domenico/openwrt-R7800-nss
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

build: stricter hash validation on download

Browse Source 
Check the hash after packing the checkout and fail the build if it
does not match.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
This commit is contained in:
Felix Fietkau
2025-07-21 18:32:50 +02:00
parent 9dddc0bed0
commit 042996b46b
1 changed files with 11 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
include/download.mk
View File

@@ -154,7 +154,17 @@ endef
# $(2): "PKG_" if <name> as in Download/<name> is "default", otherwise "Download/<name>:" # $(2): "PKG_" if <name> as in Download/<name> is "default", otherwise "Download/<name>:"
# $(3): shell command sequence to do the download # $(3): shell command sequence to do the download
define wrap_mirror define wrap_mirror
$(if $(if $(MIRROR),$(filter-out x,$(MIRROR_HASH))),$(SCRIPT_DIR)/download.pl "$(DL_DIR)" "$(FILE)" "$(MIRROR_HASH)" "" || ( $(3) ),$(3)) \ $(if $(if $(MIRROR), \
$(filter-out x,$(MIRROR_HASH))),$(SCRIPT_DIR)/download.pl "$(DL_DIR)" "$(FILE)" "$(MIRROR_HASH)" "" || \
( $(3) ) \
$(if $(filter-out x,$(MIRROR_HASH)), && ( \
file_hash="$$$$($(MKHASH) sha256 "$(DL_DIR)/$(FILE)")"; \
[ "$$$$file_hash" = "$(MIRROR_HASH)" ] || { \
echo "Hash mismatch for file $(FILE): expected $(MIRROR_HASH), got $$$$file_hash"; \
false; \
}; \
)),
$(3)) \
$(if $(filter check,$(1)), \ $(if $(filter check,$(1)), \
$(call check_hash,$(FILE),$(MIRROR_HASH),$(2)MIRROR_$(call hash_var,$(MIRROR_MD5SUM))) \ $(call check_hash,$(FILE),$(MIRROR_HASH),$(2)MIRROR_$(call hash_var,$(MIRROR_MD5SUM))) \
$(call check_md5,$(MIRROR_MD5SUM),$(2)MIRROR_MD5SUM,$(2)MIRROR_HASH) \ $(call check_md5,$(MIRROR_MD5SUM),$(2)MIRROR_MD5SUM,$(2)MIRROR_HASH) \