[tor-commits] [tor-browser-bundle/master] Record and check explicit hashes for stuff without sigs.
commit 71357fc57a1ac014e947a68c74b41a4a6c4412fe
Author: Mike Perry <mikeperry-git@xxxxxxxxxx>
Date: Tue Jul 16 15:09:05 2013 -0700
Record and check explicit hashes for stuff without sigs.
---
gitian/fetch-inputs.sh | 32 ++++++++++++++++++--------------
gitian/versions | 7 +++++++
2 files changed, 25 insertions(+), 14 deletions(-)
diff --git a/gitian/fetch-inputs.sh b/gitian/fetch-inputs.sh
index 46a0ca5..8fd4725 100755
--- a/gitian/fetch-inputs.sh
+++ b/gitian/fetch-inputs.sh
@@ -109,17 +109,17 @@ do
fi
done
-# XXX: This doesn't cover everything. See #8525
for i in TOOLCHAIN4 OSXSDK
do
PACKAGE="${i}_PACKAGE"
URL="${MIRROR_URL}${!PACKAGE}"
get "${!PACKAGE}" "${MIRROR_URL}${!PACKAGE}"
- echo >&2 "Warning, not verifying signature for $i"
done
# Verify packages with weak or no signatures via multipath downloads
# (OpenSSL is signed with MD5, and OSXSDK is not signed at all)
+# XXX: Google won't allow wget -N.. We need to re-download the whole
+# TOOLCHAIN4 each time. Rely only on SHA256 for now..
mkdir -p verify
cd verify
for i in OPENSSL OSXSDK
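Review bot: With the warning on the removed line gone, nothing in the TOOLCHAIN4/OSXSDK fetch loop tells a reader that these downloads are not signature-checked or where they are verified instead, and the new comment that follows is attached to the mirror-comparison loop rather than to the fetch. A one-line comment above `for i in TOOLCHAIN4 OSXSDK` would keep that visible, e.g. `# No usable signatures for these; they are checked against the pinned *_HASH values after download`. The comment `Rely only on SHA256 for now..` is also easy to misread as applying to OPENSSL and OSXSDK, which are still mirror-compared below, so it would be clearer to name TOOLCHAIN4 explicitly: `# TOOLCHAIN4 is therefore not mirror-compared and relies on its SHA256 alone`.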
@@ -131,18 +131,10 @@ do
mv "${!PACKAGE}" "${!PACKAGE}.removed"
exit 1
fi
-done
-# XXX: Google won't allow wget -N.. We need to re-download the whole
-# TOOLCHAIN4 each time :/
-rm -f "$TOOLCHAIN4_PACKAGE"
-wget "$TOOLCHAIN4_URL"
-for i in OPENSSL OSXSDK TOOLCHAIN4
-do
- PACKAGE="${i}_PACKAGE"
- if ! diff "${!PACKAGE}" "../${!PACKAGE}"; then
- echo "Package ${!PACKAGE} differs from our mirror's version!"
- exit 1
- fi
+ if ! diff "${!PACKAGE}" "../${!PACKAGE}"; then
+ echo "Package ${!PACKAGE} differs from our mirror's version!"
+ exit 1
+ fi
done
cd ..
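Review bot: The inlined `diff "${!PACKAGE}" "../${!PACKAGE}"` is only used for its exit status on binary archives, and `diff` will print "Binary files ... differ" and may read both files fully even when it could stop at the first mismatch; `cmp -s -- "${!PACKAGE}" "../${!PACKAGE}"` expresses the intent (byte-identical or not) more directly and also protects file names that start with `-`. The `for i in OPENSSL OSXSDK` loop this belongs to starts before the hunk.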
@@ -150,6 +142,18 @@ cd ..
wget -N https://addons.mozilla.org/firefox/downloads/latest/722/addon-722-latest.xpi
wget -N https://addons.mozilla.org/firefox/downloads/latest/352704/addon-352704-latest.xpi
+# Verify packages with weak or no signatures via direct sha256 check
+# (OpenSSL is signed with MD5, and OSXSDK is not signed at all)
+for i in OPENSSL OSXSDK TOOLCHAIN4 NOSCRIPT PDFJS
+do
+ PACKAGE="${i}_PACKAGE"
+ HASH="${i}_HASH"
+ if ! echo "${!HASH} ${!PACKAGE}" | sha256sum -c -; then
+ echo "Package hash for ${!PACKAGE} differs from our locally stored sha256!"
+ exit 1
+ fi
+done
+
# So is mingw:
if [ ! -f mingw-w64-svn-snapshot-r5830.zip ];
then
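Review bot: The checksum line fed to `sha256sum -c -` is built with a single space between hash and file name, while the documented input format is two spaces (`hash  file`) or `hash *file`; older coreutils releases are stricter about this than recent ones, so the check could fail with "improperly formatted line" on some build hosts rather than verifying. Emitting the canonical form is a one-line change: `if ! printf '%s  %s\n' "${!HASH}" "${!PACKAGE}" | sha256sum -c -; then`. Note that an unset `${i}_HASH` produces a malformed line and therefore fails closed, which is the right behaviour, but a short comment saying so would save the next person from treating that failure as a bug: `# an unset *_HASH yields a malformed line, so sha256sum -c fails closed`.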
diff --git a/gitian/versions b/gitian/versions
index 58870ef..7ecf6be 100755
--- a/gitian/versions
+++ b/gitian/versions
@@ -24,6 +24,13 @@ PDFJS_PACKAGE=addon-352704-latest.xpi
TOOLCHAIN4_PACKAGE=multiarch-darwin11-cctools127.2-gcc42-5666.3-llvmgcc42-2336.1-Linux-120724.tar.xz
OSXSDK_PACKAGE=apple-uni-sdk-10.6_20110407-0.flosoft1_i386.deb
+# Hashes for things with weak sigs or no sigs
+OPENSSL_HASH=f74f15e8c8ff11aa3d5bb5f276d202ec18d7246e95f961db76054199c69c1ae3
+OSXSDK_HASH=6602d8d5ddb371fbc02e2a5967d9bd0cd7358d46f9417753c8234b923f2ea6fc
+TOOLCHAIN4_HASH=65c1b2d302358a6b95a26c6828a66908a199276193bb0b268f2dcc1a997731e9
+NOSCRIPT_HASH=6d5d50dea791dd52caf41ea28199743591776ecd7dd88bcccfcfb7e8de32386d
+PDFJS_HASH=2e3e6811f5294b24aafeba44e8206ddc81fb15e5934e5166a2c7df3a4405020b
+
OPENSSL_URL=https://www.openssl.org/source/${OPENSSL_PACKAGE}
TOOLCHAIN4_URL=https://mingw-and-ndk.googlecode.com/files/${TOOLCHAIN4_PACKAGE}
OSXSDK_URL=https://launchpad.net/~flosoft/+archive/cross-apple/+files/${OSXSDK_PACKAGE}
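Review bot: The new `*_HASH` entries pin a specific file but nothing records that they must move in lockstep with the matching `*_PACKAGE` line above, or how a maintainer is expected to obtain a trustworthy value when a package is bumped. Since these hashes are the only check for artifacts without usable signatures, a bumped package with a stale hash will simply abort the fetch, and a hash copied from an unverified download would only be trust-on-first-use. A comment above the block would make the contract explicit, e.g. `# These must be updated whenever the corresponding *_PACKAGE changes; record the value from a download whose origin has been independently confirmed, not from the mirror alone`.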