[Buildroot] [PATCH 11/13] pkg-infra: add possiblity to check downloaded files against known hashes

Yann E. MORIN yann.morin.1998 at free.fr
Sun Mar 2 22:19:59 UTC 2014


Samuel, All,

On 2014-03-02 21:10 +0100, Samuel Martin spake thusly:
> Yann,
> 
> On Sun, Mar 2, 2014 at 6:51 PM, Yann E. MORIN <yann.morin.1998 at free.fr> wrote:
> > From: "Yann E. MORIN" <yann.morin.1998 at free.fr>
> >
> > Some of the packages that Buildroot might build are sensitive packages,
> > related to security: openssl, dropbear, ca-certificates...
> >
> > Some of those packages are downloaded over plain http, because there is
> > no way to get them over a secure channel, such as https.
> >
> > In these dark times of pervasive surveillance, the potential for harm that
> > a tampered-with package could generate, we may want to check the integrity
> > of those sensitive packages.
> >
> > So, each package may now provide a list of hashes for all files that needs
> > to be downloaded, and Buildroot will just fail if any downloaded file does
> > not match its known hash.
> >
> > Hashes can be any of the sha1 or sha2 variants, and will be checked even if
> > the file was pre-downloaded.
> >
> > Signed-off-by: "Yann E. MORIN" <yann.morin.1998 at free.fr>
> > Cc: Baruch Siach <baruch at tkos.co.il>
> > Cc: Arnout Vandecappelle <arnout at mind.be>
> > ---
> > Note: this is not a bullet-proof solution, since Buildroot may itself be
> > compromised. But since we do sign our releases, then we secure the list of
> > hashes at the same time. Only random snapshots from the repository may be
> > at risk of tampering, although this is highly doubtfull, given how git
> > stores its data.
> > ---
> >  package/pkg-download.mk     | 27 +++++++++++------
> >  support/download/check-hash | 71 +++++++++++++++++++++++++++++++++++++++++++++
> >  2 files changed, 89 insertions(+), 9 deletions(-)
> >  create mode 100755 support/download/check-hash
> >
> > diff --git a/package/pkg-download.mk b/package/pkg-download.mk
> > index c94ecba..adaccef 100644
> > --- a/package/pkg-download.mk
> > +++ b/package/pkg-download.mk
> > @@ -58,6 +58,17 @@ domainseparator=$(if $(1),$(1),/)
> >  # github(user,package,version): returns site of github repository
> >  github = https://github.com/$(1)/$(2)/tarball/$(3)
> >
> > +# Helper for checking a tarball's checksum
> > +# If the hash does not match, remove the incorrect file
> > +# $(1): the path to the fies with the hashes
> 
> nit:
> s/fies/file/

Already spotted by Gustavo on IRC. Thanks!

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 223 225 172 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'



More information about the buildroot mailing list