[PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading

[john at keeping.me.uk (John Keeping)]

On Sat, Mar 07, 2015 at 04:59:26PM +0100, Lukas Fleischer wrote:
> On Sat, 07 Mar 2015 at 15:46:41, John Keeping wrote:
> > This requires that we save the downloaded file explicitly rather than
> > piping it straight to tar, but that is advisable anyway since it allows
> > us to check the exit status of curl and make sure that we have
> > downloaded the file successfully.
> > 
> > Also add a test to make sure we don't forget to update the file when
> > updating our Git version in the future.
> > 
> > Signed-off-by: John Keeping <john at keeping.me.uk>
> > ---
> >  Makefile                             |  8 ++++++--
> >  git.sha256sum                        |  1 +
> >  tests/t0001-validate-git-versions.sh | 11 +++++++++++
> >  3 files changed, 18 insertions(+), 2 deletions(-)
> >  create mode 100644 git.sha256sum
> > [...]
> 
> I like the idea, however, sha256sum is not available on all platforms.
> This breaks `make get-git` under OpenBSD, for example (OpenBSD has a
> utility called sha256 with a different command line interface). Maybe we
> can make the check optional, though?

I'm not sure what benefit it has if it's optional.  Will anyone check?

Maybe we could do something like:

	if type sha256sum >/dev/null 2>&1
	then
		sha256sum --check git.sha256sum $(GIT_FILE)
	else
		echo >&2 'WARNING: sha256sum not found so we cannot verify'
		echo >&2 'WARNING: the integrity of the Git archive!'
	fi

> On a related note, can we download a signature and use `gpg --verify`
> instead (should probably be optional as well, to avoid a dependency on
> GnuPG)?

I thought about that, but we'd have to embed a key with CGit for it to
work reliably and how do we choose what key to use (given that
individual Git archives are not signed - the list of SHA256 checksums
is)?