From 7938949369daaca5def35fc2cf245cb394e871c6 Mon Sep 17 00:00:00 2001 From: "Yann E. MORIN" Date: Mon, 6 Nov 2023 20:09:14 +0100 Subject: [PATCH] pkg-download: add option to enforce hash checking Currently, when a package is downloaded from a custom location or version, Buildroot excludes such a package from the mandatory integrity check with hashes, because it was until now not possible to have such hashes. We now have a mechanism which users can leverage to provide additional hashes, and so custom versions or locations can now be checked too. Buildroot has no way to know that hashes have indeed been provided for a custom location/version, and so will still happily ignore an unchecked package. However, users who do provide extra hashes most probably do expect that no download is done without an integrity check, and thus expect that a missing hash not be ignored. Add an option that users can select to make Buildroot forcibly require at least one valid hash, and no invalid hash, for all downloads. Reported-by: "Martin Zeiser (mzeiser)" Signed-off-by: Yann E. MORIN Signed-off-by: Peter Korsgaard (cherry picked from commit e091e31831122b60b084bd755e94df4dfe7188d2) Signed-off-by: Peter Korsgaard --- Config.in | 17 +++++++++++++++++ package/pkg-download.mk | 5 ++--- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/Config.in b/Config.in index 339c28f29c..d3bf6000ca 100644 --- a/Config.in +++ b/Config.in @@ -699,6 +699,23 @@ config BR2_FORCE_HOST_BUILD This option will increase build time. +config BR2_DOWNLOAD_FORCE_CHECK_HASHES + bool "Force all downloads to have a valid hash" + depends on BR2_GLOBAL_PATCH_DIR != "" + help + For packages where a custom version or location can be set, + Buildroot does not carry a hash for those custom versions or + locations, so the integrity of such downloads is not verified. + + Say 'y' here to enforce downloads to have at least one valid + hash (and of course, that all hashes be valid). + + Those hashes are looked in files in BR2_GLOBAL_PATCH_DIR, + see above. + +comment "Forcing all downloads to have a valid hash needs a global patch and hash directory" + depends on BR2_GLOBAL_PATCH_DIR = "" + config BR2_REPRODUCIBLE bool "Make the build reproducible (experimental)" # SOURCE_DATE_EPOCH support in toolchain-wrapper requires GCC 4.4 diff --git a/package/pkg-download.mk b/package/pkg-download.mk index 44cc178dea..078470808e 100644 --- a/package/pkg-download.mk +++ b/package/pkg-download.mk @@ -66,9 +66,7 @@ github = https://github.com/$(1)/$(2)/archive/$(3) gitlab = https://gitlab.com/$(1)/$(2)/-/archive/$(3) # Expressly do not check hashes for those files -# Exported variables default to immediately expanded in some versions of -# make, but we need it to be recursively-epxanded, so explicitly assign it. -export BR_NO_CHECK_HASH_FOR = +BR_NO_CHECK_HASH_FOR = ################################################################################ # DOWNLOAD_URIS - List the candidates URIs where to get the package from: @@ -110,6 +108,7 @@ endif define DOWNLOAD $(Q)mkdir -p $($(2)_DL_DIR) $(Q)$(EXTRA_ENV) $($(2)_DL_ENV) \ + BR_NO_CHECK_HASH_FOR="$(if $(BR2_DOWNLOAD_FORCE_CHECK_HASHES),,$(BR_NO_CHECK_HASH_FOR))" \ flock $($(2)_DL_DIR)/.lock $(DL_WRAPPER) \ -c '$($(2)_DL_VERSION)' \ -d '$($(2)_DL_DIR)' \