author | Klaus Aehlig <klaus.aehlig@huawei.com> | 2022-04-27 14:54:04 +0200 |
---|---|---|
committer | Klaus Aehlig <klaus.aehlig@huawei.com> | 2022-04-27 16:33:07 +0200 |
commit | 5831824bc45ad0cd4affdba3c510785dfb6b2486 (patch) | |
tree | c3db47ec6975ed144384940b524a9b9df67a2f9a /bin/just-mr.py | |
parent | 029ae930011b956a580c991f3e0c2a251de13e64 (diff) | |
download | justbuild-5831824bc45ad0cd4affdba3c510785dfb6b2486.tar.gz |
just-mr: support additional hashes for fetched files
While git's (sha1-based) blob identifier is good for daily use and
strong enough to avoid accidental hash collisions (after all, we're
using git to version our sources), sha1 is no longer considered
safe enough to verify files downloaded through an insecure channel.
Therefore, support additional checksum verification when obtaining
a file from the network.
Diffstat (limited to 'bin/just-mr.py')
-rwxr-xr-x | bin/just-mr.py | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/bin/just-mr.py b/bin/just-mr.py index 5c8109e3..1cb389c5 100755 --- a/bin/just-mr.py +++ b/bin/just-mr.py @@ -257,6 +257,16 @@ def archive_checkout(desc, repo_type="archive", *, fetch_only=False): if not is_in_cas(content_id): url = desc["fetch"] data = subprocess.run(["wget", "-O", "-", url], stdout=subprocess.PIPE).stdout + if "sha256" in desc: + actual_hash = hashlib.sha256(data).hexdigest() + if desc["sha256"] != actual_hash: + fail("SHA256 mismatch for %s, expected %s, found %s" + % (url, desc["sha256"], actual_hash)) + if "sha512" in desc: + actual_hash = hashlib.sha512(data).hexdigest() + if desc["sha512"] != actual_hash: + fail("SHA512 mismatch for %s, expected %s, found %s" + % (url, desc["sha512"], actual_hash)) add_to_cas(data) if not is_in_cas(content_id): fail("Failed to fetch a file with id %s from %s" % (content_id, url)) |
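Review bot: the new sha256/sha512 checks sit inside `if not is_in_cas(content_id):`, so a file is only verified against the strong hash the first time it is fetched; once a blob with that (sha1-based) content_id is in the CAS, later descriptions carrying a "sha256" or "sha512" key are never checked against it. Given that the motivation is precisely that sha1 is not strong enough for downloaded content, consider verifying the expected digest against the CAS entry as well, or at least documenting that the check is fetch-time only. Two smaller points in the same region: `subprocess.run(["wget", "-O", "-", url], stdout=subprocess.PIPE)` has no `check=True`, so a failed download yields empty data and the user sees a misleading "SHA256 mismatch" instead of a fetch error; and the two blocks are identical except for the algorithm name, so a loop such as `for alg in ("sha256", "sha512"): if alg in desc: ...` with `hashlib.new(alg, data).hexdigest()` would keep them from drifting apart, and comparing `desc[alg].lower()` would tolerate upper-case digests in a description. The diffstat shows only these ten insertions, so `hashlib` must already be imported at the top of bin/just-mr.py; worth confirming before merging.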