[CentOS-devel] [PATCH 1/2] Verify that each file hash listed in .metadata matches the hash of the downloaded file.
Tyler Parsons
tparsons at fnal.gov
Tue Jun 24 15:42:43 UTC 2014
---
get_sources.sh | 45 ++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 44 insertions(+), 1 deletion(-)
diff --git a/get_sources.sh b/get_sources.sh
index 6451bd0..456e140 100755
--- a/get_sources.sh
+++ b/get_sources.sh
@@ -16,6 +16,28 @@ if [ -f /etc/centos-git-common ]; then
. /etc/centos-git-common
fi
+weakHashDetection () {
+ strHash=${1};
+ case $((`echo ${strHash}|wc -m` - 1 )) in
+ 128)
+ hashBin='sha512sum'
+ ;;
+ 64)
+ hashBin='sha256sum'
+ ;;
+ 40)
+ hashBin='sha1sum'
+ ;;
+ 32)
+ hashBin='md5sum'
+ ;;
+ *)
+ hashBin='unknown'
+ ;;
+ esac
+ echo ${hashBin};
+}
+
#parse command line args
BRANCH=''
while (($# > 0))
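Review bot: `weakHashDetection` picks the digest tool from the string length alone, so any 32-, 40-, 64- or 128-character value from `.metadata` is accepted without checking that it is hex. The unquoted `echo ${strHash}|wc -m` also subjects that value to word splitting and globbing. I would switch on `case ${#strHash} in` and reject non-hex input first with `case ${strHash} in *[!0-9a-fA-F]*) echo unknown; return ;; esac`. `strHash` and `hashBin` should be declared `local` so they do not leak into the script's globals. MD5 and SHA-1 are both collision-prone, so if those arms stay for older metadata (not visible from this hunk), a comment such as `# md5/sha1 kept only for legacy .metadata entries; collision-prone` would record that they are a weaker check.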
@@ -92,7 +114,28 @@ while read -r fsha fname ; do
if [ ! -e "${fname}" ]; then
for br in "${branches[@]}"
do
- curl -f "${surl}/${pn}/${br}/${fsha}" -o "${fname}" && break
+ curl -f "${surl}/${pn}/${br}/${fsha}" -o "${fname}"
+ if [ $? -eq 0 ]; then
+ hashType=$(weakHashDetection ${fsha})
+ if [ "${hashType}" != "unknown" ]; then
+ renderedHash=$($hashType ${fname}|awk '{print $1}')
+ if [ "${renderedHash}" == "${fsha}" ]; then
+ break
+ else
+ echo "ERROR: ${surl}/${pn}/${br}/${fsha} does not match hash of downloaded file ${fname}:${renderedHash}"
+ newFName=$(mktemp ${fname}.XXXX)
+ echo " - Archiving File To: ${newFName}"
+ mv ${fname} ${newFName}
+ exit 1
+ fi
+ else
+ echo "ERROR: unknown hash used, file ${fname} can not be verified."
+ newFName=$(mktemp ${fname}.XXXX)
+ echo " - Archiving File To: ${newFName}"
+ mv ${fname} ${newFName}
+ exit 1
+ fi
+ fi
done
else
echo "${fname} exists. skipping"
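Review bot: The download is written to `${fname}` before it is verified, and a file that already exists is never hashed: the `exists. skipping` branch trusts anything under that name. A partial file left by a failed `curl` therefore appears to be skipped unchecked on the next run, as does any file placed there earlier. I would download to a temporary name, hash that, and only `mv` it into place after the comparison succeeds, as sketched below. The same rewrite quotes `${fsha}` and `${fname}`, which come from `.metadata` and are currently passed unquoted to `$hashType`, `mktemp` and `mv`, and it sends the error text to stderr. The enclosing `while read` loop starts above this hunk and the `else` branch continues below it, so verifying pre-existing files would need a change outside the lines shown.

```shell
# … unchanged: for br in "${branches[@]}" / do …
tmpName=$(mktemp -- "${fname}.XXXXXX") || exit 1
if curl -f "${surl}/${pn}/${br}/${fsha}" -o "${tmpName}"; then
  hashType=$(weakHashDetection "${fsha}")
  if [ "${hashType}" = "unknown" ]; then
    echo "ERROR: unknown hash used, file ${fname} can not be verified." >&2
    echo " - Archiving File To: ${tmpName}" >&2
    exit 1
  fi
  # Hash via stdin so the file name is never parsed as an option.
  renderedHash=$("${hashType}" < "${tmpName}" | awk '{print $1}')
  if [ "${renderedHash}" != "${fsha}" ]; then
    echo "ERROR: ${surl}/${pn}/${br}/${fsha} does not match hash of downloaded file ${fname}:${renderedHash}" >&2
    echo " - Archiving File To: ${tmpName}" >&2
    exit 1
  fi
  # Only verified content ever appears under the final name.
  mv -- "${tmpName}" "${fname}"
  break
fi
rm -f -- "${tmpName}"
# … unchanged: done / else "exists. skipping" branch …
```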
--
1.8.4