[pacman-dev] [PATCH] Use openssl for checksum verification instead of *sum utilities
Roman Kyrylych
roman.kyrylych at gmail.com
Sat May 31 02:34:02 EDT 2008
2008/5/30 Dan McGee <dpmcgee at gmail.com>:
> On Fri, May 30, 2008 at 2:52 PM, Sebastian Nowicki <sebnow at gmail.com> wrote:
>> md5sum, sha1sum, etc, do not exist on BSD systems by default. Openssl is
>> a good portable alternative, but it does not support sha256, sha384, or
>> sha512. This also brings in a dependency for openssl.
>>
>> Signed-off-by: Sebastian Nowicki <sebnow at gmail.com>
>> ---
>> doc/makepkg.conf.5.txt | 2 +-
>> etc/makepkg.conf.in | 2 +-
>> scripts/makepkg.sh.in | 8 ++++----
>> 3 files changed, 6 insertions(+), 6 deletions(-)
>>
>> diff --git a/doc/makepkg.conf.5.txt b/doc/makepkg.conf.5.txt
>> index 113ad14..c662568 100644
>> --- a/doc/makepkg.conf.5.txt
>> +++ b/doc/makepkg.conf.5.txt
>> @@ -126,7 +126,7 @@ Options
>> **INTEGRITY_CHECK=(**check1 ...**)**::
>> File integrity checks to use. Multiple checks may be specified; this
>> affects both generation and checking. The current valid options are:
>> - `md5`, `sha1`, `sha256`, `sha384`, and `sha512`.
>> + `md5` and `sha1`.
>>
>> **DOC_DIRS=(**usr/{,share/}{info,doc} ...**)**::
>> If "!docs" is specified in the OPTIONS array, this variable will
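Review bot: The new valid-options line (`md5` and `sha1`) drops sha256, sha384 and sha512 without telling the reader why, or what to do with an existing INTEGRITY_CHECK that names them. Since the script hunks in this patch make those values hit the "Invalid integrity algorithm" error, the man page should say that openssl is now required and that the list is limited to what it is used for here. The change also leaves only the two digests with known collision weaknesses, which is worth stating next to the list.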
>> diff --git a/etc/makepkg.conf.in b/etc/makepkg.conf.in
>> index 47ed0a4..62dc496 100644
>> --- a/etc/makepkg.conf.in
>> +++ b/etc/makepkg.conf.in
>> @@ -69,7 +69,7 @@ BUILDENV=(fakeroot !distcc color !ccache !xdelta)
>> #
>> OPTIONS=(strip !docs libtool emptydirs zipman)
>>
>> -#-- File integrity checks to use. Valid: md5, sha1, sha256, sha384, sha512
>> +#-- File integrity checks to use. Valid: md5, sha1
>> INTEGRITY_CHECK=(md5)
>> #-- Info and doc directories to remove (if option set correctly above)
>> DOC_DIRS=(usr/{,share/}{info,doc,gtk-doc} opt/*/{info,doc,gtk-doc})
>> diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
>> index 6e2f1ad..aaf1ad6 100644
>> --- a/scripts/makepkg.sh.in
>> +++ b/scripts/makepkg.sh.in
>> @@ -474,7 +474,7 @@ generate_checksums() {
>> for integ in ${INTEGRITY_CHECK[@]}; do
>> integ="$(echo $integ | tr [:upper:] [:lower:])"
>> case "$integ" in
>> - md5|sha1|sha256|sha384|sha512) : ;;
>> + md5|sha1) : ;;
>> *)
>> error "$(gettext "Invalid integrity algorithm '%s' specified.")" "$integ"
>> exit 1;; # $E_CONFIG_ERROR
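Review bot: Narrowing the case pattern to `md5|sha1) : ;;` in generate_checksums turns a previously valid INTEGRITY_CHECK entry such as sha256 into a hard `exit 1`, and the same pattern change is repeated in check_checksums. Rather than shrinking the accepted list, keep the original pattern and decide per algorithm whether a tool is available, reporting the missing tool instead of "Invalid integrity algorithm".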
>> @@ -510,7 +510,7 @@ generate_checksums() {
>> fi
>> fi
>>
>> - local sum="$(${integ}sum "$file" | cut -d ' ' -f 1)"
>> + local sum="$(openssl dgst -${integ} "$file" | awk '{print $2}')"
>> [ $ct -gt 0 ] && echo -n "$indent"
>> echo -n "'$sum'"
>> ct=$(($ct+1))
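Review bot: On the new `local sum=...` line, awk '{print $2}' assumes the digest is the second whitespace-separated field of openssl's "MD5(file)= hex" output, which breaks as soon as $file contains a space; take the last field (awk '{print $NF}') or feed the file on stdin. Because `local` masks the exit status of the command substitution, a missing or failing openssl also goes unnoticed and an empty '' is written into the generated array. Declare the variable first, assign on a separate line, and check that the result is non-empty.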
>> @@ -526,7 +526,7 @@ check_checksums() {
>> for integ in ${INTEGRITY_CHECK[@]}; do
>> integ="$(echo $integ | tr [:upper:] [:lower:])"
>> case "$integ" in
>> - md5|sha1|sha256|sha384|sha512) : ;;
>> + md5|sha1) : ;;
>> *)
>> error "$(gettext "Invalid integrity algorithm '%s' specified")" "$integ"
>> exit 1;; # $E_CONFIG_ERROR
>> @@ -557,7 +557,7 @@ check_checksums() {
>> fi
>> fi
>>
>> - if echo "${integrity_sums[$idx]} $file" | ${integ}sum --status -c - &>/dev/null; then
>> + if [ "${integrity_sums[$idx]}" = "$(openssl dgst -${integ} "$file" | awk '{print $2}')" ]; then
>> echo "$(gettext "Passed")" >&2
>> else
>> echo "$(gettext "FAILED")" >&2
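Review bot: The replacement test on the `if [ ... = ... ]` line compares two strings that can both be empty: if ${integrity_sums[$idx]} is unset and openssl is missing or fails, the condition is true and the file is reported as "Passed". Compute the digest into a variable first, fail when it is empty, and only then compare. The comparison is also an exact string match, so a sum written in uppercase hex will not match openssl's lowercase output; normalise case on both sides. The awk '{print $2}' field assumption about file names with spaces applies here as well.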
>> --
> Ok, can we take a slightly different approach to this in order to not
> reduce functionality? How about we check for the existence of the
> ${integ}sum programs first (or at least the one we need), and then
> somehow fall back to the openssl binary if necessary? If we have an
> array of sha256 sums, then we would spit a big warning saying we could
> not verify these sums due to us not having a program to verify them.
>
> Of course, I have no idea how easy this is, but I'm really against
> losing functionality.
>
Oops, sorry about my previous message. I hadn't read this one first
(because of Gmail's way of sorting messages by threads).
Falling back to openssl only when the *sum utilities are not available
seems better to me.
--
Roman Kyrylych (Роман Кирилич)