[coreboot-gerrit] New patch to review for coreboot: util/crossgcc: Implement buildgcc script checksum verification
Philipp Deppenwiese (zaolin.daisuki@googlemail.com)
gerrit at coreboot.org
Tue Jun 14 02:08:37 CEST 2016
Philipp Deppenwiese (zaolin.daisuki at googlemail.com) just uploaded a new patch set to gerrit, which you can find at https://review.coreboot.org/15170
-gerrit
commit fa94651e9aae944f2d93b850868c8aa7f821319b
Author: Philipp Deppenwiese <zaolin at das-labor.org>
Date: Mon Jun 13 17:01:07 2016 -0700
util/crossgcc: Implement buildgcc script checksum verification
In order to build a secure toolchain, HTTPS and checksum verification
should be used for the sources.
The hash algorithm has changed from SHA1 to SHA384 for security
purposes.
Change-Id: Id45097fc7e8435fadce4bda75769592af2730b0c
Signed-off-by: Philipp Deppenwiese <zaolin at das-labor.org>
---
util/crossgcc/buildgcc | 79 ++++++++++++++--------
util/crossgcc/sum/Python-3.5.1.tar.xz.cksum | 2 +-
.../sum/acpica-unix2-20160318.tar.gz.cksum | 2 +-
util/crossgcc/sum/binutils-2.26.tar.bz2.cksum | 2 +-
util/crossgcc/sum/cfe-3.8.0.src.tar.xz.cksum | 2 +-
.../sum/clang-tools-extra-3.8.0.src.tar.xz.cksum | 2 +-
.../sum/compiler-rt-3.8.0.src.tar.xz.cksum | 2 +-
util/crossgcc/sum/expat-2.1.1.tar.bz2.cksum | 2 +-
util/crossgcc/sum/gcc-5.3.0.tar.bz2.cksum | 2 +-
util/crossgcc/sum/gdb-7.11.tar.xz.cksum | 2 +-
util/crossgcc/sum/gmp-6.1.0.tar.xz.cksum | 2 +-
util/crossgcc/sum/libelf-0.8.13.tar.gz.cksum | 2 +-
util/crossgcc/sum/llvm-3.8.0.src.tar.xz.cksum | 2 +-
util/crossgcc/sum/make-4.1.tar.bz2.cksum | 2 +-
util/crossgcc/sum/mpc-1.0.3.tar.gz.cksum | 2 +-
util/crossgcc/sum/mpfr-3.1.4.tar.xz.cksum | 2 +-
16 files changed, 67 insertions(+), 42 deletions(-)
diff --git a/util/crossgcc/buildgcc b/util/crossgcc/buildgcc
index 1e761da..b015041 100755
--- a/util/crossgcc/buildgcc
+++ b/util/crossgcc/buildgcc
@@ -51,22 +51,22 @@ MAKE_VERSION=4.1
# These are sanitized by the jenkins toolchain test builder, so if
# a completely new URL is added here, it probably needs to be added
# to the jenkins build as well, or the builder won't download it.
-GMP_ARCHIVE="http://ftpmirror.gnu.org/gmp/gmp-${GMP_VERSION}.tar.xz"
-MPFR_ARCHIVE="http://ftpmirror.gnu.org/mpfr/mpfr-${MPFR_VERSION}.tar.xz"
-MPC_ARCHIVE="http://ftpmirror.gnu.org/mpc/mpc-${MPC_VERSION}.tar.gz"
+GMP_ARCHIVE="https://ftp.gnu.org/gnu/gmp/gmp-${GMP_VERSION}.tar.xz"
+MPFR_ARCHIVE="https://ftp.gnu.org/gnu/mpfr/mpfr-${MPFR_VERSION}.tar.xz"
+MPC_ARCHIVE="https://ftp.gnu.org/gnu/mpc/mpc-${MPC_VERSION}.tar.gz"
LIBELF_ARCHIVE="http://www.mr511.de/software/libelf-${LIBELF_VERSION}.tar.gz"
-GCC_ARCHIVE="http://ftpmirror.gnu.org/gcc/gcc-${GCC_VERSION}/gcc-${GCC_VERSION}.tar.bz2"
-BINUTILS_ARCHIVE="http://ftpmirror.gnu.org/binutils/binutils-${BINUTILS_VERSION}.tar.bz2"
-GDB_ARCHIVE="http://ftpmirror.gnu.org/gdb/gdb-${GDB_VERSION}.tar.xz"
+GCC_ARCHIVE="https://ftp.gnu.org/gnu/gcc/gcc-${GCC_VERSION}/gcc-${GCC_VERSION}.tar.bz2"
+BINUTILS_ARCHIVE="https://ftp.gnu.org/gnu/binutils/binutils-${BINUTILS_VERSION}.tar.bz2"
+GDB_ARCHIVE="https://ftp.gnu.org/gnu/gdb/gdb-${GDB_VERSION}.tar.xz"
IASL_ARCHIVE="https://acpica.org/sites/acpica/files/acpica-unix2-${IASL_VERSION}.tar.gz"
-PYTHON_ARCHIVE="http://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tar.xz"
-EXPAT_ARCHIVE="http://downloads.sourceforge.net/sourceforge/expat/expat-${EXPAT_VERSION}.tar.bz2"
+PYTHON_ARCHIVE="https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tar.xz"
+EXPAT_ARCHIVE="https://downloads.sourceforge.net/sourceforge/expat/expat-${EXPAT_VERSION}.tar.bz2"
# CLANG toolchain archive locations
LLVM_ARCHIVE="http://llvm.org/releases/${CLANG_VERSION}/llvm-${CLANG_VERSION}.src.tar.xz"
CFE_ARCHIVE="http://llvm.org/releases/${CLANG_VERSION}/cfe-${CLANG_VERSION}.src.tar.xz"
CRT_ARCHIVE="http://llvm.org/releases/${CLANG_VERSION}/compiler-rt-${CLANG_VERSION}.src.tar.xz"
CTE_ARCHIVE="http://llvm.org/releases/${CLANG_VERSION}/clang-tools-extra-${CLANG_VERSION}.src.tar.xz"
-MAKE_ARCHIVE="http://ftpmirror.gnu.org/make/make-${MAKE_VERSION}.tar.bz2"
+MAKE_ARCHIVE="https://ftp.gnu.org/gnu/make/make-${MAKE_VERSION}.tar.bz2"
ALL_ARCHIVES="$GMP_ARCHIVE $MPFR_ARCHIVE $MPC_ARCHIVE $LIBELF_ARCHIVE \
$GCC_ARCHIVE $BINUTILS_ARCHIVE $GDB_ARCHIVE $IASL_ARCHIVE \
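Review bot: LIBELF_ARCHIVE and the four llvm.org archives (LLVM_ARCHIVE, CFE_ARCHIVE, CRT_ARCHIVE, CTE_ARCHIVE) are still `http://` after this hunk, so for those downloads integrity rests entirely on the files under sum/. If those hosts serve the same paths over https, switching them here would match the rest of the change; if they do not, a short comment saying why they stay on http would help the next reader. The existing comment above the list says the jenkins builder sanitizes these URLs, so the move from ftpmirror.gnu.org to ftp.gnu.org probably needs a matching update there.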
@@ -202,26 +202,45 @@ check_for_library() {
rm -rf "${LIBTEST_FILE}.c" "${LIBTEST_FILE}"
}
-check_sum() {
- test -z "$CHECKSUM" || \
- test "$(cat sum/$1.cksum 2>/dev/null | sed -e 's at .*\([0-9a-f]\{40,\}\).*@\1@')" = \
- "$($CHECKSUM tarballs/$1 2>/dev/null | sed -e 's at .*\([0-9a-f]\{40,\}\).*@\1@')"
+calculate_checksum() {
+ test ! -f sum/$1.cksum && test -f tarballs/$1 && \
+ (test -z "$CHECKSUM" || $CHECKSUM tarballs/$1 > sum/$1.cksum ) && \
+ printf "(checksum created. ${RED}Note. Please upload sum/$1.cksum if the corresponding archive is upgraded.)${NC}"
}
-compute_sum() {
- test ! -f sum/$1.cksum && test -f tarballs/$1 && \
- (test -z "$CHECKSUM" || $CHECKSUM tarballs/$1 > sum/$1.cksum ) && \
- printf "(checksum created. ${RED}Note. Please upload sum/$1.cksum if the corresponding archive is upgraded.)${NC}"
+verify_checksum() {
+ test -z "${CHECKSUM}"
+ if [ "${?}" != "1" ] ; then
+ printf "\n${RED}Checksum tool not found.\n"
+ exit 1
+ fi
+
+ local static_hash=$(cat sum/$1.cksum 2>/dev/null | cut -d ' ' -f 1)
+ local file_hash=$($CHECKSUM tarballs/$1 2>/dev/null | cut -d ' ' -f 1)
+
+ if [ "${static_hash}" != "${file_hash}" ] ; then
+ printf "\n${RED}Failed to verify checksum of package ${1}.${NC}\n"
+ exit 1
+ fi
}
download_showing_percentage() {
url=$1
printf " ..${red} 0%%"
- wget --no-check-certificate $url 2>&1 | while read line; do
- printf "${red}"
- echo $line | grep -o "[0-9]\+%" | awk '{printf("\b\b\b\b%4s", $1)}'
- printf "${NC}"
- done
+ wget --quiet --spider $url 2>&1
+ if [ "${?}" != "0" ] ; then
+ wget --no-check-certificate $url 2>&1 | while read line; do
+ printf "${red}"
+ echo $line | grep -o "[0-9]\+%" | awk '{printf("\b\b\b\b%4s", $1)}'
+ printf "${NC}"
+ done
+ else
+ wget $url 2>&1 | while read line; do
+ printf "${red}"
+ echo $line | grep -o "[0-9]\+%" | awk '{printf("\b\b\b\b%4s", $1)}'
+ printf "${NC}"
+ done
+ fi
}
download() {
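Review bot: In download_showing_percentage, any failure of `wget --quiet --spider $url` selects the `wget --no-check-certificate` branch, and a certificate validation failure is one such failure, so the https URLs this commit introduces are not enforced exactly when the certificate is wrong. Dropping the fallback and keeping only `wget "$url" 2>&1 | while read line; do` turns a bad certificate into a failed download, which download() already reports. Separately, verify_checksum compares two strings that are both empty when sum/$1.cksum is missing and the checksum command prints nothing (both have stderr sent to /dev/null), so that case passes; `if [ -z "${static_hash}" ] || [ "${static_hash}" != "${file_hash}" ] ; then` closes it. The `local x=$(...)` form also hides the exit status of the command substitution, and `$1` is unquoted in the paths.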
@@ -231,7 +250,7 @@ download() {
FILE=$(basename $archive)
printf " * $FILE "
- if test -f tarballs/$FILE && check_sum $FILE ; then
+ if test -f tarballs/$FILE ; then
printf "(cached)"
else
printf "(downloading from $archive)"
@@ -239,13 +258,16 @@ download() {
cd tarballs
download_showing_percentage $archive
cd ..
- compute_sum $FILE
+ calculate_checksum ${FILE}
fi
if [ ! -f tarballs/$FILE ]; then
printf "\n${RED}Failed to download $FILE.${NC}\n"
exit 1
fi
+
+ verify_checksum ${FILE}
+
printf "\n"
}
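Review bot: When no sum/$FILE.cksum exists yet, `calculate_checksum ${FILE}` writes one from the archive that was just downloaded and `verify_checksum ${FILE}` then compares that archive with its own hash, so the first download of a new archive is accepted without any independent reference. Consider treating a missing checksum file as a hard failure by default and generating it only behind an explicit maintainer option used when bumping a version. Both calls pass `${FILE}` unquoted; `calculate_checksum "${FILE}"` and `verify_checksum "${FILE}"` would be safer. download() starts outside this hunk.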
@@ -253,6 +275,10 @@ unpack_and_patch() {
package=$1
archive="$(eval echo \$$package"_ARCHIVE")"
dir="$(eval echo \$$package"_DIR")"
+ FILE="$(basename $archive)"
+
+ verify_checksum ${FILE}
+
test -d ${dir} && test -f ${dir}/.unpack_success || (
printf " * $(basename $archive)\n"
FLAGS=zxf
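Review bot: `verify_checksum ${FILE}` runs before the `.unpack_success` test, so every run hashes every archive again, and a tree that is already unpacked but whose tarball was later removed now aborts with a checksum failure (file_hash is empty while static_hash is not). If that is not intended, run the check only when the archive is about to be extracted; the extraction sits inside a `( ... )` subshell, where `exit 1` ends only the subshell, so the status would have to be propagated to the caller. `FILE` is assigned without `local` and `$(basename $archive)` is unquoted. The body of unpack_and_patch continues outside the hunk.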
@@ -723,9 +749,8 @@ esac
TAR=$(searchtool tar) || exit $?
PATCH=$(searchtool patch) || exit $?
MAKE=$(searchtool make) || exit $?
-SHA1SUM=$(searchtool sha1sum)
-SHA512SUM=$(searchtool sha512sum)
-CHECKSUM=$SHA1SUM
+SHA384SUM=$(searchtool sha384sum)
+CHECKSUM=$SHA384SUM
LBZIP2=$(searchtool lbzip2 "" nofail)
PIGZ=$(searchtool pigz "" nofail)
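Review bot: `SHA384SUM=$(searchtool sha384sum)` neither stops on failure like the required tools above it (`|| exit $?`) nor is marked optional like lbzip2 and pigz (`"" nofail`), although verify_checksum now exits when CHECKSUM is empty. Since the tool is mandatory after this commit, `SHA384SUM=$(searchtool sha384sum) || exit $?` would fail at startup rather than at the first download. searchtool is not visible here; if it only looks for the literal name, hosts without a `sha384sum` binary (some BSD and macOS setups provide `shasum -a 384` instead) will presumably no longer be able to build the toolchain, which is worth stating in the commit message.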
diff --git a/util/crossgcc/sum/Python-3.5.1.tar.xz.cksum b/util/crossgcc/sum/Python-3.5.1.tar.xz.cksum
index 58affb0..5093e22 100644
--- a/util/crossgcc/sum/Python-3.5.1.tar.xz.cksum
+++ b/util/crossgcc/sum/Python-3.5.1.tar.xz.cksum
@@ -1 +1 @@
-0186da436db76776196612b98bb9c2f76acfe90e tarballs/Python-3.5.1.tar.xz
+9aca49d2cde4760035f4fff23e8a446f6451e8effb6e6fab3f259645a631593acb2ce3412aadf810f103f3f6b561abe7 tarballs/Python-3.5.1.tar.xz
diff --git a/util/crossgcc/sum/acpica-unix2-20160318.tar.gz.cksum b/util/crossgcc/sum/acpica-unix2-20160318.tar.gz.cksum
index 2f9b331..793a794 100644
--- a/util/crossgcc/sum/acpica-unix2-20160318.tar.gz.cksum
+++ b/util/crossgcc/sum/acpica-unix2-20160318.tar.gz.cksum
@@ -1 +1 @@
-786811c1501b9cc90c988293a1c3afefa33b60cc tarballs/acpica-unix2-20160318.tar.gz
+73305954ec571a19fd1ced884f5ce951b9a6c183faf111408fefddb1628ccc5aabcc9200d5f0619eb248f3d803e6ae98 tarballs/acpica-unix2-20160318.tar.gz
diff --git a/util/crossgcc/sum/binutils-2.26.tar.bz2.cksum b/util/crossgcc/sum/binutils-2.26.tar.bz2.cksum
index ac0a3c3..4d99d04 100644
--- a/util/crossgcc/sum/binutils-2.26.tar.bz2.cksum
+++ b/util/crossgcc/sum/binutils-2.26.tar.bz2.cksum
@@ -1 +1 @@
-a637508cffeb2323b14bc8dd65378819768ad4ff tarballs/binutils-2.26.tar.bz2
+ff22e865d7f4ac6fb5d408f92cbc0dcc749a36ee8c5f19a0292fc3d6f08e00f852e04734c47c9a578f092c6963b46878 tarballs/binutils-2.26.tar.bz2
diff --git a/util/crossgcc/sum/cfe-3.8.0.src.tar.xz.cksum b/util/crossgcc/sum/cfe-3.8.0.src.tar.xz.cksum
index 7ba8c8c..b278aac 100644
--- a/util/crossgcc/sum/cfe-3.8.0.src.tar.xz.cksum
+++ b/util/crossgcc/sum/cfe-3.8.0.src.tar.xz.cksum
@@ -1 +1 @@
-2230ef962f2df3c13ec93f5b04b0e3cdff94b2ce tarballs/cfe-3.8.0.src.tar.xz
+3edbe3cafc58ad6fc3d3a133156a656ea7756e8a36176b29bba63434d6f073cef63241cc6df8337fcab3832dd5b5c485 tarballs/cfe-3.8.0.src.tar.xz
diff --git a/util/crossgcc/sum/clang-tools-extra-3.8.0.src.tar.xz.cksum b/util/crossgcc/sum/clang-tools-extra-3.8.0.src.tar.xz.cksum
index e9d8d72..dd5c566 100644
--- a/util/crossgcc/sum/clang-tools-extra-3.8.0.src.tar.xz.cksum
+++ b/util/crossgcc/sum/clang-tools-extra-3.8.0.src.tar.xz.cksum
@@ -1 +1 @@
-a99d8b6fc5e593c4671424b327779318a1856acf tarballs/clang-tools-extra-3.8.0.src.tar.xz
+abd447239f09295f8592225bb7e07ba57cedc3d19a4972b45cd7d70a2db82106d1874a5be03656f8209a0e8a1308fb31 tarballs/clang-tools-extra-3.8.0.src.tar.xz
diff --git a/util/crossgcc/sum/compiler-rt-3.8.0.src.tar.xz.cksum b/util/crossgcc/sum/compiler-rt-3.8.0.src.tar.xz.cksum
index 081705d..9239365 100644
--- a/util/crossgcc/sum/compiler-rt-3.8.0.src.tar.xz.cksum
+++ b/util/crossgcc/sum/compiler-rt-3.8.0.src.tar.xz.cksum
@@ -1 +1 @@
-480ea09e369dac6de1f3759b27fa19417b26b69e tarballs/compiler-rt-3.8.0.src.tar.xz
+4560d512f3c3a0dbcc5c29ab7754b07d91ffa1ddc1c06a5215f3d325bc3f138ebf483e2a37abb10fc36cd125e6bf559e tarballs/compiler-rt-3.8.0.src.tar.xz
diff --git a/util/crossgcc/sum/expat-2.1.1.tar.bz2.cksum b/util/crossgcc/sum/expat-2.1.1.tar.bz2.cksum
index 882e501..11800c1 100644
--- a/util/crossgcc/sum/expat-2.1.1.tar.bz2.cksum
+++ b/util/crossgcc/sum/expat-2.1.1.tar.bz2.cksum
@@ -1 +1 @@
-ff91419882ac52151050dad0ee8190645fbeee08 tarballs/expat-2.1.1.tar.bz2
+816e8ca9ac57b6aac76e9979d11714313246492a49c228bb0a16d349174be45cd780d760524eb45acf12ff371e8b96a3 tarballs/expat-2.1.1.tar.bz2
diff --git a/util/crossgcc/sum/gcc-5.3.0.tar.bz2.cksum b/util/crossgcc/sum/gcc-5.3.0.tar.bz2.cksum
index bb05e39..2b81f5e 100644
--- a/util/crossgcc/sum/gcc-5.3.0.tar.bz2.cksum
+++ b/util/crossgcc/sum/gcc-5.3.0.tar.bz2.cksum
@@ -1 +1 @@
-0612270b103941da08376df4d0ef4e5662a2e9eb tarballs/gcc-5.3.0.tar.bz2
+4184972f66dc929686c30936cf8f5085829d8584118ebc3e2ec53a40754afbefc351cfd2c211c09dd3b6eb4ab4759820 tarballs/gcc-5.3.0.tar.bz2
diff --git a/util/crossgcc/sum/gdb-7.11.tar.xz.cksum b/util/crossgcc/sum/gdb-7.11.tar.xz.cksum
index ffe5a1c..9cc5d91 100644
--- a/util/crossgcc/sum/gdb-7.11.tar.xz.cksum
+++ b/util/crossgcc/sum/gdb-7.11.tar.xz.cksum
@@ -1 +1 @@
-466208d771d97d3dfcf965d5c835a669cff8d847 tarballs/gdb-7.11.tar.xz
+82f89ef35ea1916d5faa67b7fefa2ac3627894d245c43fb4e20828274566cbbb5d7f83899baad77a3cf7fe9fec6f8c7b tarballs/gdb-7.11.tar.xz
diff --git a/util/crossgcc/sum/gmp-6.1.0.tar.xz.cksum b/util/crossgcc/sum/gmp-6.1.0.tar.xz.cksum
index 348b80f..7e00489 100644
--- a/util/crossgcc/sum/gmp-6.1.0.tar.xz.cksum
+++ b/util/crossgcc/sum/gmp-6.1.0.tar.xz.cksum
@@ -1 +1 @@
-99d691607613e749aa5d7c0c2a89aeab38fec070 tarballs/gmp-6.1.0.tar.xz
+ec69b394cbcf887ab0717473b04bb70ce30102abf24869eca5acb781de405d3a5670fabb776ba68cfe6e117631522d9f tarballs/gmp-6.1.0.tar.xz
diff --git a/util/crossgcc/sum/libelf-0.8.13.tar.gz.cksum b/util/crossgcc/sum/libelf-0.8.13.tar.gz.cksum
index daa27c6..0d3f568 100644
--- a/util/crossgcc/sum/libelf-0.8.13.tar.gz.cksum
+++ b/util/crossgcc/sum/libelf-0.8.13.tar.gz.cksum
@@ -1 +1 @@
-c1d6ac5f182d19dd685c4dfd74eedbfe3992425d tarballs/libelf-0.8.13.tar.gz
+07fc0b1a40ba3d2b003899df199d1043bb5d44cf7d913e6460c985582e5275b634edb6af6779255d770010fd7d09580e tarballs/libelf-0.8.13.tar.gz
diff --git a/util/crossgcc/sum/llvm-3.8.0.src.tar.xz.cksum b/util/crossgcc/sum/llvm-3.8.0.src.tar.xz.cksum
index 2f0af53..547ad8f 100644
--- a/util/crossgcc/sum/llvm-3.8.0.src.tar.xz.cksum
+++ b/util/crossgcc/sum/llvm-3.8.0.src.tar.xz.cksum
@@ -1 +1 @@
-723ac918979255706434a05f5af34b71c49c9971 tarballs/llvm-3.8.0.src.tar.xz
+5d5a012e4d494a4534fcec7643ad28bab7467b96029b6d497e1d523357ae7c9e8bd86400dc90e261d791d6391a369b30 tarballs/llvm-3.8.0.src.tar.xz
diff --git a/util/crossgcc/sum/make-4.1.tar.bz2.cksum b/util/crossgcc/sum/make-4.1.tar.bz2.cksum
index 02807c6..455d779 100644
--- a/util/crossgcc/sum/make-4.1.tar.bz2.cksum
+++ b/util/crossgcc/sum/make-4.1.tar.bz2.cksum
@@ -1 +1 @@
-0d701882fd6fd61a9652cb8d866ad7fc7de54d58 tarballs/make-4.1.tar.bz2
+8a3adbc49c19db130bfd3c2b7df061d9419b77019d21d23765cf1c961bc6a35d611dbda4241316e98cecc09adccecd90 tarballs/make-4.1.tar.bz2
diff --git a/util/crossgcc/sum/mpc-1.0.3.tar.gz.cksum b/util/crossgcc/sum/mpc-1.0.3.tar.gz.cksum
index c7ca1ac..70ee62f 100644
--- a/util/crossgcc/sum/mpc-1.0.3.tar.gz.cksum
+++ b/util/crossgcc/sum/mpc-1.0.3.tar.gz.cksum
@@ -1 +1 @@
-b8be66396c726fdc36ebb0f692ed8a8cca3bcc66 tarballs/mpc-1.0.3.tar.gz
+dceeb2566d6145fa771641d22de3bef866fa601fe1fa964bc680a275919080bd12bc1abab4f68cecdbaef71d295b7397 tarballs/mpc-1.0.3.tar.gz
diff --git a/util/crossgcc/sum/mpfr-3.1.4.tar.xz.cksum b/util/crossgcc/sum/mpfr-3.1.4.tar.xz.cksum
index 90f90eb..54cd485 100644
--- a/util/crossgcc/sum/mpfr-3.1.4.tar.xz.cksum
+++ b/util/crossgcc/sum/mpfr-3.1.4.tar.xz.cksum
@@ -1 +1 @@
-cedc0055d55b6ee4cd17e1e6119ed412520ff81a tarballs/mpfr-3.1.4.tar.xz
+30a2807378f578544538810b24bb65d44268015e5d2390d8ae6383fe3939b3bba1e85279789400a226b365010de4bbcd tarballs/mpfr-3.1.4.tar.xz