9bd8b59526
Some of the packages that Buildroot might build are sensitive packages, related to security: openssl, dropbear, ca-certificates... Some of those packages are downloaded over plain http, because there is no way to get them over a secure channel, such as https. In these dark times of pervasive surveillance, the potential for harm that a tampered-with package could generate, we may want to check the integrity of those sensitive packages. So, each package may now provide a list of hashes for all files that needs to be downloaded, and Buildroot will just fail if any downloaded file does not match its known hash, in which case it is removed. Hashes can be any of the md5, sha1 or sha2 variants, and will be checked even if the file was pre-downloaded. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Baruch Siach <baruch@tkos.co.il> Cc: Arnout Vandecappelle <arnout@mind.be> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar> Reviewed-by: Samuel Martin <s.martin49@gmail.com> Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
77 lines
1.9 KiB
Bash
Executable File
77 lines
1.9 KiB
Bash
Executable File
#!/bin/bash
|
|
set -e
|
|
|
|
# Helper to check a file matches its known hash
|
|
# Call it with:
|
|
# $1: the full path to the file to check
|
|
# $2: the path of the file containing all the the expected hashes
|
|
|
|
h_file="${1}"
|
|
file="${2}"
|
|
|
|
# Does the hash-file exist?
|
|
if [ ! -f "${h_file}" ]; then
|
|
exit 0
|
|
fi
|
|
|
|
# Check one hash for a file
|
|
# $1: known hash
|
|
# $2: file (full path)
|
|
check_one_hash() {
|
|
_h="${1}"
|
|
_known="${2}"
|
|
_file="${3}"
|
|
|
|
# Note: sha3 is not supported, since there is currently no implementation
|
|
# (the NIST has yet to publish the parameters).
|
|
case "${_h}" in
|
|
md5|sha1) ;;
|
|
sha224|sha256|sha384|sha512) ;;
|
|
*) # Unknown hash, exit with error
|
|
printf "ERROR: unknown hash '%s' for '%s'\n" \
|
|
"${_h}" "${_file##*/}" >&2
|
|
exit 1
|
|
;;
|
|
esac
|
|
|
|
# Do the hashes match?
|
|
_hash=$( ${_h}sum "${_file}" |cut -d ' ' -f 1 )
|
|
if [ "${_hash}" = "${_known}" ]; then
|
|
printf "%s: OK (%s: %s)\n" "${_file##*/}" "${_h}" "${_hash}"
|
|
return 0
|
|
fi
|
|
|
|
printf "ERROR: %s has wrong %s hash:\n" "${_file##*/}" "${_h}" >&2
|
|
printf "ERROR: expected: %s\n" "${_known}" >&2
|
|
printf "ERROR: got : %s\n" "${_hash}" >&2
|
|
printf "ERROR: Incomplete download, or man-in-the-middle (MITM) attack\n" >&2
|
|
|
|
exit 1
|
|
}
|
|
|
|
# Do we know one or more hashes for that file?
|
|
nb_checks=0
|
|
while read t h f; do
|
|
case "${t}" in
|
|
''|'#'*)
|
|
# Skip comments and empty lines
|
|
continue
|
|
;;
|
|
*)
|
|
if [ "${f}" = "${file##*/}" ]; then
|
|
check_one_hash "${t}" "${h}" "${file}"
|
|
: $((nb_checks++))
|
|
fi
|
|
;;
|
|
esac
|
|
done <"${h_file}"
|
|
|
|
if [ ${nb_checks} -eq 0 ]; then
|
|
if [ -n "${BR2_ENFORCE_CHECK_HASH}" ]; then
|
|
printf "ERROR: No hash found for %s\n" "${file}" >&2
|
|
exit 1
|
|
else
|
|
printf "WARNING: No hash found for %s\n" "${file}" >&2
|
|
fi
|
|
fi
|