From 5831824bc45ad0cd4affdba3c510785dfb6b2486 Mon Sep 17 00:00:00 2001
From: Klaus Aehlig <klaus.aehlig@huawei.com>
Date: Wed, 27 Apr 2022 14:54:04 +0200
Subject: just-mr: support additional hashes for fetched files

While git's (sha1-based) blob identifier is good for daily use and
strong enough to avoid accidental hash collisions (after all, we're
using git to version our sources), sha1 is no longer considered
safe enough to verify files downloaded through an unsecure channel.
Therefore, support additional checksum verification when obtaining
a file from the network.
---
 bin/just-mr.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'bin/just-mr.py')

diff --git a/bin/just-mr.py b/bin/just-mr.py
index 5c8109e3..1cb389c5 100755
--- a/bin/just-mr.py
+++ b/bin/just-mr.py
@@ -257,6 +257,16 @@ def archive_checkout(desc, repo_type="archive", *, fetch_only=False):
     if not is_in_cas(content_id):
         url = desc["fetch"]
         data = subprocess.run(["wget", "-O", "-", url], stdout=subprocess.PIPE).stdout
+        if "sha256" in desc:
+            actual_hash = hashlib.sha256(data).hexdigest()
+            if desc["sha256"] != actual_hash:
+                fail("SHA256 mismatch for %s, expected %s, found %s"
+                     % (url, desc["sha256"], actual_hash))
+        if "sha512" in desc:
+            actual_hash = hashlib.sha512(data).hexdigest()
+            if desc["sha512"] != actual_hash:
+                fail("SHA512 mismatch for %s, expected %s, found %s"
+                     % (url, desc["sha512"], actual_hash))
         add_to_cas(data)
         if not is_in_cas(content_id):
             fail("Failed to fetch a file with id %s from %s" % (content_id, url))
-- 
cgit v1.2.3