ExternalVendorCode/genode
1
0
Fork 0
mirror of https://github.com/genodelabs/genode.git synced 2025-04-07 11:27:29 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

prepare_port: prefer SHA256 file verification

Browse Source 
SHA1 is susceptible to collision attacks and is generally deprecated.
Source code archives are particularly vulnerable because the hash digest
can be tweaked by hiding by arbitrary data in code comments and files
not processed during build.

With this in mind the 'prepare_port' tool now attempts to verify digests
as SHA256 with a fallback to SHA1. When CHECK_HASH=no is set the tool
will refuse to verify digests as SHA1. The use of SHA1 for creating
unique port versions is retained because the hashes are produced locally
from inputs stored in a git history.

Issue #2767
This commit is contained in:
Emery Hemingway 2018-04-19 09:50:09 +02:00 committed by Christian Helmuth
parent b8ad9ad880
commit 80b3994500
1 changed files with 18 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
tool/ports/mk/install.mk
View File

@ -59,7 +59,9 @@ include $(GENODE_DIR)/tool/ports/mk/common.inc
$(call check_tool,wget)
$(call check_tool,patch)
$(call check_tool, $(HASHSUM))
$(call check_tool,sha1sum)
$(call check_tool,sha256sum)
$(call check_tool,$(HASHSUM))
#
# Assertion for the presence of a LICENSE and VERSION declarations in the port
@ -193,6 +195,19 @@ _svn_dir = $(call _assert,$(DIR($1)),Missing declaration of DIR($*))
_file_name = $(call _prefer,$(NAME($1)),$(notdir $(URL($1))))
_verify_sha256 = \
($(ECHO) "$(SHA($1)) $(call _file_name,$1)" \
| sha256sum -c > /dev/null 2> /dev/null)
# Generate shell code for verifying a file
ifeq ($(CHECK_HASH),no)
_verify_sha1 = ($(ECHO) CHECK_HASH=no enables only SHA256 checksums; false)
else
_verify_sha1 = \
($(ECHO) "$(SHA($1)) $(call _file_name,$1)" \
| sha1sum -c > /dev/null 2> /dev/null)
endif
# Some downloads are available via HTTPS only, but wget < 3.14 does not support
# server-name identification, which is used by some sites. So, we disable
# certificate checking in wget and check the validity of the download via SIG
@ -206,10 +221,8 @@ _file_name = $(call _prefer,$(NAME($1)),$(notdir $(URL($1))))
(test -f $$name || $(MSG_DOWNLOAD)$(URL($*))); \
(test -f $$name || wget --quiet --no-check-certificate $(URL($*)) -O $$name) || \
($(ECHO) Error: Download for $* failed; false)
$(VERBOSE)\
($(ECHO) "$(SHA($*)) $(call _file_name,$*)" |\
$(HASHSUM) -c > /dev/null 2> /dev/null) || \
($(ECHO) Error: Hash sum check for $* failed; false)
$(VERBOSE) $(call _verify_sha256,$*) || $(call _verify_sha1,$*) \
|| ($(ECHO) Error: Hash sum check for $* failed; false)
##