X-Git-Url: https://review.fuel-infra.org/gitweb?a=blobdiff_plain;f=cirros-testvm%2Fsrc-cirros%2Fbuildroot-2015.05%2Fsupport%2Fdownload%2Fcheck-hash;fp=cirros-testvm%2Fsrc-cirros%2Fbuildroot-2015.05%2Fsupport%2Fdownload%2Fcheck-hash;h=c1ff53c02b5cf2253b248896380084bdffe5a21f;hb=b0a0f15dfaa205161a7fcb20cf1b8cd4948c2ef3;hp=0000000000000000000000000000000000000000;hpb=c6ac3cd55ee2da956195eee393b0882105dfad4e;p=packages%2Ftrusty%2Fcirros-testvm.git diff --git a/cirros-testvm/src-cirros/buildroot-2015.05/support/download/check-hash b/cirros-testvm/src-cirros/buildroot-2015.05/support/download/check-hash new file mode 100755 index 0000000..c1ff53c --- /dev/null +++ b/cirros-testvm/src-cirros/buildroot-2015.05/support/download/check-hash @@ -0,0 +1,110 @@ +#!/usr/bin/env bash +set -e + +# Helper to check a file matches its known hash +# Call it with: +# $1: the path of the file containing all the expected hashes +# $2: the full path to the temporary file that was downloaded, and +# that is to be checked +# $3: the final basename of the file, to which it will be ultimately +# saved as, to be able to match it to the corresponding hashes +# in the .hash file +# +# Exit codes: +# 0: the hash file exists and the file to check matches all its hashes, +# or the hash file does not exist +# 1: unknown command-line option +# 2: the hash file exists and the file to check does not match at least +# one of its hashes +# 3: the hash file exists and there was no hash to check the file against +# 4: the hash file exists and at least one hash type is unknown + +while getopts :q OPT; do + case "${OPT}" in + q) exec >/dev/null;; + \?) exit 1;; + esac +done +shift $((OPTIND-1)) + +h_file="${1}" +file="${2}" +base="${3}" + +# Bail early if no hash to check +if [ -z "${h_file}" ]; then + exit 0 +fi +# Does the hash-file exist? +if [ ! -f "${h_file}" ]; then + printf "WARNING: no hash file for %s\n" "${base}" >&2 + exit 0 +fi + +# Check one hash for a file +# $1: known hash +# $2: file (full path) +check_one_hash() { + _h="${1}" + _known="${2}" + _file="${3}" + + # Note: md5 is supported, but undocumented on purpose. + # Note: sha3 is not supported, since there is currently no implementation + # (the NIST has yet to publish the parameters). + # Note: 'none' means there is explicitly no hash for that file. + case "${_h}" in + none) + return 0 + ;; + md5|sha1) ;; + sha224|sha256|sha384|sha512) ;; + *) # Unknown hash, exit with error + printf "ERROR: unknown hash '%s' for '%s'\n" \ + "${_h}" "${base}" >&2 + exit 4 + ;; + esac + + # Do the hashes match? + _hash=$( ${_h}sum "${_file}" |cut -d ' ' -f 1 ) + if [ "${_hash}" = "${_known}" ]; then + printf "%s: OK (%s: %s)\n" "${base}" "${_h}" "${_hash}" + return 0 + fi + + printf "ERROR: %s has wrong %s hash:\n" "${base}" "${_h}" >&2 + printf "ERROR: expected: %s\n" "${_known}" >&2 + printf "ERROR: got : %s\n" "${_hash}" >&2 + printf "ERROR: Incomplete download, or man-in-the-middle (MITM) attack\n" >&2 + + exit 2 +} + +# Do we know one or more hashes for that file? +nb_checks=0 +while read t h f; do + case "${t}" in + ''|'#'*) + # Skip comments and empty lines + continue + ;; + *) + if [ "${f}" = "${base}" ]; then + check_one_hash "${t}" "${h}" "${file}" + : $((nb_checks++)) + fi + ;; + esac +done <"${h_file}" + +if [ ${nb_checks} -eq 0 ]; then + case " ${BR_NO_CHECK_HASH_FOR} " in + *" ${base} "*) + # File explicitly has no hash + exit 0 + ;; + esac + printf "ERROR: No hash found for %s\n" "${base}" >&2 + exit 3 +fi