NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

pkg-download: add option to enforce hash checking

Browse Source 
Currently, when a package is downloaded from a custom location or
version, Buildroot excludes such a package from the mandatory integrity
check with hashes, because it was until now not possible to have such
hashes.

We now have a mechanism which users can leverage to provide additional
hashes, and so custom versions or locations can now be checked too.

Buildroot has no way to know that hashes have indeed been provided for
a custom location/version, and so will still happily ignore an
unchecked package.

However, users who do provide extra hashes most probably do expect that
no download is done without an integrity check, and thus expect that a
missing hash not be ignored.

Add an option that users can select to make Buildroot forcibly require
at least one valid hash, and no invalid hash, for all downloads.

Reported-by: "Martin Zeiser (mzeiser)" <mzeiser@cisco.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
Yann E. MORIN 2023-11-06 20:09:14 +01:00 committed by Peter Korsgaard
parent 5d36710e36
commit e091e31831
2 changed files with 19 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
Config.in
View File

@ -709,6 +709,23 @@ config BR2_FORCE_HOST_BUILD
This option will increase build time.
config BR2_DOWNLOAD_FORCE_CHECK_HASHES
bool "Force all downloads to have a valid hash"
depends on BR2_GLOBAL_PATCH_DIR != ""
help
For packages where a custom version or location can be set,
Buildroot does not carry a hash for those custom versions or
locations, so the integrity of such downloads is not verified.
Say 'y' here to enforce downloads to have at least one valid
hash (and of course, that all hashes be valid).
Those hashes are looked in files in BR2_GLOBAL_PATCH_DIR,
see above.
comment "Forcing all downloads to have a valid hash needs a global patch and hash directory"
depends on BR2_GLOBAL_PATCH_DIR = ""
config BR2_REPRODUCIBLE
bool "Make the build reproducible (experimental)"
# SOURCE_DATE_EPOCH support in toolchain-wrapper requires GCC 4.4

5
package/pkg-download.mk
View File

@ -66,9 +66,7 @@ github = https://github.com/$(1)/$(2)/archive/$(3)
gitlab = https://gitlab.com/$(1)/$(2)/-/archive/$(3)
# Expressly do not check hashes for those files
# Exported variables default to immediately expanded in some versions of
# make, but we need it to be recursively-epxanded, so explicitly assign it.
export BR_NO_CHECK_HASH_FOR =
BR_NO_CHECK_HASH_FOR =
################################################################################
# DOWNLOAD_URIS - List the candidates URIs where to get the package from:
@ -110,6 +108,7 @@ endif
define DOWNLOAD
$(Q)mkdir -p $($(2)_DL_DIR)
$(Q)$(EXTRA_ENV) $($(2)_DL_ENV) \
BR_NO_CHECK_HASH_FOR="$(if $(BR2_DOWNLOAD_FORCE_CHECK_HASHES),,$(BR_NO_CHECK_HASH_FOR))" \
flock $($(2)_DL_DIR)/.lock $(DL_WRAPPER) \
-c '$($(2)_DL_VERSION)' \
-d '$($(2)_DL_DIR)' \