[Buildroot] [PATCH 10/12] pkg-infra: add possibility to check downloaded files against known hashes
Thomas De Schampheleire
patrickdepinguin at gmail.com
Tue Jun 10 19:42:23 UTC 2014
Hi Yann,
On Sun, Jun 8, 2014 at 10:43 PM, Yann E. MORIN <yann.morin.1998 at free.fr> wrote:
[..]
> diff --git a/support/download/check-hash b/support/download/check-hash
> new file mode 100755
> index 0000000..d498752
> --- /dev/null
> +++ b/support/download/check-hash
> @@ -0,0 +1,76 @@
> +#!/bin/sh
> +set -e
> +
> +# Helper to check a file matches its known hash
> +# Call it with:
> +# $1: the full path to the file to check
> +# $2: the path of the file containing all the the expected hashes
> +
> +h_file="${1}"
> +file="${2}"
> +
> +# Does the hash-file exist?
> +if [ ! -f "${h_file}" ]; then
> + exit 0
> +fi
> +
> +# Check one hash for a file
> +# $1: known hash
> +# $2: file (full path)
> +check_one_hash() {
> + _h="${1}"
> + _known="${2}"
> + _file="${3}"
> +
> + # Note: sha3 is not supported, since there is currently no implemetation
nit: implementation
> + # (the NIST has yet to publish the parameters).
> + case "${_h}" in
> + md5|sha1) ;;
> + sha224|sha256|sha384|sha512) ;;
> + *) # Unknown hash, exit with error
> + printf "ERROR: unknown hash '%s' for '%s'\n" \
> + "${_h}" "${_file##*/}" >&2
> + exit 1
> + ;;
> + esac
> +
> + # Do the hashes match?
> + _hash=$( ${_h}sum "${_file}" |cut -d ' ' -f 1 )
> + if [ "${_hash}" = "${_known}" ]; then
> + printf "%s: OK (%s: %s)\n" "${_file##*/}" "${_h}" "${_hash}"
> + return 0
> + fi
> +
> + printf "ERROR: %s has wrong %s hash:\n" "${_file##*/}" "${_h}" >&2
> + printf "ERROR: expected: %s\n" "${_known}" >&2
> + printf "ERROR: got : %s\n" "${_hash}" >&2
> + printf "ERROR: Incomplete download, or MITM attack\n" >&2
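Review bot: the argument order documented in the header comment does not match the assignments: the comment says $1 is the file to check and $2 the file containing the expected hashes, but the script then does `h_file="${1}"` and `file="${2}"`, so either the comment or the two assignments should be swapped before callers start depending on one of them. Similarly, the comment above check_one_hash() lists two parameters ($1: known hash, $2: file) while the body reads three (_h, _known, _file); the comment should list the hash type as $1, the known hash as $2 and the file as $3. One more point on the early `exit 0` when the hash file is absent: a package with no hash file is silently treated as verified, so it would help to print a notice in that branch so the unverified case shows up in the build log.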
I would write MITM in full: the average user will not know or realize
what it means.
[..]
Best regards,
Thomas