| author | Felix Fietkau | 2025-07-21 16:32:50 +0000 |
|---|---|---|
| committer | Felix Fietkau | 2025-08-02 14:41:08 +0000 |
| commit | 042996b46bd41292ef1fa2d58e3b824a547f4c55 (patch) | |
| tree | bfcc749a126e35af56dfaf8af44221d0a988e9b3 | |
| parent | 9dddc0bed096b655f792a29043912e8f0d07b754 (diff) | |
| download | openwrt-042996b46bd41292ef1fa2d58e3b824a547f4c55.tar.gz | |
build: stricter hash validation on download
Check the hash after packing the checkout and fail the build if it
does not match.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
| -rw-r--r-- | include/download.mk | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/include/download.mk b/include/download.mk
index 518a14e035..be0c9a31f1 100644
--- a/include/download.mk
+++ b/include/download.mk
@@ -154,7 +154,17 @@ endef
 # $(2): "PKG_" if <name> as in Download/<name> is "default", otherwise "Download/<name>:"
 # $(3): shell command sequence to do the download
 define wrap_mirror
-$(if $(if $(MIRROR),$(filter-out x,$(MIRROR_HASH))),$(SCRIPT_DIR)/download.pl "$(DL_DIR)" "$(FILE)" "$(MIRROR_HASH)" "" || ( $(3) ),$(3)) \
+$(if $(if $(MIRROR), \
+ $(filter-out x,$(MIRROR_HASH))),$(SCRIPT_DIR)/download.pl "$(DL_DIR)" "$(FILE)" "$(MIRROR_HASH)" "" || \
+ ( $(3) ) \
+ $(if $(filter-out x,$(MIRROR_HASH)), && ( \
+ file_hash="$$$$($(MKHASH) sha256 "$(DL_DIR)/$(FILE)")"; \
+ [ "$$$$file_hash" = "$(MIRROR_HASH)" ] || { \
+ echo "Hash mismatch for file $(FILE): expected $(MIRROR_HASH), got $$$$file_hash"; \
+ false; \
+ }; \
+ )),
+ $(3)) \
 $(if $(filter check,$(1)), \
 $(call check_hash,$(FILE),$(MIRROR_HASH),$(2)MIRROR_$(call hash_var,$(MIRROR_MD5SUM))) \
 $(call check_md5,$(MIRROR_MD5SUM),$(2)MIRROR_MD5SUM,$(2)MIRROR_HASH) \ |
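Review bot: The new post-download comparison only runs in the branch taken when `MIRROR` is set; the else branch at `$(3))` still runs the download command with no check against `MIRROR_HASH`, and the inner `$(if $(filter-out x,$(MIRROR_HASH)), …)` is redundant where it sits because the outer condition already requires a real hash. If `wrap_mirror` can be reached with `MIRROR` empty and a real hash (the callers are not visible in this hunk), a locally packed checkout would be accepted unverified; closing the outer conditional first, `… "" || ( $(3) ),( $(3) )) \`, and letting `$(if $(filter-out x,$(MIRROR_HASH)), && ( … )) \` follow it would cover both paths. On a mismatch the file is left in `$(DL_DIR)`, so it is worth confirming that a rerun cannot treat it as an already-downloaded target; `rm -f "$(DL_DIR)/$(FILE)"` before `false` would rule that out. The mismatch message would also be easier to find in build logs on stderr (`>&2`). The `define wrap_mirror` body continues past the end of the hunk.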