[pacman-dev] [PATCH] Use openssl for checksum verification instead of *sum utilities

Dan McGee dpmcgee at gmail.com
Fri May 30 16:33:51 EDT 2008


On Fri, May 30, 2008 at 2:52 PM, Sebastian Nowicki <sebnow at gmail.com> wrote:
> md5sum, sha1sum, etc, do not exist on BSD systems by default. Openssl is
> a good portable alternative, but it does not support sha256, sha384, or
> sha512. This also brings in a dependency for openssl.
>
> Signed-off-by: Sebastian Nowicki <sebnow at gmail.com>
> ---
>  doc/makepkg.conf.5.txt |    2 +-
>  etc/makepkg.conf.in    |    2 +-
>  scripts/makepkg.sh.in  |    8 ++++----
>  3 files changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/doc/makepkg.conf.5.txt b/doc/makepkg.conf.5.txt
> index 113ad14..c662568 100644
> --- a/doc/makepkg.conf.5.txt
> +++ b/doc/makepkg.conf.5.txt
> @@ -126,7 +126,7 @@ Options
>  **INTEGRITY_CHECK=(**check1 ...**)**::
>        File integrity checks to use. Multiple checks may be specified; this
>        affects both generation and checking. The current valid options are:
> -       `md5`, `sha1`, `sha256`, `sha384`, and `sha512`.
> +       `md5` and `sha1`.
>
>  **DOC_DIRS=(**usr/{,share/}{info,doc} ...**)**::
>        If "!docs" is specified in the OPTIONS array, this variable will
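
Review bot: The shortened list at "`md5` and `sha1`" in the INTEGRITY_CHECK entry gives the reader no reason for the restriction and does not mention that makepkg now needs openssl at run time. Suggest adding a sentence to this entry that states the openssl requirement, so a user whose configuration still lists `sha256` understands why it is rejected.
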
> diff --git a/etc/makepkg.conf.in b/etc/makepkg.conf.in
> index 47ed0a4..62dc496 100644
> --- a/etc/makepkg.conf.in
> +++ b/etc/makepkg.conf.in
> @@ -69,7 +69,7 @@ BUILDENV=(fakeroot !distcc color !ccache !xdelta)
>  #
>  OPTIONS=(strip !docs libtool emptydirs zipman)
>
> -#-- File integrity checks to use. Valid: md5, sha1, sha256, sha384, sha512
> +#-- File integrity checks to use. Valid: md5, sha1
>  INTEGRITY_CHECK=(md5)
>  #-- Info and doc directories to remove (if option set correctly above)
>  DOC_DIRS=(usr/{,share/}{info,doc,gtk-doc} opt/*/{info,doc,gtk-doc})
> diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
> index 6e2f1ad..aaf1ad6 100644
> --- a/scripts/makepkg.sh.in
> +++ b/scripts/makepkg.sh.in
> @@ -474,7 +474,7 @@ generate_checksums() {
>        for integ in ${INTEGRITY_CHECK[@]}; do
>                integ="$(echo $integ | tr [:upper:] [:lower:])"
>                case "$integ" in
> -                       md5|sha1|sha256|sha384|sha512) : ;;
> +                       md5|sha1) : ;;
>                        *)
>                                error "$(gettext "Invalid integrity algorithm '%s' specified.")" "$integ"
>                                exit 1;; # $E_CONFIG_ERROR
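
Review bot: Narrowing the `case` pattern to `md5|sha1` in generate_checksums turns a previously accepted `INTEGRITY_CHECK=(sha256)` into the "Invalid integrity algorithm" error followed by `exit 1`, and keeps only the two weakest digests of the original five. Suggest leaving the full pattern in place and deciding per algorithm at run time whether a program is available to compute it, instead of hardcoding the reduced set.
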
> @@ -510,7 +510,7 @@ generate_checksums() {
>                                fi
>                        fi
>
> -                       local sum="$(${integ}sum "$file" | cut -d ' ' -f 1)"
> +                       local sum="$(openssl dgst -${integ} "$file" | awk '{print $2}')"
>                        [ $ct -gt 0 ] && echo -n "$indent"
>                        echo -n "'$sum'"
>                        ct=$(($ct+1))
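
Review bot: `awk '{print $2}'` on the `openssl dgst` line assumes the file name contains no whitespace. The output has the form `MD5(name)= hex`, so for a source named `my file.tar.gz` field 2 is a fragment of the name and not the digest. Take the last field (`awk '{print $NF}'`) or feed the file on stdin, and check that the result is non-empty before `echo -n "'$sum'"`, because a missing or failing openssl currently produces `''` in the generated array without any error.
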
> @@ -526,7 +526,7 @@ check_checksums() {
>        for integ in ${INTEGRITY_CHECK[@]}; do
>                integ="$(echo $integ | tr [:upper:] [:lower:])"
>                case "$integ" in
> -                       md5|sha1|sha256|sha384|sha512) : ;;
> +                       md5|sha1) : ;;
>                        *)
>                                error "$(gettext "Invalid integrity algorithm '%s' specified")" "$integ"
>                                exit 1;; # $E_CONFIG_ERROR
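
Review bot: The `md5|sha1` pattern in check_checksums is a second copy of the list edited in generate_checksums, so the two have to be changed in lockstep on every update. Suggest defining the accepted algorithms once and using that in both functions. While here, the error string in this function lacks the trailing period that the generate_checksums message has.
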
> @@ -557,7 +557,7 @@ check_checksums() {
>                                        fi
>                                fi
>
> -                               if echo "${integrity_sums[$idx]}  $file" | ${integ}sum --status -c - &>/dev/null; then
> +                               if [ "${integrity_sums[$idx]}" = "$(openssl dgst -${integ} "$file" | awk '{print $2}')" ]; then
>                                        echo "$(gettext "Passed")" >&2
>                                else
>                                        echo "$(gettext "FAILED")" >&2
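
Review bot: The `[ ... = ... ]` test in check_checksums is an exact, case-sensitive string match, so a stored sum written with upper-case hex digits reports FAILED, and it inherits the `awk '{print $2}'` parsing that breaks on file names containing spaces. If both sides are empty (no stored sum at that index and openssl absent or failing) the test succeeds and prints "Passed". Suggest computing the digest into a variable first, rejecting an empty result explicitly, and lower-casing `${integrity_sums[$idx]}` before the comparison.
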
> --
Ok, can we take a slightly different approach to this in order to not
reduce functionality? How about we check for the existence of the
${integ}sum programs first (or at least the one we need), and then
somehow fall back to the openssl binary if necessary? If we have an
array of sha256 sums, then we would spit a big warning saying we could
not verify these sums due to us not having a program to verify them.

Of course, I have no idea how easy this is, but I'm really against
losing functionality.

-Dan
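
The fallback proposed in the reply above, sketched as an added example that is not part of the original message or of makepkg. The function names `compute_digest`, `verify_checksum` and `demo` are hypothetical, and reading the file on stdin and the return-code convention are choices made here.

```bash
#!/bin/bash
# Added example: compute_digest, verify_checksum and demo are hypothetical
# names, not makepkg functions.

# Print the lowercase hex digest of FILE for ALGO. Returns 1 for a bad
# algorithm or unreadable file, 2 when no installed program can compute ALGO.
compute_digest() {
    local algo="$1" file="$2" out=""
    case "$algo" in
        md5|sha1|sha256|sha384|sha512) ;;
        *) return 1 ;;
    esac
    [ -r "$file" ] || return 1
    # The file goes in on stdin so its name never appears in the parsed output.
    if command -v "${algo}sum" >/dev/null 2>&1; then
        out=$("${algo}sum" < "$file") || out=""
        out=${out%% *}                  # "<hex>  -"
    fi
    if [ -z "$out" ] && command -v openssl >/dev/null 2>&1; then
        out=$(openssl dgst "-${algo}" < "$file" 2>/dev/null) || out=""
        out=${out##* }                  # "...(stdin)= <hex>" or bare "<hex>"
    fi
    [ -n "$out" ] || return 2
    printf '%s\n' "$out"
}

# Returns 0 on match, 1 on mismatch or error, 2 (after a warning) when the
# sum cannot be verified because no suitable program is installed.
verify_checksum() {
    local algo="$1" file="$2" expected="$3" actual="" rc=0
    actual=$(compute_digest "$algo" "$file") || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "WARNING: cannot verify $algo sum of $file: no program found" >&2
        return 2
    fi
    [ "$rc" -eq 0 ] || return 1
    # Accept upper-case hex digits in the stored sum.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Constructed sample: a file holding "abc" and its MD5, written in upper case.
demo() {
    local f rc=0
    f=$(mktemp) || return 1
    printf 'abc' > "$f"
    verify_checksum md5 "$f" 900150983CD24FB0D6963F7D28E17F72 || rc=$?
    rm -f "$f"
    return "$rc"
}
```

A caller would treat return code 2 as "not verified, warning shown" and keep it distinct from both a pass and a mismatch.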



