[arch-releng] [PATCH] [configs/releng] Add sha256sums for TianoCore efi downloads

Eli Schwartz eschwartz at archlinux.org
Thu Sep 5 03:25:48 UTC 2019


On 9/4/19 11:16 PM, Daniel Edgecumbe wrote:
> We should be integrity checking these downloads.
> 
> This will also aid in future reproducibility efforts as the build will bomb
> out early in case of failure.
> 
> Signed-off-by: Daniel Edgecumbe <git at esotericnonsense.com>
> ---
>  configs/releng/build.sh | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/configs/releng/build.sh b/configs/releng/build.sh
> index 659e8de..857e01d 100755
> --- a/configs/releng/build.sh
> +++ b/configs/releng/build.sh
> @@ -168,9 +168,14 @@ make_efi() {
>          ${script_path}/efiboot/loader/entries/archiso-x86_64-usb.conf > ${work_dir}/iso/loader/entries/archiso-x86_64.conf
>  
>      # EFI Shell 2.0 for UEFI 2.3+
> -    curl -o ${work_dir}/iso/EFI/shellx64_v2.efi https://raw.githubusercontent.com/tianocore/edk2/UDK2018/ShellBinPkg/UefiShell/X64/Shell.efi
> +    echo "Downloading shellx64_v2.efi..."
> +    curl -sSo ${work_dir}/iso/EFI/shellx64_v2.efi https://raw.githubusercontent.com/tianocore/edk2/UDK2018/ShellBinPkg/UefiShell/X64/Shell.efi
> +    echo "04c89f19efee2a22660fd4650ff9add88e962d102b1b713e535f4e32a07c5185 ${work_dir}/iso/EFI/shellx64_v2.efi" | sha256sum -c > /dev/null
> +
>      # EFI Shell 1.0 for non UEFI 2.3+
> -    curl -o ${work_dir}/iso/EFI/shellx64_v1.efi https://raw.githubusercontent.com/tianocore/edk2/UDK2018/EdkShellBinPkg/FullShell/X64/Shell_Full.efi
> +    echo "Downloading shellx64_v1.efi..."
> +    curl -sSo ${work_dir}/iso/EFI/shellx64_v1.efi https://raw.githubusercontent.com/tianocore/edk2/UDK2018/EdkShellBinPkg/FullShell/X64/Shell_Full.efi
> +    echo "ea5e763a8a5f9733dbf7c33ffa16a19e078c6af635b51d8457bc377a22106a8c ${work_dir}/iso/EFI/shellx64_v1.efi" | sha256sum -c > /dev/null
>  }
>  
>  # Prepare efiboot.img::/EFI for "El Torito" EFI boot mode
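
Review bot: In both added "sha256sum -c > /dev/null" lines, the redirect discards the per-file FAILED line that sha256sum prints on stdout, so a mismatch leaves only the summary warning on stderr and the build log does not say which of the two shell binaries failed. Using "sha256sum -c --quiet" instead would suppress the OK line while keeping the failure line. The two "curl -sSo" calls also lack -f, so an HTTP error response body is written to the .efi path and surfaces only as a checksum mismatch; "curl -fsSo" would fail at the download step with the HTTP error.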

+1, this seems a lot more reasonable. Although I wonder if maybe it
would make sense to build it from source ourselves, possibly as a pacman
package.

-- 
Eli Schwartz
Bug Wrangler and Trusted User
