NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
de9436e29d
kumquat-buildroot/support/download/check-hash

116 lines
3.4 KiB
Plaintext
Raw Normal View History

Change /bin/bash shebangs into /usr/bin/env bash Not all systems have /bin/bash (e.g. NixOS[1] doesn't). Buildroot already uses /usr/bin/env shebangs for other interpreters (perl, python), so why not bash? This changes only the shebangs used by Buildroot itself; stuff installed to the target system is left unchanged. With this applied I can run Buildroot unmodified on NixOS. [1]: http://nixos.org/ Signed-off-by: Bjørn Forsman <bjorn.forsman@gmail.com> Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-10-21 16:05:56 +02:00
#!/usr/bin/env bash
pkg-infra: add possiblity to check downloaded files against known hashes Some of the packages that Buildroot might build are sensitive packages, related to security: openssl, dropbear, ca-certificates... Some of those packages are downloaded over plain http, because there is no way to get them over a secure channel, such as https. In these dark times of pervasive surveillance, the potential for harm that a tampered-with package could generate, we may want to check the integrity of those sensitive packages. So, each package may now provide a list of hashes for all files that needs to be downloaded, and Buildroot will just fail if any downloaded file does not match its known hash, in which case it is removed. Hashes can be any of the md5, sha1 or sha2 variants, and will be checked even if the file was pre-downloaded. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Baruch Siach <baruch@tkos.co.il> Cc: Arnout Vandecappelle <arnout@mind.be> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar> Reviewed-by: Samuel Martin <s.martin49@gmail.com> Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-07-03 21:36:21 +02:00
set -e
# Helper to check a file matches its known hash
# Call it with:
support/download: teach dl-wrapper to handle more than one hash file Currently, we expect and only use hash files that lie within the package directory, alongside the .mk file. Those hash files are thus bundled with Buildroot. This implies that only what's known to Buildroot can ever get into those hash files. For packages where the version is fixed (or a static choice), then we can carry hashes for those known versions. However, we do have a few packages for which the version is a free-form entry, where the user can provide a custom location and/or version. like a custom VCS tree and revision, or a custom tarball URL. This means that Buildroot has no way to be able to cary hashes for such custom versions. This means that there is no integrity check that what was downloaded is what was expected. For a sha1 in a git tree, this is a minor issue, because the sha1 by itself is already a hash of the expected content. But for custom tarballs URLs, or for a tag in a VCS, there is indeed no integrity check. Buildroot can't provide such hashes, but interested users may want to provide those, and currently there is no (easy) way to do so. So, we need our download helpers to be able to accept more than one hash file to lookup for hashes. Extend the dl-wrapper and the check-hash helpers thusly, and update the legal-info accordingly. Note that, to be able to pass more than one hash file, we also need to re-order the arguments passed to support/download/check-hash, which also impies some shuffling in the three places it is called: - 2 in dl-wrapper - 1 in the legal-info infra That in turn also requires that the legal-license-file macro args get re-ordered to have the hash file last; we take the opportunity to also move the HOST/TARGET arg to be first, like in the other legal-info macros. Reported-by: "Martin Zeiser (mzeiser)" <mzeiser@cisco.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> Cc: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-06 20:09:12 +01:00
# $1: the full path to the temporary file that was downloaded, and
pkg-download: verify the hashes from the download wrapper Instead of repeating the check in our download rules, delegate the check of the hashes to the download wrapper. This needs three different changes: - add a new argument to the download wrapper, that is the full path to the hash file; if the hash file does not exist, that does not change the current behaviour, as the existence of the hash file is checked for in the check-hash script; - add a third argument to the check-hash script, to be the basename of the file to check; this is required because we no longer check the final file with the final filename, but an intermediate file with a temporary filename; - do the actual call to the check-hash script from within the download wrapper. This further paves the way to doing pre-download checks of the hashes for the locally cached files. Note: this patch removes the check for hashes for already downloaded files, since the wrapper script exits early. The behaviour to check localy cached files will be restored and enhanced in the following patch. [Thomas: fix minor typo in comment.] Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Cc: Peter Korsgaard <jacmet@uclibc.org> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2014-12-11 23:52:07 +01:00
# that is to be checked
support/download: teach dl-wrapper to handle more than one hash file Currently, we expect and only use hash files that lie within the package directory, alongside the .mk file. Those hash files are thus bundled with Buildroot. This implies that only what's known to Buildroot can ever get into those hash files. For packages where the version is fixed (or a static choice), then we can carry hashes for those known versions. However, we do have a few packages for which the version is a free-form entry, where the user can provide a custom location and/or version. like a custom VCS tree and revision, or a custom tarball URL. This means that Buildroot has no way to be able to cary hashes for such custom versions. This means that there is no integrity check that what was downloaded is what was expected. For a sha1 in a git tree, this is a minor issue, because the sha1 by itself is already a hash of the expected content. But for custom tarballs URLs, or for a tag in a VCS, there is indeed no integrity check. Buildroot can't provide such hashes, but interested users may want to provide those, and currently there is no (easy) way to do so. So, we need our download helpers to be able to accept more than one hash file to lookup for hashes. Extend the dl-wrapper and the check-hash helpers thusly, and update the legal-info accordingly. Note that, to be able to pass more than one hash file, we also need to re-order the arguments passed to support/download/check-hash, which also impies some shuffling in the three places it is called: - 2 in dl-wrapper - 1 in the legal-info infra That in turn also requires that the legal-license-file macro args get re-ordered to have the hash file last; we take the opportunity to also move the HOST/TARGET arg to be first, like in the other legal-info macros. Reported-by: "Martin Zeiser (mzeiser)" <mzeiser@cisco.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> Cc: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-06 20:09:12 +01:00
# $2: the final basename of the file, to which it will be ultimately
pkg-download: verify the hashes from the download wrapper Instead of repeating the check in our download rules, delegate the check of the hashes to the download wrapper. This needs three different changes: - add a new argument to the download wrapper, that is the full path to the hash file; if the hash file does not exist, that does not change the current behaviour, as the existence of the hash file is checked for in the check-hash script; - add a third argument to the check-hash script, to be the basename of the file to check; this is required because we no longer check the final file with the final filename, but an intermediate file with a temporary filename; - do the actual call to the check-hash script from within the download wrapper. This further paves the way to doing pre-download checks of the hashes for the locally cached files. Note: this patch removes the check for hashes for already downloaded files, since the wrapper script exits early. The behaviour to check localy cached files will be restored and enhanced in the following patch. [Thomas: fix minor typo in comment.] Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Cc: Peter Korsgaard <jacmet@uclibc.org> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2014-12-11 23:52:07 +01:00
# saved as, to be able to match it to the corresponding hashes
# in the .hash file
support/download: teach dl-wrapper to handle more than one hash file Currently, we expect and only use hash files that lie within the package directory, alongside the .mk file. Those hash files are thus bundled with Buildroot. This implies that only what's known to Buildroot can ever get into those hash files. For packages where the version is fixed (or a static choice), then we can carry hashes for those known versions. However, we do have a few packages for which the version is a free-form entry, where the user can provide a custom location and/or version. like a custom VCS tree and revision, or a custom tarball URL. This means that Buildroot has no way to be able to cary hashes for such custom versions. This means that there is no integrity check that what was downloaded is what was expected. For a sha1 in a git tree, this is a minor issue, because the sha1 by itself is already a hash of the expected content. But for custom tarballs URLs, or for a tag in a VCS, there is indeed no integrity check. Buildroot can't provide such hashes, but interested users may want to provide those, and currently there is no (easy) way to do so. So, we need our download helpers to be able to accept more than one hash file to lookup for hashes. Extend the dl-wrapper and the check-hash helpers thusly, and update the legal-info accordingly. Note that, to be able to pass more than one hash file, we also need to re-order the arguments passed to support/download/check-hash, which also impies some shuffling in the three places it is called: - 2 in dl-wrapper - 1 in the legal-info infra That in turn also requires that the legal-license-file macro args get re-ordered to have the hash file last; we take the opportunity to also move the HOST/TARGET arg to be first, like in the other legal-info macros. Reported-by: "Martin Zeiser (mzeiser)" <mzeiser@cisco.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> Cc: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-06 20:09:12 +01:00
# $*: the paths of the files containing all the expected hashes
support/download: return different exit codes for different failures Return different exit codes depending on the error that occured: 0: no error (hash file missing, or all hashes match) 1: unknown option 2: hash file exists, but at least one hash in error 3: hash file exists, but no hash for file to check 4: hash file exists, but at least one hash type unknown This will be used in a later patch to decide whether the downloaded file should be kept or removed. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Cc: Samuel Martin <s.martin49@gmail.com> Cc: Arnout Vandecappelle <arnout@mind.be> Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-04-01 00:15:04 +02:00
#
# Exit codes:
# 0: the hash file exists and the file to check matches all its hashes,
# or the hash file does not exist
# 1: unknown command-line option
# 2: the hash file exists and the file to check does not match at least
# one of its hashes
# 3: the hash file exists and there was no hash to check the file against
# 4: the hash file exists and at least one hash type is unknown
pkg-infra: add possiblity to check downloaded files against known hashes Some of the packages that Buildroot might build are sensitive packages, related to security: openssl, dropbear, ca-certificates... Some of those packages are downloaded over plain http, because there is no way to get them over a secure channel, such as https. In these dark times of pervasive surveillance, the potential for harm that a tampered-with package could generate, we may want to check the integrity of those sensitive packages. So, each package may now provide a list of hashes for all files that needs to be downloaded, and Buildroot will just fail if any downloaded file does not match its known hash, in which case it is removed. Hashes can be any of the md5, sha1 or sha2 variants, and will be checked even if the file was pre-downloaded. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Baruch Siach <baruch@tkos.co.il> Cc: Arnout Vandecappelle <arnout@mind.be> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar> Reviewed-by: Samuel Martin <s.martin49@gmail.com> Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-07-03 21:36:21 +02:00
support/download: support -q in all download backends Add an option flag to all backends, as well as the check-hash script, so as to silence download helpers when the user wants a silent build. Additionaly, make the default be verbose. Inspired by Fabio's patch on git/svn. [Thomas: fix a typo "Environemnt" -> "Environment" Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Fabio Porcedda <fabio.porcedda@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-01-02 16:53:39 +01:00
while getopts :q OPT; do
case "${OPT}" in
q) exec >/dev/null;;
\?) exit 1;;
esac
done
shift $((OPTIND-1))
support/download: teach dl-wrapper to handle more than one hash file Currently, we expect and only use hash files that lie within the package directory, alongside the .mk file. Those hash files are thus bundled with Buildroot. This implies that only what's known to Buildroot can ever get into those hash files. For packages where the version is fixed (or a static choice), then we can carry hashes for those known versions. However, we do have a few packages for which the version is a free-form entry, where the user can provide a custom location and/or version. like a custom VCS tree and revision, or a custom tarball URL. This means that Buildroot has no way to be able to cary hashes for such custom versions. This means that there is no integrity check that what was downloaded is what was expected. For a sha1 in a git tree, this is a minor issue, because the sha1 by itself is already a hash of the expected content. But for custom tarballs URLs, or for a tag in a VCS, there is indeed no integrity check. Buildroot can't provide such hashes, but interested users may want to provide those, and currently there is no (easy) way to do so. So, we need our download helpers to be able to accept more than one hash file to lookup for hashes. Extend the dl-wrapper and the check-hash helpers thusly, and update the legal-info accordingly. Note that, to be able to pass more than one hash file, we also need to re-order the arguments passed to support/download/check-hash, which also impies some shuffling in the three places it is called: - 2 in dl-wrapper - 1 in the legal-info infra That in turn also requires that the legal-license-file macro args get re-ordered to have the hash file last; we take the opportunity to also move the HOST/TARGET arg to be first, like in the other legal-info macros. Reported-by: "Martin Zeiser (mzeiser)" <mzeiser@cisco.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> Cc: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-06 20:09:12 +01:00
file="${1}"
base="${2}"
shift 2
declare -a h_files=( "${@}" )
pkg-infra: add possiblity to check downloaded files against known hashes Some of the packages that Buildroot might build are sensitive packages, related to security: openssl, dropbear, ca-certificates... Some of those packages are downloaded over plain http, because there is no way to get them over a secure channel, such as https. In these dark times of pervasive surveillance, the potential for harm that a tampered-with package could generate, we may want to check the integrity of those sensitive packages. So, each package may now provide a list of hashes for all files that needs to be downloaded, and Buildroot will just fail if any downloaded file does not match its known hash, in which case it is removed. Hashes can be any of the md5, sha1 or sha2 variants, and will be checked even if the file was pre-downloaded. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Baruch Siach <baruch@tkos.co.il> Cc: Arnout Vandecappelle <arnout@mind.be> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar> Reviewed-by: Samuel Martin <s.martin49@gmail.com> Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-07-03 21:36:21 +02:00
# Check one hash for a file
support/download: fix check_one_hash description Function check_one_hash takes three arguments: - algo hash - known hash - file to hash Signed-off-by: Gaël PORTAY <gael.portay@savoirfairelinux.com> Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2017-09-11 21:32:32 +02:00
# $1: algo hash
# $2: known hash
# $3: file (full path)
support/download: teach dl-wrapper to handle more than one hash file Currently, we expect and only use hash files that lie within the package directory, alongside the .mk file. Those hash files are thus bundled with Buildroot. This implies that only what's known to Buildroot can ever get into those hash files. For packages where the version is fixed (or a static choice), then we can carry hashes for those known versions. However, we do have a few packages for which the version is a free-form entry, where the user can provide a custom location and/or version. like a custom VCS tree and revision, or a custom tarball URL. This means that Buildroot has no way to be able to cary hashes for such custom versions. This means that there is no integrity check that what was downloaded is what was expected. For a sha1 in a git tree, this is a minor issue, because the sha1 by itself is already a hash of the expected content. But for custom tarballs URLs, or for a tag in a VCS, there is indeed no integrity check. Buildroot can't provide such hashes, but interested users may want to provide those, and currently there is no (easy) way to do so. So, we need our download helpers to be able to accept more than one hash file to lookup for hashes. Extend the dl-wrapper and the check-hash helpers thusly, and update the legal-info accordingly. Note that, to be able to pass more than one hash file, we also need to re-order the arguments passed to support/download/check-hash, which also impies some shuffling in the three places it is called: - 2 in dl-wrapper - 1 in the legal-info infra That in turn also requires that the legal-license-file macro args get re-ordered to have the hash file last; we take the opportunity to also move the HOST/TARGET arg to be first, like in the other legal-info macros. Reported-by: "Martin Zeiser (mzeiser)" <mzeiser@cisco.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> Cc: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-06 20:09:12 +01:00
# $4: hash file (full path)
pkg-infra: add possiblity to check downloaded files against known hashes Some of the packages that Buildroot might build are sensitive packages, related to security: openssl, dropbear, ca-certificates... Some of those packages are downloaded over plain http, because there is no way to get them over a secure channel, such as https. In these dark times of pervasive surveillance, the potential for harm that a tampered-with package could generate, we may want to check the integrity of those sensitive packages. So, each package may now provide a list of hashes for all files that needs to be downloaded, and Buildroot will just fail if any downloaded file does not match its known hash, in which case it is removed. Hashes can be any of the md5, sha1 or sha2 variants, and will be checked even if the file was pre-downloaded. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Baruch Siach <baruch@tkos.co.il> Cc: Arnout Vandecappelle <arnout@mind.be> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar> Reviewed-by: Samuel Martin <s.martin49@gmail.com> Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-07-03 21:36:21 +02:00
check_one_hash() {
_h="${1}"
_known="${2}"
_file="${3}"
support/download: teach dl-wrapper to handle more than one hash file Currently, we expect and only use hash files that lie within the package directory, alongside the .mk file. Those hash files are thus bundled with Buildroot. This implies that only what's known to Buildroot can ever get into those hash files. For packages where the version is fixed (or a static choice), then we can carry hashes for those known versions. However, we do have a few packages for which the version is a free-form entry, where the user can provide a custom location and/or version. like a custom VCS tree and revision, or a custom tarball URL. This means that Buildroot has no way to be able to cary hashes for such custom versions. This means that there is no integrity check that what was downloaded is what was expected. For a sha1 in a git tree, this is a minor issue, because the sha1 by itself is already a hash of the expected content. But for custom tarballs URLs, or for a tag in a VCS, there is indeed no integrity check. Buildroot can't provide such hashes, but interested users may want to provide those, and currently there is no (easy) way to do so. So, we need our download helpers to be able to accept more than one hash file to lookup for hashes. Extend the dl-wrapper and the check-hash helpers thusly, and update the legal-info accordingly. Note that, to be able to pass more than one hash file, we also need to re-order the arguments passed to support/download/check-hash, which also impies some shuffling in the three places it is called: - 2 in dl-wrapper - 1 in the legal-info infra That in turn also requires that the legal-license-file macro args get re-ordered to have the hash file last; we take the opportunity to also move the HOST/TARGET arg to be first, like in the other legal-info macros. Reported-by: "Martin Zeiser (mzeiser)" <mzeiser@cisco.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> Cc: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-06 20:09:12 +01:00
_h_file="${4}"
pkg-infra: add possiblity to check downloaded files against known hashes Some of the packages that Buildroot might build are sensitive packages, related to security: openssl, dropbear, ca-certificates... Some of those packages are downloaded over plain http, because there is no way to get them over a secure channel, such as https. In these dark times of pervasive surveillance, the potential for harm that a tampered-with package could generate, we may want to check the integrity of those sensitive packages. So, each package may now provide a list of hashes for all files that needs to be downloaded, and Buildroot will just fail if any downloaded file does not match its known hash, in which case it is removed. Hashes can be any of the md5, sha1 or sha2 variants, and will be checked even if the file was pre-downloaded. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Baruch Siach <baruch@tkos.co.il> Cc: Arnout Vandecappelle <arnout@mind.be> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar> Reviewed-by: Samuel Martin <s.martin49@gmail.com> Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-07-03 21:36:21 +02:00
manual: add documentation about packages' hashes Although md5 is, for legacy reasons, a supported hash type, it is not documented on purpose, since it is now known to be weak. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Baruch Siach <baruch@tkos.co.il> Cc: Arnout Vandecappelle <arnout@mind.be> Cc: Samuel Martin <s.martin49@gmail.com> Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com> Reviewed-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-07-03 21:36:22 +02:00
# Note: md5 is supported, but undocumented on purpose.
pkg-infra: add possiblity to check downloaded files against known hashes Some of the packages that Buildroot might build are sensitive packages, related to security: openssl, dropbear, ca-certificates... Some of those packages are downloaded over plain http, because there is no way to get them over a secure channel, such as https. In these dark times of pervasive surveillance, the potential for harm that a tampered-with package could generate, we may want to check the integrity of those sensitive packages. So, each package may now provide a list of hashes for all files that needs to be downloaded, and Buildroot will just fail if any downloaded file does not match its known hash, in which case it is removed. Hashes can be any of the md5, sha1 or sha2 variants, and will be checked even if the file was pre-downloaded. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Baruch Siach <baruch@tkos.co.il> Cc: Arnout Vandecappelle <arnout@mind.be> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar> Reviewed-by: Samuel Martin <s.martin49@gmail.com> Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-07-03 21:36:21 +02:00
# Note: sha3 is not supported, since there is currently no implementation
# (the NIST has yet to publish the parameters).
case "${_h}" in
md5|sha1) ;;
sha224|sha256|sha384|sha512) ;;
*) # Unknown hash, exit with error
printf "ERROR: unknown hash '%s' for '%s'\n" \
pkg-download: verify the hashes from the download wrapper Instead of repeating the check in our download rules, delegate the check of the hashes to the download wrapper. This needs three different changes: - add a new argument to the download wrapper, that is the full path to the hash file; if the hash file does not exist, that does not change the current behaviour, as the existence of the hash file is checked for in the check-hash script; - add a third argument to the check-hash script, to be the basename of the file to check; this is required because we no longer check the final file with the final filename, but an intermediate file with a temporary filename; - do the actual call to the check-hash script from within the download wrapper. This further paves the way to doing pre-download checks of the hashes for the locally cached files. Note: this patch removes the check for hashes for already downloaded files, since the wrapper script exits early. The behaviour to check localy cached files will be restored and enhanced in the following patch. [Thomas: fix minor typo in comment.] Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Cc: Peter Korsgaard <jacmet@uclibc.org> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2014-12-11 23:52:07 +01:00
"${_h}" "${base}" >&2
support/download: return different exit codes for different failures Return different exit codes depending on the error that occured: 0: no error (hash file missing, or all hashes match) 1: unknown option 2: hash file exists, but at least one hash in error 3: hash file exists, but no hash for file to check 4: hash file exists, but at least one hash type unknown This will be used in a later patch to decide whether the downloaded file should be kept or removed. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Cc: Samuel Martin <s.martin49@gmail.com> Cc: Arnout Vandecappelle <arnout@mind.be> Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-04-01 00:15:04 +02:00
exit 4
pkg-infra: add possiblity to check downloaded files against known hashes Some of the packages that Buildroot might build are sensitive packages, related to security: openssl, dropbear, ca-certificates... Some of those packages are downloaded over plain http, because there is no way to get them over a secure channel, such as https. In these dark times of pervasive surveillance, the potential for harm that a tampered-with package could generate, we may want to check the integrity of those sensitive packages. So, each package may now provide a list of hashes for all files that needs to be downloaded, and Buildroot will just fail if any downloaded file does not match its known hash, in which case it is removed. Hashes can be any of the md5, sha1 or sha2 variants, and will be checked even if the file was pre-downloaded. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Baruch Siach <baruch@tkos.co.il> Cc: Arnout Vandecappelle <arnout@mind.be> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar> Reviewed-by: Samuel Martin <s.martin49@gmail.com> Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-07-03 21:36:21 +02:00
;;
esac
# Do the hashes match?
support/download/check-hash: fix shellcheck errors The hash files do not use trailing backslash \ to continue lines, so we don't want them to be interpreted thusly, so we use 'read -r' (SC2162). The h_file is used twice in the same loop, once for reading from it, and once just to print it, so there is no conflict (SC2094). Integrer variables need not be quoted (SC2086). In any case, should there be an actual issue and they be set empty, that would cause a runtime issue, wether they be quoted or not. Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 9cb421c16f9aa026eabe050d94664c137f93eff5) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-03-10 00:44:28 +01:00
_hash="$( "${_h}sum" "${_file}" |cut -d ' ' -f 1 )"
pkg-infra: add possiblity to check downloaded files against known hashes Some of the packages that Buildroot might build are sensitive packages, related to security: openssl, dropbear, ca-certificates... Some of those packages are downloaded over plain http, because there is no way to get them over a secure channel, such as https. In these dark times of pervasive surveillance, the potential for harm that a tampered-with package could generate, we may want to check the integrity of those sensitive packages. So, each package may now provide a list of hashes for all files that needs to be downloaded, and Buildroot will just fail if any downloaded file does not match its known hash, in which case it is removed. Hashes can be any of the md5, sha1 or sha2 variants, and will be checked even if the file was pre-downloaded. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Baruch Siach <baruch@tkos.co.il> Cc: Arnout Vandecappelle <arnout@mind.be> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar> Reviewed-by: Samuel Martin <s.martin49@gmail.com> Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-07-03 21:36:21 +02:00
if [ "${_hash}" = "${_known}" ]; then
pkg-download: verify the hashes from the download wrapper Instead of repeating the check in our download rules, delegate the check of the hashes to the download wrapper. This needs three different changes: - add a new argument to the download wrapper, that is the full path to the hash file; if the hash file does not exist, that does not change the current behaviour, as the existence of the hash file is checked for in the check-hash script; - add a third argument to the check-hash script, to be the basename of the file to check; this is required because we no longer check the final file with the final filename, but an intermediate file with a temporary filename; - do the actual call to the check-hash script from within the download wrapper. This further paves the way to doing pre-download checks of the hashes for the locally cached files. Note: this patch removes the check for hashes for already downloaded files, since the wrapper script exits early. The behaviour to check localy cached files will be restored and enhanced in the following patch. [Thomas: fix minor typo in comment.] Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Cc: Peter Korsgaard <jacmet@uclibc.org> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2014-12-11 23:52:07 +01:00
printf "%s: OK (%s: %s)\n" "${base}" "${_h}" "${_hash}"
pkg-infra: add possiblity to check downloaded files against known hashes Some of the packages that Buildroot might build are sensitive packages, related to security: openssl, dropbear, ca-certificates... Some of those packages are downloaded over plain http, because there is no way to get them over a secure channel, such as https. In these dark times of pervasive surveillance, the potential for harm that a tampered-with package could generate, we may want to check the integrity of those sensitive packages. So, each package may now provide a list of hashes for all files that needs to be downloaded, and Buildroot will just fail if any downloaded file does not match its known hash, in which case it is removed. Hashes can be any of the md5, sha1 or sha2 variants, and will be checked even if the file was pre-downloaded. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Baruch Siach <baruch@tkos.co.il> Cc: Arnout Vandecappelle <arnout@mind.be> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar> Reviewed-by: Samuel Martin <s.martin49@gmail.com> Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-07-03 21:36:21 +02:00
return 0
fi
support/download: teach dl-wrapper to handle more than one hash file Currently, we expect and only use hash files that lie within the package directory, alongside the .mk file. Those hash files are thus bundled with Buildroot. This implies that only what's known to Buildroot can ever get into those hash files. For packages where the version is fixed (or a static choice), then we can carry hashes for those known versions. However, we do have a few packages for which the version is a free-form entry, where the user can provide a custom location and/or version. like a custom VCS tree and revision, or a custom tarball URL. This means that Buildroot has no way to be able to cary hashes for such custom versions. This means that there is no integrity check that what was downloaded is what was expected. For a sha1 in a git tree, this is a minor issue, because the sha1 by itself is already a hash of the expected content. But for custom tarballs URLs, or for a tag in a VCS, there is indeed no integrity check. Buildroot can't provide such hashes, but interested users may want to provide those, and currently there is no (easy) way to do so. So, we need our download helpers to be able to accept more than one hash file to lookup for hashes. Extend the dl-wrapper and the check-hash helpers thusly, and update the legal-info accordingly. Note that, to be able to pass more than one hash file, we also need to re-order the arguments passed to support/download/check-hash, which also impies some shuffling in the three places it is called: - 2 in dl-wrapper - 1 in the legal-info infra That in turn also requires that the legal-license-file macro args get re-ordered to have the hash file last; we take the opportunity to also move the HOST/TARGET arg to be first, like in the other legal-info macros. Reported-by: "Martin Zeiser (mzeiser)" <mzeiser@cisco.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> Cc: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-06 20:09:12 +01:00
printf "ERROR: while checking hashes from %s\n" "${_h_file}" >&2
pkg-download: verify the hashes from the download wrapper Instead of repeating the check in our download rules, delegate the check of the hashes to the download wrapper. This needs three different changes: - add a new argument to the download wrapper, that is the full path to the hash file; if the hash file does not exist, that does not change the current behaviour, as the existence of the hash file is checked for in the check-hash script; - add a third argument to the check-hash script, to be the basename of the file to check; this is required because we no longer check the final file with the final filename, but an intermediate file with a temporary filename; - do the actual call to the check-hash script from within the download wrapper. This further paves the way to doing pre-download checks of the hashes for the locally cached files. Note: this patch removes the check for hashes for already downloaded files, since the wrapper script exits early. The behaviour to check localy cached files will be restored and enhanced in the following patch. [Thomas: fix minor typo in comment.] Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Cc: Peter Korsgaard <jacmet@uclibc.org> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2014-12-11 23:52:07 +01:00
printf "ERROR: %s has wrong %s hash:\n" "${base}" "${_h}" >&2
pkg-infra: add possiblity to check downloaded files against known hashes Some of the packages that Buildroot might build are sensitive packages, related to security: openssl, dropbear, ca-certificates... Some of those packages are downloaded over plain http, because there is no way to get them over a secure channel, such as https. In these dark times of pervasive surveillance, the potential for harm that a tampered-with package could generate, we may want to check the integrity of those sensitive packages. So, each package may now provide a list of hashes for all files that needs to be downloaded, and Buildroot will just fail if any downloaded file does not match its known hash, in which case it is removed. Hashes can be any of the md5, sha1 or sha2 variants, and will be checked even if the file was pre-downloaded. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Baruch Siach <baruch@tkos.co.il> Cc: Arnout Vandecappelle <arnout@mind.be> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar> Reviewed-by: Samuel Martin <s.martin49@gmail.com> Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-07-03 21:36:21 +02:00
printf "ERROR: expected: %s\n" "${_known}" >&2
printf "ERROR: got : %s\n" "${_hash}" >&2
printf "ERROR: Incomplete download, or man-in-the-middle (MITM) attack\n" >&2
support/download: return different exit codes for different failures Return different exit codes depending on the error that occured: 0: no error (hash file missing, or all hashes match) 1: unknown option 2: hash file exists, but at least one hash in error 3: hash file exists, but no hash for file to check 4: hash file exists, but at least one hash type unknown This will be used in a later patch to decide whether the downloaded file should be kept or removed. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Cc: Samuel Martin <s.martin49@gmail.com> Cc: Arnout Vandecappelle <arnout@mind.be> Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-04-01 00:15:04 +02:00
exit 2
pkg-infra: add possiblity to check downloaded files against known hashes Some of the packages that Buildroot might build are sensitive packages, related to security: openssl, dropbear, ca-certificates... Some of those packages are downloaded over plain http, because there is no way to get them over a secure channel, such as https. In these dark times of pervasive surveillance, the potential for harm that a tampered-with package could generate, we may want to check the integrity of those sensitive packages. So, each package may now provide a list of hashes for all files that needs to be downloaded, and Buildroot will just fail if any downloaded file does not match its known hash, in which case it is removed. Hashes can be any of the md5, sha1 or sha2 variants, and will be checked even if the file was pre-downloaded. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Baruch Siach <baruch@tkos.co.il> Cc: Arnout Vandecappelle <arnout@mind.be> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar> Reviewed-by: Samuel Martin <s.martin49@gmail.com> Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-07-03 21:36:21 +02:00
}
# Do we know one or more hashes for that file?
support/download: teach dl-wrapper to handle more than one hash file Currently, we expect and only use hash files that lie within the package directory, alongside the .mk file. Those hash files are thus bundled with Buildroot. This implies that only what's known to Buildroot can ever get into those hash files. For packages where the version is fixed (or a static choice), then we can carry hashes for those known versions. However, we do have a few packages for which the version is a free-form entry, where the user can provide a custom location and/or version. like a custom VCS tree and revision, or a custom tarball URL. This means that Buildroot has no way to be able to cary hashes for such custom versions. This means that there is no integrity check that what was downloaded is what was expected. For a sha1 in a git tree, this is a minor issue, because the sha1 by itself is already a hash of the expected content. But for custom tarballs URLs, or for a tag in a VCS, there is indeed no integrity check. Buildroot can't provide such hashes, but interested users may want to provide those, and currently there is no (easy) way to do so. So, we need our download helpers to be able to accept more than one hash file to lookup for hashes. Extend the dl-wrapper and the check-hash helpers thusly, and update the legal-info accordingly. Note that, to be able to pass more than one hash file, we also need to re-order the arguments passed to support/download/check-hash, which also impies some shuffling in the three places it is called: - 2 in dl-wrapper - 1 in the legal-info infra That in turn also requires that the legal-license-file macro args get re-ordered to have the hash file last; we take the opportunity to also move the HOST/TARGET arg to be first, like in the other legal-info macros. Reported-by: "Martin Zeiser (mzeiser)" <mzeiser@cisco.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> Cc: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-06 20:09:12 +01:00
nb_h_files=0
pkg-infra: add possiblity to check downloaded files against known hashes Some of the packages that Buildroot might build are sensitive packages, related to security: openssl, dropbear, ca-certificates... Some of those packages are downloaded over plain http, because there is no way to get them over a secure channel, such as https. In these dark times of pervasive surveillance, the potential for harm that a tampered-with package could generate, we may want to check the integrity of those sensitive packages. So, each package may now provide a list of hashes for all files that needs to be downloaded, and Buildroot will just fail if any downloaded file does not match its known hash, in which case it is removed. Hashes can be any of the md5, sha1 or sha2 variants, and will be checked even if the file was pre-downloaded. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Baruch Siach <baruch@tkos.co.il> Cc: Arnout Vandecappelle <arnout@mind.be> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar> Reviewed-by: Samuel Martin <s.martin49@gmail.com> Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-07-03 21:36:21 +02:00
nb_checks=0
support/download: teach dl-wrapper to handle more than one hash file Currently, we expect and only use hash files that lie within the package directory, alongside the .mk file. Those hash files are thus bundled with Buildroot. This implies that only what's known to Buildroot can ever get into those hash files. For packages where the version is fixed (or a static choice), then we can carry hashes for those known versions. However, we do have a few packages for which the version is a free-form entry, where the user can provide a custom location and/or version. like a custom VCS tree and revision, or a custom tarball URL. This means that Buildroot has no way to be able to cary hashes for such custom versions. This means that there is no integrity check that what was downloaded is what was expected. For a sha1 in a git tree, this is a minor issue, because the sha1 by itself is already a hash of the expected content. But for custom tarballs URLs, or for a tag in a VCS, there is indeed no integrity check. Buildroot can't provide such hashes, but interested users may want to provide those, and currently there is no (easy) way to do so. So, we need our download helpers to be able to accept more than one hash file to lookup for hashes. Extend the dl-wrapper and the check-hash helpers thusly, and update the legal-info accordingly. Note that, to be able to pass more than one hash file, we also need to re-order the arguments passed to support/download/check-hash, which also impies some shuffling in the three places it is called: - 2 in dl-wrapper - 1 in the legal-info infra That in turn also requires that the legal-license-file macro args get re-ordered to have the hash file last; we take the opportunity to also move the HOST/TARGET arg to be first, like in the other legal-info macros. Reported-by: "Martin Zeiser (mzeiser)" <mzeiser@cisco.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> Cc: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-06 20:09:12 +01:00
for h_file in "${h_files[@]}"; do
[ -f "${h_file}" ] || continue
: $((nb_h_files++))
support/download/check-hash: fix shellcheck errors The hash files do not use trailing backslash \ to continue lines, so we don't want them to be interpreted thusly, so we use 'read -r' (SC2162). The h_file is used twice in the same loop, once for reading from it, and once just to print it, so there is no conflict (SC2094). Integrer variables need not be quoted (SC2086). In any case, should there be an actual issue and they be set empty, that would cause a runtime issue, wether they be quoted or not. Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 9cb421c16f9aa026eabe050d94664c137f93eff5) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-03-10 00:44:28 +01:00
# shellcheck disable=SC2094 # we're really reading it only once
while read -r t h f; do
support/download: teach dl-wrapper to handle more than one hash file Currently, we expect and only use hash files that lie within the package directory, alongside the .mk file. Those hash files are thus bundled with Buildroot. This implies that only what's known to Buildroot can ever get into those hash files. For packages where the version is fixed (or a static choice), then we can carry hashes for those known versions. However, we do have a few packages for which the version is a free-form entry, where the user can provide a custom location and/or version. like a custom VCS tree and revision, or a custom tarball URL. This means that Buildroot has no way to be able to cary hashes for such custom versions. This means that there is no integrity check that what was downloaded is what was expected. For a sha1 in a git tree, this is a minor issue, because the sha1 by itself is already a hash of the expected content. But for custom tarballs URLs, or for a tag in a VCS, there is indeed no integrity check. Buildroot can't provide such hashes, but interested users may want to provide those, and currently there is no (easy) way to do so. So, we need our download helpers to be able to accept more than one hash file to lookup for hashes. Extend the dl-wrapper and the check-hash helpers thusly, and update the legal-info accordingly. Note that, to be able to pass more than one hash file, we also need to re-order the arguments passed to support/download/check-hash, which also impies some shuffling in the three places it is called: - 2 in dl-wrapper - 1 in the legal-info infra That in turn also requires that the legal-license-file macro args get re-ordered to have the hash file last; we take the opportunity to also move the HOST/TARGET arg to be first, like in the other legal-info macros. Reported-by: "Martin Zeiser (mzeiser)" <mzeiser@cisco.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> Cc: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-06 20:09:12 +01:00
case "${t}" in
''|'#'*)
# Skip comments and empty lines
continue
;;
*)
if [ "${f}" = "${base}" ]; then
support/download/check-hash: fix shellcheck errors The hash files do not use trailing backslash \ to continue lines, so we don't want them to be interpreted thusly, so we use 'read -r' (SC2162). The h_file is used twice in the same loop, once for reading from it, and once just to print it, so there is no conflict (SC2094). Integrer variables need not be quoted (SC2086). In any case, should there be an actual issue and they be set empty, that would cause a runtime issue, wether they be quoted or not. Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 9cb421c16f9aa026eabe050d94664c137f93eff5) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-03-10 00:44:28 +01:00
# shellcheck disable=SC2094 # we're only printing the h_file filename
support/download: teach dl-wrapper to handle more than one hash file Currently, we expect and only use hash files that lie within the package directory, alongside the .mk file. Those hash files are thus bundled with Buildroot. This implies that only what's known to Buildroot can ever get into those hash files. For packages where the version is fixed (or a static choice), then we can carry hashes for those known versions. However, we do have a few packages for which the version is a free-form entry, where the user can provide a custom location and/or version. like a custom VCS tree and revision, or a custom tarball URL. This means that Buildroot has no way to be able to cary hashes for such custom versions. This means that there is no integrity check that what was downloaded is what was expected. For a sha1 in a git tree, this is a minor issue, because the sha1 by itself is already a hash of the expected content. But for custom tarballs URLs, or for a tag in a VCS, there is indeed no integrity check. Buildroot can't provide such hashes, but interested users may want to provide those, and currently there is no (easy) way to do so. So, we need our download helpers to be able to accept more than one hash file to lookup for hashes. Extend the dl-wrapper and the check-hash helpers thusly, and update the legal-info accordingly. Note that, to be able to pass more than one hash file, we also need to re-order the arguments passed to support/download/check-hash, which also impies some shuffling in the three places it is called: - 2 in dl-wrapper - 1 in the legal-info infra That in turn also requires that the legal-license-file macro args get re-ordered to have the hash file last; we take the opportunity to also move the HOST/TARGET arg to be first, like in the other legal-info macros. Reported-by: "Martin Zeiser (mzeiser)" <mzeiser@cisco.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> Cc: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-06 20:09:12 +01:00
check_one_hash "${t}" "${h}" "${file}" "${h_file}"
: $((nb_checks++))
fi
;;
esac
done <"${h_file}"
done
support/download/check-hash: fix shellcheck errors The hash files do not use trailing backslash \ to continue lines, so we don't want them to be interpreted thusly, so we use 'read -r' (SC2162). The h_file is used twice in the same loop, once for reading from it, and once just to print it, so there is no conflict (SC2094). Integrer variables need not be quoted (SC2086). In any case, should there be an actual issue and they be set empty, that would cause a runtime issue, wether they be quoted or not. Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 9cb421c16f9aa026eabe050d94664c137f93eff5) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-03-10 00:44:28 +01:00
# shellcheck disable=SC2086 # nb_h_files is a non-empty int
support/download: teach dl-wrapper to handle more than one hash file Currently, we expect and only use hash files that lie within the package directory, alongside the .mk file. Those hash files are thus bundled with Buildroot. This implies that only what's known to Buildroot can ever get into those hash files. For packages where the version is fixed (or a static choice), then we can carry hashes for those known versions. However, we do have a few packages for which the version is a free-form entry, where the user can provide a custom location and/or version. like a custom VCS tree and revision, or a custom tarball URL. This means that Buildroot has no way to be able to cary hashes for such custom versions. This means that there is no integrity check that what was downloaded is what was expected. For a sha1 in a git tree, this is a minor issue, because the sha1 by itself is already a hash of the expected content. But for custom tarballs URLs, or for a tag in a VCS, there is indeed no integrity check. Buildroot can't provide such hashes, but interested users may want to provide those, and currently there is no (easy) way to do so. So, we need our download helpers to be able to accept more than one hash file to lookup for hashes. Extend the dl-wrapper and the check-hash helpers thusly, and update the legal-info accordingly. Note that, to be able to pass more than one hash file, we also need to re-order the arguments passed to support/download/check-hash, which also impies some shuffling in the three places it is called: - 2 in dl-wrapper - 1 in the legal-info infra That in turn also requires that the legal-license-file macro args get re-ordered to have the hash file last; we take the opportunity to also move the HOST/TARGET arg to be first, like in the other legal-info macros. Reported-by: "Martin Zeiser (mzeiser)" <mzeiser@cisco.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> Cc: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-06 20:09:12 +01:00
if [ ${nb_h_files} -eq 0 ]; then
printf "WARNING: no hash file for %s\n" "${base}" >&2
exit 0
fi
pkg-infra: add possiblity to check downloaded files against known hashes Some of the packages that Buildroot might build are sensitive packages, related to security: openssl, dropbear, ca-certificates... Some of those packages are downloaded over plain http, because there is no way to get them over a secure channel, such as https. In these dark times of pervasive surveillance, the potential for harm that a tampered-with package could generate, we may want to check the integrity of those sensitive packages. So, each package may now provide a list of hashes for all files that needs to be downloaded, and Buildroot will just fail if any downloaded file does not match its known hash, in which case it is removed. Hashes can be any of the md5, sha1 or sha2 variants, and will be checked even if the file was pre-downloaded. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Baruch Siach <baruch@tkos.co.il> Cc: Arnout Vandecappelle <arnout@mind.be> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar> Reviewed-by: Samuel Martin <s.martin49@gmail.com> Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-07-03 21:36:21 +02:00
support/download/check-hash: fix shellcheck errors The hash files do not use trailing backslash \ to continue lines, so we don't want them to be interpreted thusly, so we use 'read -r' (SC2162). The h_file is used twice in the same loop, once for reading from it, and once just to print it, so there is no conflict (SC2094). Integrer variables need not be quoted (SC2086). In any case, should there be an actual issue and they be set empty, that would cause a runtime issue, wether they be quoted or not. Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit 9cb421c16f9aa026eabe050d94664c137f93eff5) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-03-10 00:44:28 +01:00
# shellcheck disable=SC2086 # nb_checks is a non-empty int
pkg-infra: add possiblity to check downloaded files against known hashes Some of the packages that Buildroot might build are sensitive packages, related to security: openssl, dropbear, ca-certificates... Some of those packages are downloaded over plain http, because there is no way to get them over a secure channel, such as https. In these dark times of pervasive surveillance, the potential for harm that a tampered-with package could generate, we may want to check the integrity of those sensitive packages. So, each package may now provide a list of hashes for all files that needs to be downloaded, and Buildroot will just fail if any downloaded file does not match its known hash, in which case it is removed. Hashes can be any of the md5, sha1 or sha2 variants, and will be checked even if the file was pre-downloaded. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Baruch Siach <baruch@tkos.co.il> Cc: Arnout Vandecappelle <arnout@mind.be> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar> Reviewed-by: Samuel Martin <s.martin49@gmail.com> Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-07-03 21:36:21 +02:00
if [ ${nb_checks} -eq 0 ]; then
support/download: add possibility to not fail on missing hash In very constrained cases, it might be needed to not fail if a hash is missing. This is notably the case for custom external toolchains to be downloaded, because we do have a .hash file for external toolchains, but we obviously can not have hashes for all existing custom toolchains (he, "custom"!). So, add a way to avoid failing in that case. >From the Makefile, we export the list of files for which not to check the hash. Then, from the check-hash script, if no check was done, and the file we were trying to match in in this exclusion list, we just exit without error. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar> Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Tested-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> changes v6 -> v7: - /beautify/ the pattern in the case clause Changed v5 -> v6: (Arnout) - fix the pattern in the case clause Changes v4 -> v5: - micro-optimisation, use case-esac instead of a for-loop (Arnout) - typoes (Arnout) Changes v3 -> v4: - drop the magic value, use a list of excluded files (Arnout) Changes v1 -> v2: - fix typoes in commit log Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Tested-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-04-23 00:08:38 +02:00
case " ${BR_NO_CHECK_HASH_FOR} " in
*" ${base} "*)
# File explicitly has no hash
exit 0
;;
esac
support/download: always fail when there's no hash At the time we introduced hashes, we did not want to be too harsh in the beginning, and give people some time to adapt and accept the hashes. So we so far only whined^Wwarned about a missing hash (when the .hash file exists). Some time has passed now, and people are still missing updating hashes when bumping packages. Let's make that warning a little bit more annoying... Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Cc: Arnout Vandecappelle <arnout@mind.be> Reviewed-by: Samuel Martin <s.martin49@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-04-01 00:15:06 +02:00
printf "ERROR: No hash found for %s\n" "${base}" >&2
support/download: restore mandatory check of hashes Now that custom external toolchains to be downloaded properly instruct to not fail on a missing hash, restore the mandatory hash check for everything else. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar> Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Acked-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-04-23 00:08:41 +02:00
exit 3
pkg-infra: add possiblity to check downloaded files against known hashes Some of the packages that Buildroot might build are sensitive packages, related to security: openssl, dropbear, ca-certificates... Some of those packages are downloaded over plain http, because there is no way to get them over a secure channel, such as https. In these dark times of pervasive surveillance, the potential for harm that a tampered-with package could generate, we may want to check the integrity of those sensitive packages. So, each package may now provide a list of hashes for all files that needs to be downloaded, and Buildroot will just fail if any downloaded file does not match its known hash, in which case it is removed. Hashes can be any of the md5, sha1 or sha2 variants, and will be checked even if the file was pre-downloaded. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Baruch Siach <baruch@tkos.co.il> Cc: Arnout Vandecappelle <arnout@mind.be> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar> Reviewed-by: Samuel Martin <s.martin49@gmail.com> Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-07-03 21:36:21 +02:00
fi
Reference in New Issue Copy Permalink