[arch-releng] [PATCH] [configs/releng] Add sha256sums for TianoCore efi downloads

Daniel Edgecumbe email at esotericnonsense.com
Thu Sep 5 12:41:35 UTC 2019


I'm not so sure about building from source; that may make sense, but I do think
that having history beyond 'here is the hash, it was this file' is useful.

There are some other parts of the releng build that I think should probably either be
packages (and therefore mirrored, and therefore archived or at least have reasonable
ways to determine the history of) or at least not simply be pulled in at build time
like that.

The pacman mirror list, for example, is pulled in from the generator at build time;
this can probably be replaced by using the pacman-mirrorlist package.

Daniel

On 05/09/2019 05.25, Eli Schwartz via arch-releng wrote:
> On 9/4/19 11:16 PM, Daniel Edgecumbe wrote:
>> We should be integrity checking these downloads.
>>
>> This will also aid in future reproducibility efforts as the build will bomb
>> out early in case of failure.
>>
>> Signed-off-by: Daniel Edgecumbe <git at esotericnonsense.com>
>> ---
>>  configs/releng/build.sh | 9 +++++++--
>>  1 file changed, 7 insertions(+), 2 deletions(-)
>>
>> diff --git a/configs/releng/build.sh b/configs/releng/build.sh
>> index 659e8de..857e01d 100755
>> --- a/configs/releng/build.sh
>> +++ b/configs/releng/build.sh
>> @@ -168,9 +168,14 @@ make_efi() {
>>          ${script_path}/efiboot/loader/entries/archiso-x86_64-usb.conf > ${work_dir}/iso/loader/entries/archiso-x86_64.conf
>>  
>>      # EFI Shell 2.0 for UEFI 2.3+
>> -    curl -o ${work_dir}/iso/EFI/shellx64_v2.efi https://raw.githubusercontent.com/tianocore/edk2/UDK2018/ShellBinPkg/UefiShell/X64/Shell.efi
>> +    echo "Downloading shellx64_v2.efi..."
>> +    curl -sSo ${work_dir}/iso/EFI/shellx64_v2.efi https://raw.githubusercontent.com/tianocore/edk2/UDK2018/ShellBinPkg/UefiShell/X64/Shell.efi
>> +    echo "04c89f19efee2a22660fd4650ff9add88e962d102b1b713e535f4e32a07c5185 ${work_dir}/iso/EFI/shellx64_v2.efi" | sha256sum -c > /dev/null
>> +
>>      # EFI Shell 1.0 for non UEFI 2.3+
>> -    curl -o ${work_dir}/iso/EFI/shellx64_v1.efi https://raw.githubusercontent.com/tianocore/edk2/UDK2018/EdkShellBinPkg/FullShell/X64/Shell_Full.efi
>> +    echo "Downloading shellx64_v1.efi..."
>> +    curl -sSo ${work_dir}/iso/EFI/shellx64_v1.efi https://raw.githubusercontent.com/tianocore/edk2/UDK2018/EdkShellBinPkg/FullShell/X64/Shell_Full.efi
>> +    echo "ea5e763a8a5f9733dbf7c33ffa16a19e078c6af635b51d8457bc377a22106a8c ${work_dir}/iso/EFI/shellx64_v1.efi" | sha256sum -c > /dev/null
>>  }
>>  
>>  # Prepare efiboot.img::/EFI for "El Torito" EFI boot mode
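
Review bot: the two `sha256sum -c > /dev/null` lines do not check their own exit status, so the early abort described in the commit message depends on errexit being active elsewhere in build.sh, which this hunk does not show; if it is not, append an explicit `|| exit 1` to each check. `${work_dir}` is unquoted in both the curl and echo lines, so a work directory containing whitespace would break the download path and the checksum line. Both URLs reference the `UDK2018` branch rather than a fixed commit, so a change on that branch fails the check with no record of which revision the recorded hash came from; a commit id in the URL, or in a comment beside each hash, would keep that history. Adding `-f` to the curl calls would also make an HTTP error fail at the download step instead of surfacing only as a checksum mismatch.
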
> 
> +1, this seems a lot more reasonable. Although I wonder if maybe it
> would make sense to build it from source ourselves, possibly as a pacman
> package.
> 

-- 
Daniel Edgecumbe | esotericnonsense
Kalix NO, Sverige | +358 46 584 2810
email at esotericnonsense.com | https://esotericnonsense.com

