=$(libgit2-checksum)
+	  w=https://github.com/libgit2/libgit2/archive/v$(libgit2-version).tar.gz
+	elif [ $$n = libxml      ]; then c=$(libxml-checksum); w=ftp://xmlsoft.org/libxml2
+	elif [ $$n = netpbm      ]; then c=$(netpbm-checksum); w=http://akhlaghi.org/src
+	elif [ $$n = openblas    ]; then
+	  mergenames=0
+	  c=$(openblas-checksum)
+	  w=https://github.com/xianyi/OpenBLAS/archive/v$(openblas-version).tar.gz
+	elif [ $$n = openmpi     ]; then
+	  mergenames=0
+	  c=$(openmpi-checksum)
+	  majorver=$$(echo $(openmpi-version) | sed -e 's/\./ /g' | awk '{printf("%d.%d", $$1, $$2)}')
+	  w=https://download.open-mpi.org/release/open-mpi/v$$majorver/$*
+	elif [ $$n = pixman      ]; then c=$(pixman-checksum); w=https://www.cairographics.org/releases
+	elif [ $$n = scamp       ]; then c=$(scamp-checksum); w=http://akhlaghi.org/src
+	elif [ $$n = scons       ]; then
+	  mergenames=0
+	  c=$(scons-checksum)
+	  w=https://sourceforge.net/projects/scons/files/scons/$(scons-version)/scons-$(scons-version).tar.gz/download
+	elif [ $$n = sextractor  ]; then c=$(sextractor-checksum); w=http://akhlaghi.org/src
+	elif [ $$n = swarp       ]; then c=$(swarp-checksum); w=https://www.astromatic.net/download/swarp
+	elif [ $$n = swig        ]; then c=$(swig-checksum); w=https://sourceforge.net/projects/swig/files/swig/swig-$(swig-version)
+	elif [ $$n = tides       ]; then c=$(tides-checksum); w=http://akhlaghi.org/src
+	elif [ $$n = tiff        ]; then c=$(libtiff-checksum); w=https://download.osgeo.org/libtiff
+	elif [ $$n = wcslib      ]; then c=$(wcslib-checksum); w=ftp://ftp.atnf.csiro.au/pub/software/wcslib
+	elif [ $$n = yaml        ]; then c=$(yaml-checksum); w=pyyaml.org/download/libyaml
 	else
-	  # Remove all numbers, `-' and `.' from the tarball name so we can
-	  # search more easily only with the program name.
-	  n=$$(echo $* | sed -e's/[0-9\-]/ /g' -e's/\./ /g' \
-	               | awk '{print $$1}' )
-
-	  # Set the top download link of the requested tarball.
-	  mergenames=1
-	  if   [ $$n = astrometry  ]; then w=http://astrometry.net/downloads
-	  elif [ $$n = atlas       ]; then
-	    mergenames=0
-	    w=https://sourceforge.net/projects/math-atlas/files/Stable/$(atlas-version)/atlas$(atlas-version).tar.bz2/download
-	  elif [ $$n = cairo       ]; then w=https://www.cairographics.org/releases
-	  elif [ $$n = cdsclient   ]; then w=http://cdsarc.u-strasbg.fr/ftp/pub/sw
-	  elif [ $$n = cfitsio     ]; then w=https://heasarc.gsfc.nasa.gov/FTP/software/fitsio/c
-	  elif [ $$n = cmake       ]; then
-	    mergenames=0
-	    majv=$$(echo $(cmake-version) \
-	                 | sed -e's/\./ /' \
-	                 | awk '{printf("%d.%d", $$1, $$2)}')
-	    w=https://cmake.org/files/v$$majv/cmake-$(cmake-version).tar.gz
-	  elif [ $$n = fftw        ]; then w=ftp://ftp.fftw.org/pub/fftw
-	  elif [ $$n = freetype    ]; then w=https://download.savannah.gnu.org/releases/freetype
-	  elif [ $$n = hdf         ]; then
-	    mergenames=0
-	    majorver=$$(echo $(hdf5-version) | sed -e 's/\./ /g' | awk '{printf("%d.%d", $$1, $$2)}')
-	    w=https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-$$majorver/hdf5-$(hdf5-version)/src/$*
-	  elif [ $$n = ghostscript ]; then w=https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926
-	  elif [ $$n = gnuastro    ]; then w=http://ftp.gnu.org/gnu/gnuastro
-	  elif [ $$n = gsl         ]; then w=http://ftp.gnu.org/gnu/gsl
-	  elif [ $$n = imagemagick ]; then
-	    mergenames=0
-	    w=https://www.imagemagick.org/download/releases/ImageMagick-$(imagemagick-version).tar.xz
-	  elif [ $$n = imfit       ]; then
-	    mergenames=0
-	    w=http://www.mpe.mpg.de/~erwin/resources/imfit/imfit-$(imfit-version)-source.tar.gz
-	  elif [ $$n = install     ]; then w=http://mirror.ctan.org/systems/texlive/tlnet
-	  elif [ $$n = jpegsrc     ]; then w=http://ijg.org/files
-	  elif [ $$n = lapack      ]; then w=http://www.netlib.org/lapack
-	  elif [ $$n = libpng      ]; then w=https://download.sourceforge.net/libpng
-	  elif [ $$n = libgit      ]; then
-	    mergenames=0
-	    w=https://github.com/libgit2/libgit2/archive/v$(libgit2-version).tar.gz
-	  elif [ $$n = libxml      ]; then w=ftp://xmlsoft.org/libxml2
-	  elif [ $$n = netpbm      ]; then w=http://akhlaghi.org/src
-	  elif [ $$n = openblas    ]; then
-	    mergenames=0
-	    w=https://github.com/xianyi/OpenBLAS/archive/v$(openblas-version).tar.gz
-	  elif [ $$n = openmpi     ]; then
-	    mergenames=0
-	    majorver=$$(echo $(openmpi-version) | sed -e 's/\./ /g' | awk '{printf("%d.%d", $$1, $$2)}')
-	    w=https://download.open-mpi.org/release/open-mpi/v$$majorver/$*
-	  elif [ $$n = pixman      ]; then w=https://www.cairographics.org/releases
-	  elif [ $$n = scamp       ]; then w=http://akhlaghi.org/src
-	  elif [ $$n = scons       ]; then
-	    mergenames=0
-	    w=https://sourceforge.net/projects/scons/files/scons/$(scons-version)/scons-$(scons-version).tar.gz/download
-	  elif [ $$n = sextractor  ]; then w=http://akhlaghi.org/src
-	  elif [ $$n = swarp       ]; then w=https://www.astromatic.net/download/swarp
-	  elif [ $$n = swig        ]; then w=https://sourceforge.net/projects/swig/files/swig/swig-$(swig-version)
-	  elif [ $$n = tides       ]; then w=http://akhlaghi.org/src
-	  elif [ $$n = tiff        ]; then w=https://download.osgeo.org/libtiff
-	  elif [ $$n = wcslib      ]; then w=ftp://ftp.atnf.csiro.au/pub/software/wcslib
-	  elif [ $$n = yaml        ]; then w=pyyaml.org/download/libyaml
-	  else
-	    echo; echo; echo;
-	    echo "'$$n' not recognized as a dependency name to download."
-	    echo; echo; echo;
-	    exit 1
-	  fi
+	  echo; echo; echo;
+	  echo "'$$n' not recognized as a software tarball name to download."
+	  echo; echo; echo;
+	  exit 1
+	fi
 
-      # Download the requested tarball. Note that some packages may not
-      # follow our naming convention (where the package name is merged
-      # with its version number). In such cases, `w' will be the full
-      # address, not just the top directory address. But since we are
-      # storing all the tarballs in one directory, we want it to have
-      # the same naming convention, so we'll download it to a temporary
-      # name, then rename that.
+        # Download the requested tarball. Note that some packages may not
+        # follow our naming convention (where the package name is merged
+        # with its version number). In such cases, `w' will be the full
+        # address, not just the top directory address. But since we are
+        # storing all the tarballs in one directory, we want it to have the
+        # same naming convention, so we'll download it to a temporary name,
+        # then rename that.
+	if [ -f $(DEPENDENCIES-DIR)/$* ]; then
+	  cp $(DEPENDENCIES-DIR)/$* "$@.unchecked"
+	else
 	  if [ $$mergenames = 1 ]; then  tarballurl=$$w/"$*"
 	  else                           tarballurl=$$w
 	  fi
@@ -249,7 +260,20 @@ $(tarballs): $(tdir)/%: | $(lockdir)
 	  touch $(lockdir)/download
 	  downloader="wget --no-use-server-timestamps -O"
 	  $(downloadwrapper) "$$downloader" $(lockdir)/download \
-	                     $$tarballurl $@
+	                     $$tarballurl "$@.unchecked"
+	fi
+
+        # Make sure this is the expected tarball. Note that we now have a
+        # controlled `sha512sum' build (as part of GNU Coreutils). So we
+        # don't need to check its existance like `basic.mk'. But for LaTeX,
+        # we need to ignore a checksum (it downloads the binaries).
+	if [ $$c == NO-CHECK-SUM ]; then
+	  mv "$@.unchecked" "$@"
+	else
+	  checksum=$$(sha512sum "$@.unchecked" | awk '{print $$1}')
+	  if [ x$$checksum = x$$c ]; then mv "$@.unchecked" "$@"
+	    else echo "ERROR: Non-matching checksum for '$*'."; exit 1
+	  fi
 	fi
 
 
diff --git a/reproduce/software/make/python.mk b/reproduce/software/make/python.mk
index ed1c87d..bc2995f 100644
--- a/reproduce/software/make/python.mk
+++ b/reproduce/software/make/python.mk
@@ -102,108 +102,113 @@ pytarballs = $(foreach t, asn1crypto-$(asn1crypto-version).tar.gz \
                       , $(tdir)/$(t) )
 pytopurl=https://files.pythonhosted.org/packages
 $(pytarballs): $(tdir)/%:
-	if [ -f $(DEPENDENCIES-DIR)/$* ]; then
-	  cp $(DEPENDENCIES-DIR)/$* $@
-	else
 
-          # Convenience variable
-          # --------------------
-          #
-          # `n' is just for convenience and to avoid having to repeat the
-          # package tarball name in the conditional to find its URL.
-          #
-          # For some packages (for example `python-dateutil', or those with
-          # a number or dash in their name), we need special consideration
-          # because the tokenization above will produce `python' as the
-          # first string.
-	  if [ $* = python-dateutil-$(python-dateutil-version).tar.gz ]; then
-	    n=dateutil
-	  elif [ $* = h5py-$(h5py-version).tar.gz ]; then
-	    n=h5py
-
-          # elif [ $* = strange-tarball5name-version.tar.gz ]; then
-          #  n=strange5-name
-	  else
-            # Remove all numbers, `-' and `.' from the tarball name so we can
-            # search more easily only with the program name.
-	    n=$$(echo $* | sed -e's/[0-9\-]/ /g' -e's/\./ /g'           \
-	              | awk '{print $$1}')
-	  fi
+        # Convenience variable
+        # --------------------
+        #
+        # `n' is just for convenience and to avoid having to repeat the
+        # package tarball name in the conditional to find its URL.
+        #
+        # For some packages (for example `python-dateutil', or those with
+        # a number or dash in their name), we need special consideration
+        # because the tokenization above will produce `python' as the
+        # first string.
+	if [ $* = python-dateutil-$(python-dateutil-version).tar.gz ]; then
+	  n=dateutil
+	elif [ $* = h5py-$(h5py-version).tar.gz ]; then
+	  n=h5py
+
+        # elif [ $* = strange-tarball5name-version.tar.gz ]; then
+        #  n=strange5-name
+	else
+          # Remove all numbers, `-' and `.' from the tarball name so we can
+          # search more easily only with the program name.
+	  n=$$(echo $* | sed -e's/[0-9\-]/ /g' -e's/\./ /g'           \
+	            | awk '{print $$1}')
+	fi
 
-          # Set the top download link of the requested tarball. The ones
-          # that have non-standard filenames (differing from our archived
-          # tarball names) are treated first, then the standard ones.
-	  mergenames=1
-	  if [ $$n = cython         ]; then
-	    mergenames=0
-	    hash=36/da/fcb979fc8cb486a67a013d6aefefbb95a3e19e67e49dff8a35e014046c5e
-	    h=$(pytopurl)/$$hash/Cython-$(cython-version).tar.gz
-	  elif [ $$n = python           ]; then
-	    mergenames=0
-	    h=https://www.python.org/ftp/python/$(python-version)/Python-$(python-version).tgz
-	  elif [ $$n = pyyaml           ]; then
-	    mergenames=0
-	    hash=9f/2c/9417b5c774792634834e730932745bc09a7d36754ca00acf1ccd1ac2594d
-	    h=$(pytopurl)/$$hash/PyYAML-$(pyyaml-version).tar.gz
-	  elif [ $$n = libffi         ]; then
-	    mergenames=0
-	    h=ftp://sourceware.org/pub/libffi/libffi-$(libffi-version).tar.gz
-	  elif [ $$n = secretstorage  ]; then
-	    mergenames=0
-	    hash=a6/89/df343dbc2957a317127e7ff2983230dc5336273be34f2e1911519d85aeb5
-	    h=$(pytopurl)/$$hash/SecretStorage-$(secretstorage-version).tar.gz
-	  elif [ $$n = asn            ]; then h=fc/f1/8db7daa71f414ddabfa056c4ef792e1461ff655c2ae2928a2b675bfed6b4
-	  elif [ $$n = astroquery     ]; then h=61/50/a7a08f9e54d7d9d97e69433cd88231e1ad2901811c9d1ae9ac7ccaef9396
-	  elif [ $$n = astropy        ]; then h=eb/f7/1251bf6881861f24239efe0c24cbcfc4191ccdbb69ac3e9bb740d0c23352
-	  elif [ $$n = beautifulsoup  ]; then h=80/f2/f6aca7f1b209bb9a7ef069d68813b091c8c3620642b568dac4eb0e507748
-	  elif [ $$n = certifi        ]; then h=55/54/3ce77783acba5979ce16674fc98b1920d00b01d337cfaaf5db22543505ed
-	  elif [ $$n = cffi           ]; then h=64/7c/27367b38e6cc3e1f49f193deb761fe75cda9f95da37b67b422e62281fcac
-	  elif [ $$n = chardet        ]; then h=fc/bb/a5768c230f9ddb03acc9ef3f0d4a3cf93462473795d18e9535498c8f929d
-	  elif [ $$n = cryptography   ]; then h=07/ca/bc827c5e55918ad223d59d299fff92f3563476c3b00d0a9157d9c0217449
-	  elif [ $$n = cycler         ]; then h=c2/4b/137dea450d6e1e3d474e1d873cd1d4f7d3beed7e0dc973b06e8e10d32488
-	  elif [ $$n = entrypoints    ]; then h=b4/ef/063484f1f9ba3081e920ec9972c96664e2edb9fdc3d8669b0e3b8fc0ad7c
-	  elif [ $$n = h5py           ]; then h=43/27/a6e7dcb8ae20a4dbf3725321058923fec262b6f7835179d78ccc8d98deec
-	  elif [ $$n = html           ]; then h=85/3e/cf449cf1b5004e87510b9368e7a5f1acd8831c2d6691edd3c62a0823f98f
-	  elif [ $$n = idna           ]; then h=ad/13/eb56951b6f7950cadb579ca166e448ba77f9d24efc03edd7e55fa57d04b7
-	  elif [ $$n = jeepney        ]; then h=16/1d/74adf3b164a8d19a60d0fcf706a751ffa2a1eaa8e5bbb1b6705c92a05263
-	  elif [ $$n = keyring        ]; then h=15/88/c6ce9509438bc02d54cf214923cfba814412f90c31c95028af852b19f9b2
-	  elif [ $$n = kiwisolver     ]; then h=31/60/494fcce70d60a598c32ee00e71542e52e27c978e5f8219fae0d4ac6e2864
-	  elif [ $$n = matplotlib     ]; then h=89/0c/653aec68e9cfb775c4fbae8f71011206e5e7fe4d60fcf01ea1a9d3bc957f
-	  elif [ $$n = mpi            ]; then h=55/a2/c827b196070e161357b49287fa46d69f25641930fd5f854722319d431843
-	  elif [ $$n = mpmath         ]; then h=ca/63/3384ebb3b51af9610086b23ea976e6d27d6d97bf140a76a365bd77a3eb32
-	  elif [ $$n = numpy          ]; then h=cf/8d/6345b4f32b37945fedc1e027e83970005fc9c699068d2f566b82826515f2
-	  elif [ $$n = pip            ]; then h=4c/4d/88bc9413da11702cbbace3ccc51350ae099bb351febae8acc85fec34f9af
-	  elif [ $$n = pkgconfig      ]; then h=6e/a9/ff67ef67217dfdf2aca847685fe789f82b931a6957a3deac861297585db6
-	  elif [ $$n = pycparser      ]; then h=68/9e/49196946aee219aead1290e00d1e7fdeab8567783e83e1b9ab5585e6206a
-	  elif [ $$n = pyparsing      ]; then h=b9/b8/6b32b3e84014148dcd60dd05795e35c2e7f4b72f918616c61fdce83d27fc
-	  elif [ $$n = dateutil       ]; then h=ad/99/5b2e99737edeb28c71bcbec5b5dda19d0d9ef3ca3e92e3e925e7c0bb364c
-	  elif [ $$n = requests       ]; then h=52/2c/514e4ac25da2b08ca5a464c50463682126385c4272c18193876e91f4bc38
-	  elif [ $$n = scipy          ]; then h=a9/b4/5598a706697d1e2929eaf7fe68898ef4bea76e4950b9efbe1ef396b8813a
-	  elif [ $$n = secretstorage  ]; then h=a6/89/df343dbc2957a317127e7ff2983230dc5336273be34f2e1911519d85aeb5
-	  elif [ $$n = setuptools     ]; then h=c2/f7/c7b501b783e5a74cf1768bc174ee4fb0a8a6ee5af6afa92274ff964703e0
-	  elif [ $$n = setuptools_scm ]; then h=54/85/514ba3ca2a022bddd68819f187ae826986051d130ec5b972076e4f58a9f3
-	  elif [ $$n = six            ]; then h=dd/bf/4138e7bfb757de47d1f4b6994648ec67a51efe58fa907c1e11e350cddfca
-	  elif [ $$n = sip_tpv        ]; then h=27/93/a973aab2a3bf0c12cb385611819710921e13b090304c6bd015026cf9c502
-	  elif [ $$n = soupsieve      ]; then h=0c/52/e9088bb9b96e2d39fc3b33fcda5b4fde9d71473536ac660a1ca9a0958a2f
-	  elif [ $$n = sympy          ]; then h=54/2e/6adb11fe599d4cfb7e8833753350ac51aa2c0603c226b36f9051cc9d2425
-	  elif [ $$n = urllib         ]; then h=b1/53/37d82ab391393565f2f831b8eedbffd57db5a718216f82f1a8b4d381a1c1
-	  elif [ $$n = virtualenv     ]; then h=51/aa/c395a6e6eaaedfa5a04723b6446a1df783b16cca6fec66e671cede514688
-	  elif [ $$n = webencodings   ]; then h=0b/02/ae6ceac1baeda530866a85075641cec12989bd8d31af6d5ab4a3e8c92f47
-#	  elif [ $$n = strange5-name  ]; then h=XXXXX
-	  else
-	    echo; echo; echo;
-	    echo "'$$n' not recognized as a dependency name to download."
-	    echo; echo; echo;
-	    exit 1
-	  fi
+        # Set the top download link of the requested tarball. The ones
+        # that have non-standard filenames (differing from our archived
+        # tarball names) are treated first, then the standard ones.
+	mergenames=1
+	if [ $$n = cython         ]; then
+	  mergenames=0
+	  c=$(cython-checksum)
+	  hash=36/da/fcb979fc8cb486a67a013d6aefefbb95a3e19e67e49dff8a35e014046c5e
+	  h=$(pytopurl)/$$hash/Cython-$(cython-version).tar.gz
+	elif [ $$n = python           ]; then
+	  mergenames=0
+	  c=$(python-checksum)
+	  h=https://www.python.org/ftp/python/$(python-version)/Python-$(python-version).tgz
+	elif [ $$n = pyyaml           ]; then
+	  mergenames=0
+	  c=$(pyyaml-checksum)
+	  hash=9f/2c/9417b5c774792634834e730932745bc09a7d36754ca00acf1ccd1ac2594d
+	  h=$(pytopurl)/$$hash/PyYAML-$(pyyaml-version).tar.gz
+	elif [ $$n = libffi         ]; then
+	  mergenames=0
+	  c=$(libffi-checksum)
+	  h=ftp://sourceware.org/pub/libffi/libffi-$(libffi-version).tar.gz
+	elif [ $$n = secretstorage  ]; then
+	  mergenames=0
+	  c=$(secretstorage-checksum)
+	  hash=a6/89/df343dbc2957a317127e7ff2983230dc5336273be34f2e1911519d85aeb5
+	  h=$(pytopurl)/$$hash/SecretStorage-$(secretstorage-version).tar.gz
+	elif [ $$n = asn            ]; then h=fc/f1/8db7daa71f414ddabfa056c4ef792e1461ff655c2ae2928a2b675bfed6b4; c=$(asn1crypto-checksum)
+	elif [ $$n = astroquery     ]; then h=61/50/a7a08f9e54d7d9d97e69433cd88231e1ad2901811c9d1ae9ac7ccaef9396; c=$(astroquery-checksum)
+	elif [ $$n = astropy        ]; then h=eb/f7/1251bf6881861f24239efe0c24cbcfc4191ccdbb69ac3e9bb740d0c23352; c=$(astropy-checksum)
+	elif [ $$n = beautifulsoup  ]; then h=80/f2/f6aca7f1b209bb9a7ef069d68813b091c8c3620642b568dac4eb0e507748; c=$(beautifulsoup-checksum)
+	elif [ $$n = certifi        ]; then h=55/54/3ce77783acba5979ce16674fc98b1920d00b01d337cfaaf5db22543505ed; c=$(certifi-checksum)
+	elif [ $$n = cffi           ]; then h=64/7c/27367b38e6cc3e1f49f193deb761fe75cda9f95da37b67b422e62281fcac; c=$(cffi-checksum)
+	elif [ $$n = chardet        ]; then h=fc/bb/a5768c230f9ddb03acc9ef3f0d4a3cf93462473795d18e9535498c8f929d; c=$(chardet-checksum)
+	elif [ $$n = cryptography   ]; then h=07/ca/bc827c5e55918ad223d59d299fff92f3563476c3b00d0a9157d9c0217449; c=$(cryptography-checksum)
+	elif [ $$n = cycler         ]; then h=c2/4b/137dea450d6e1e3d474e1d873cd1d4f7d3beed7e0dc973b06e8e10d32488; c=$(cycler-checksum)
+	elif [ $$n = entrypoints    ]; then h=b4/ef/063484f1f9ba3081e920ec9972c96664e2edb9fdc3d8669b0e3b8fc0ad7c; c=$(entrypoints-checksum)
+	elif [ $$n = h5py           ]; then h=43/27/a6e7dcb8ae20a4dbf3725321058923fec262b6f7835179d78ccc8d98deec; c=$(h5py-checksum)
+	elif [ $$n = html           ]; then h=85/3e/cf449cf1b5004e87510b9368e7a5f1acd8831c2d6691edd3c62a0823f98f; c=$(html5lib-checksum)
+	elif [ $$n = idna           ]; then h=ad/13/eb56951b6f7950cadb579ca166e448ba77f9d24efc03edd7e55fa57d04b7; c=$(idna-checksum)
+	elif [ $$n = jeepney        ]; then h=16/1d/74adf3b164a8d19a60d0fcf706a751ffa2a1eaa8e5bbb1b6705c92a05263; c=$(jeepney-checksum)
+	elif [ $$n = keyring        ]; then h=15/88/c6ce9509438bc02d54cf214923cfba814412f90c31c95028af852b19f9b2; c=$(keyring-checksum)
+	elif [ $$n = kiwisolver     ]; then h=31/60/494fcce70d60a598c32ee00e71542e52e27c978e5f8219fae0d4ac6e2864; c=$(kiwisolver-checksum)
+	elif [ $$n = matplotlib     ]; then h=89/0c/653aec68e9cfb775c4fbae8f71011206e5e7fe4d60fcf01ea1a9d3bc957f; c=$(matplotlib-checksum)
+	elif [ $$n = mpi            ]; then h=55/a2/c827b196070e161357b49287fa46d69f25641930fd5f854722319d431843; c=$(mpi4py-checksum)
+	elif [ $$n = mpmath         ]; then h=ca/63/3384ebb3b51af9610086b23ea976e6d27d6d97bf140a76a365bd77a3eb32; c=$(mpmath-checksum)
+	elif [ $$n = numpy          ]; then h=cf/8d/6345b4f32b37945fedc1e027e83970005fc9c699068d2f566b82826515f2; c=$(numpy-checksum)
+	elif [ $$n = pip            ]; then h=4c/4d/88bc9413da11702cbbace3ccc51350ae099bb351febae8acc85fec34f9af; c=$(pip-checksum)
+	elif [ $$n = pkgconfig      ]; then h=6e/a9/ff67ef67217dfdf2aca847685fe789f82b931a6957a3deac861297585db6; c=$(pypkgconfig-checksum)
+	elif [ $$n = pycparser      ]; then h=68/9e/49196946aee219aead1290e00d1e7fdeab8567783e83e1b9ab5585e6206a; c=$(pycparser-checksum)
+	elif [ $$n = pyparsing      ]; then h=b9/b8/6b32b3e84014148dcd60dd05795e35c2e7f4b72f918616c61fdce83d27fc; c=$(pyparsing-checksum)
+	elif [ $$n = dateutil       ]; then h=ad/99/5b2e99737edeb28c71bcbec5b5dda19d0d9ef3ca3e92e3e925e7c0bb364c; c=$(python-dateutil-checksum)
+	elif [ $$n = requests       ]; then h=52/2c/514e4ac25da2b08ca5a464c50463682126385c4272c18193876e91f4bc38; c=$(requests-checksum)
+	elif [ $$n = scipy          ]; then h=a9/b4/5598a706697d1e2929eaf7fe68898ef4bea76e4950b9efbe1ef396b8813a; c=$(scipy-checksum)
+	elif [ $$n = secretstorage  ]; then h=a6/89/df343dbc2957a317127e7ff2983230dc5336273be34f2e1911519d85aeb5; c=$(secretstorage-checksum)
+	elif [ $$n = setuptools     ]; then h=c2/f7/c7b501b783e5a74cf1768bc174ee4fb0a8a6ee5af6afa92274ff964703e0; c=$(setuptools-checksum)
+	elif [ $$n = setuptools_scm ]; then h=54/85/514ba3ca2a022bddd68819f187ae826986051d130ec5b972076e4f58a9f3; c=$(setuptools_scm-checksum)
+	elif [ $$n = six            ]; then h=dd/bf/4138e7bfb757de47d1f4b6994648ec67a51efe58fa907c1e11e350cddfca; c=$(six-checksum)
+	elif [ $$n = sip_tpv        ]; then h=27/93/a973aab2a3bf0c12cb385611819710921e13b090304c6bd015026cf9c502; c=$(sip_tpv-checksum)
+	elif [ $$n = soupsieve      ]; then h=0c/52/e9088bb9b96e2d39fc3b33fcda5b4fde9d71473536ac660a1ca9a0958a2f; c=$(soupsieve-checksum)
+	elif [ $$n = sympy          ]; then h=54/2e/6adb11fe599d4cfb7e8833753350ac51aa2c0603c226b36f9051cc9d2425; c=$(sympy-checksum)
+	elif [ $$n = urllib         ]; then h=b1/53/37d82ab391393565f2f831b8eedbffd57db5a718216f82f1a8b4d381a1c1; c=$(urllib3-checksum)
+	elif [ $$n = virtualenv     ]; then h=51/aa/c395a6e6eaaedfa5a04723b6446a1df783b16cca6fec66e671cede514688; c=$(virtualenv-checksum)
+	elif [ $$n = webencodings   ]; then h=0b/02/ae6ceac1baeda530866a85075641cec12989bd8d31af6d5ab4a3e8c92f47; c=$(webencodings-checksum)
+#	elif [ $$n = strange5-name  ]; then h=XXXXX; c=$(XXXXX-checksum)
+	else
+	  echo; echo; echo;
+	  echo "'$$n' not recognized as a dependency name to download."
+	  echo; echo; echo;
+	  exit 1
+	fi
 
-          # Download the requested tarball. Note that some packages may not
-          # follow our naming convention (where the package name is merged
-          # with its version number). In such cases, `w' will be the full
-          # address, not just the top directory address. But since we are
-          # storing all the tarballs in one directory, we want it to have
-          # the same naming convention, so we'll download it to a temporary
-          # name, then rename that.
+        # Download the requested tarball. Note that some packages may not
+        # follow our naming convention (where the package name is merged
+        # with its version number). In such cases, `w' will be the full
+        # address, not just the top directory address. But since we are
+        # storing all the tarballs in one directory, we want it to have
+        # the same naming convention, so we'll download it to a temporary
+        # name, then rename that.
+	if [ -f $(DEPENDENCIES-DIR)/$* ]; then
+	  cp $(DEPENDENCIES-DIR)/$* "$@.unchecked"
+	else
 	  if [ $$mergenames = 1 ]; then  tarballurl=$(pytopurl)/$$h/"$*"
 	  else                           tarballurl=$$h
 	  fi
@@ -212,7 +217,15 @@ $(pytarballs): $(tdir)/%:
 	  touch $(lockdir)/download
 	  downloader="wget --no-use-server-timestamps -O"
 	  $(downloadwrapper) "$$downloader" $(lockdir)/download \
-	                     $$tarballurl $@
+	                     $$tarballurl "$@.unchecked"
+	fi
+
+        # Make sure this is the expected tarball. Note that we now have a
+        # controlled `sha512sum' build (as part of GNU Coreutils). So we
+        # don't need to check its existance like `basic.mk'.
+	checksum=$$(sha512sum "$@.unchecked" | awk '{print $$1}')
+	if [ x$$checksum = x$$c ]; then mv "$@.unchecked" "$@"
+	  else echo "ERROR: Non-matching checksum for '$*'."; exit 1
 	fi