This patch attempts to resolve the hash type used in .metadata and then perform verification using the correct tool.
I attempted to submit a similar patchset last week (17th) but it seems to have never made it onto the list.
Tyler Parsons (2): Verify that each file hash listed in .metadata matches the hash of the downloaded file. Fixing URL
get_sources.sh | 47 +++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 45 insertions(+), 2 deletions(-)
--- get_sources.sh | 45 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 44 insertions(+), 1 deletion(-)
diff --git a/get_sources.sh b/get_sources.sh index 6451bd0..456e140 100755 --- a/get_sources.sh +++ b/get_sources.sh @@ -16,6 +16,28 @@ if [ -f /etc/centos-git-common ]; then . /etc/centos-git-common fi
+weakHashDetection () { + strHash=${1}; + case $((`echo ${strHash}|wc -m` - 1 )) in + 128) + hashBin='sha512sum' + ;; + 64) + hashBin='sha256sum' + ;; + 40) + hashBin='sha1sum' + ;; + 32) + hashBin='md5sum' + ;; + *) + hashBin='unknown' + ;; + esac + echo ${hashBin}; +} + #parse command line args BRANCH='' while (($# > 0)) @@ -92,7 +114,28 @@ while read -r fsha fname ; do if [ ! -e "${fname}" ]; then for br in "${branches[@]}" do - curl -f "${surl}/${pn}/${br}/${fsha}" -o "${fname}" && break + curl -f "${surl}/${pn}/${br}/${fsha}" -o "${fname}" + if [ $? -eq 0 ]; then + hashType=$(weakHashDetection ${fsha}) + if [ "${hashType}" != "unknown" ]; then + renderedHash=$($hashType ${fname}|awk '{print $1}') + if [ "${renderedHash}" == "${fsha}" ]; then + break + else + echo "ERROR: ${surl}/${pn}/${br}/${fsha} does not match hash of downloaded file ${fname}:${renderedHash}" + newFName=$(mktemp ${fname}.XXXX) + echo " - Archiving File To: ${newFName}" + mv ${fname} ${newFName} + exit 1 + fi + else + echo "ERROR: unknown hash used, file ${fname} can not be verified." + newFName=$(mktemp ${fname}.XXXX) + echo " - Archiving File To: ${newFName}" + mv ${fname} ${newFName} + exit 1 + fi + fi done else echo "${fname} exists. skipping"
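Review bot: `weakHashDetection` classifies purely by digest length and still returns `md5sum` and `sha1sum` as usable verifiers, so despite its name it does not reject weak hashes; if accepting them is intended, a name like `hashTypeDetection` would describe the function honestly, and the length can be read with `${#strHash}` instead of `$((`echo ${strHash}|wc -m` - 1 ))`. `strHash` and `hashBin` are also assigned without `local`, so they leak into the caller's scope.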
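Review bot: the verification fails closed, which is the right default, but the branch loop now does `exit 1` on the first mismatch or unknown hash type instead of trying the remaining entries of `branches[@]`, while a `curl -f` failure on every branch still falls out of the loop with no message at all; decide whether a mismatch on one branch should be terminal and report the all-branches-failed case. The new lines use `${fsha}`, `${fname}` and `$hashType` unquoted (`$($hashType ${fname}|awk '{print $1}')`, `mv ${fname} ${newFName}`); quote them. The two archive-and-exit blocks are identical and would be safer as one helper so both error paths stay in step.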
--- get_sources.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/get_sources.sh b/get_sources.sh index 456e140..49000b9 100755 --- a/get_sources.sh +++ b/get_sources.sh @@ -9,7 +9,7 @@ # # Might want to drop this in ~/bin/ and chmod u+x it
-surl="https://git.centos.org/sources/" +surl="https://git.centos.org/sources"
# for setting any overrides, such as surl or f if [ -f /etc/centos-git-common ]; then
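Review bot: removing the trailing slash from `surl` avoids the doubled `//` in the `${surl}/${pn}/${br}/${fsha}` URL built by patch 1, but the comment here says `surl` may be overridden from `/etc/centos-git-common`, so an override that still ends in `/` reproduces the problem; normalise after sourcing (`surl="${surl%/}"`) or state the expected form in the comment.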
On 06/24/2014 10:42 AM, Tyler Parsons wrote:
> This patch attempts to resolve the hash type used in .metadata and then perform verification using the correct tool.
> I attempted to submit a similar patchset last week (17th) but it seems to have never made it onto the list.
> Tyler Parsons (2): Verify that each file hash listed in .metadata matches the hash of the downloaded file. Fixing URL
> get_sources.sh | 47 +++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 45 insertions(+), 2 deletions(-)
These no longer apply (at least patch1 does not) ... please refactor if still needed.