From mboxrd@z Thu Jan 1 00:00:00 1970 From: john at keeping.me.uk (John Keeping) Date: Sat, 7 Mar 2015 17:02:59 +0000 Subject: [PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading In-Reply-To: <20150307155926.6430.47439@typhoon> References: <0146555fda82120aa6ff6a7e9761d00d53ced865.1425739601.git.john@keeping.me.uk> <20150307155926.6430.47439@typhoon> Message-ID: <20150307170259.GI1369@serenity.lan> On Sat, Mar 07, 2015 at 04:59:26PM +0100, Lukas Fleischer wrote: > On Sat, 07 Mar 2015 at 15:46:41, John Keeping wrote: > > This requires that we save the downloaded file explicitly rather than > > piping it straight to tar, but that is advisable anyway since it allows > > us to check the exit status of curl and make sure that we have > > downloaded the file successfully. > > > > Also add a test to make sure we don't forget to update the file when > > updating our Git version in the future. > > > > Signed-off-by: John Keeping > > --- > > Makefile | 8 ++++++-- > > git.sha256sum | 1 + > > tests/t0001-validate-git-versions.sh | 11 +++++++++++ > > 3 files changed, 18 insertions(+), 2 deletions(-) > > create mode 100644 git.sha256sum > > [...] > > I like the idea, however, sha256sum is not available on all platforms. > This breaks `make get-git` under OpenBSD, for example (OpenBSD has a > utility called sha256 with a different command line interface). Maybe we > can make the check optional, though? I'm not sure what benefit it has if it's optional. Will anyone check? Maybe we could do something like: if type sha256sum >/dev/null 2>&1 then sha256sum --check git.sha256sum $(GIT_FILE) else echo >&2 'WARNING: sha256sum not found so we cannot verify' echo >&2 'WARNING: the integrity of the Git archive!' fi > On a related note, can we download a signature and use `gpg --verify` > instead (should probably be optional as well, to avoid a dependency on > GnuPG)? I thought about that, but we'd have to embed a key with CGit for it to work reliably and how do we choose what key to use (given that individual Git archives are not signed - the list of SHA256 checksums is)?