From 997b6505d79698cb042bf549c1faa8e31c0a5158 Mon Sep 17 00:00:00 2001
From: Enno Boland
Date: Fri, 30 Apr 2021 10:02:58 +0200
Subject: [PATCH] common/hooks: add hook to check for resulting package checksum missmatches
---
 common/hooks/post-pkg/01-check-reproduce.sh | 43 +++++++++++++++++++++
 etc/defaults.conf | 6 +++
 xbps-src | 3 +-
 3 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 common/hooks/post-pkg/01-check-reproduce.sh
diff --git a/common/hooks/post-pkg/01-check-reproduce.sh b/common/hooks/post-pkg/01-check-reproduce.sh
new file mode 100644
index 000000000000..f56abb1b11df
--- /dev/null
+++ b/common/hooks/post-pkg/01-check-reproduce.sh
@@ -0,0 +1,43 @@
+# This hook compares the checksum of the package with the saved value
+
+hook() {
+ local arch= binpkg= checksum_ptr= checksum_have= checksum_want=
+
+ if [ -z "$XBPS_CHECK_REPRODUCIBLE" ]; then
+ return 0;
+ fi
+
+ if [ -z "$XBPS_USE_BUILD_MTIME" ]; then
+ msg_warn "reproducability check will only report correct results when\n"
+ msg_warn "XBPS_USE_BUILD_MTIME is enabled.\n"
+ fi
+
+ if [ -z "$XBPS_CROSS_BUILD" -a -n "$XBPS_ARCH" -a "$XBPS_ARCH" != "$XBPS_TARGET_MACHINE" ]; then
+ arch=${XBPS_ARCH}
+ elif [ -n "$XBPS_TARGET_MACHINE" ]; then
+ arch=$XBPS_TARGET_MACHINE
+ else
+ arch=$XBPS_MACHINE
+ fi
+ binpkg=${pkgver}.${arch}.xbps
+
+ checksum_ptr="pkg_checksum_${arch//-/_}"
+ checksum_want=${!checksum_ptr}
+
+ checksum_have=$(sha256sum "$binpkg" | awk '{ print $1 }')
+
+ if [ -z "${checksum_want}" ]; then
+ msg_normal "$pkgver: template does not define a pkg_checksum\n"
+ msg_normal "$pkgver: if the build is reproducable define the package checksum in the template:\n"
+ msg_normal "$pkgver: $checksum_ptr="$checksum_want"\n"
+ return 0
+ fi
+
+ if [ "${checksum_have}" != "${checksum_want}" ]; then
+ msg_warn "${pkgver}: Checksum mismatch. reproducable build seems to be broken.\n"
+ msg_warn "${pkgver}: Gather relevant system info:\n"
+ msg_normal "CPU: $(grep "^model name" /proc/cpuinfo | head -n 1 | sed 's/.*: //')"
+ else
+ msg_normal "${pkgver}: Checksums patch; build seems to be reproducable.\n"
+ fi
+}
diff --git a/etc/defaults.conf b/etc/defaults.conf
index 6147954a18af..55b9568c812a 100644
--- a/etc/defaults.conf
+++ b/etc/defaults.conf
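Review bot: The "template does not define a pkg_checksum" branch prints `$checksum_want`, which the enclosing `[ -z "${checksum_want}" ]` test has just established is empty, so the hint line never shows the hash the maintainer is meant to copy into the template; it should print the value just computed, and the inner quotes need escaping to survive into the output: `msg_normal "$pkgver: $checksum_ptr=\"$checksum_have\"\n"`. `checksum_have` comes from `sha256sum "$binpkg"` on a bare relative filename with no existence or exit-status check, so if the hook runs outside the directory holding the binpkg (the working directory is not visible from this hunk) `checksum_have` is empty and every template that does define a checksum gets a spurious "Checksum mismatch" warning; a guard such as `[ -f "$binpkg" ] || { msg_warn "$pkgver: $binpkg not found, skipping reproducibility check\n"; return 0; }` before the sha256sum keeps the report trustworthy. The user-facing strings misspell "reproducibility"/"reproducible" throughout, "Checksums patch" should read "Checksums match", and the CPU line lacks the trailing `\n` every other message has. The arch test chains its conditions with the deprecated `-a` operator; splitting it into `[ -z "$XBPS_CROSS_BUILD" ] && [ -n "$XBPS_ARCH" ] && [ "$XBPS_ARCH" != "$XBPS_TARGET_MACHINE" ]` avoids `test`'s ambiguity when an operand starts with `-`.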
@@ -130,6 +130,12 @@ XBPS_SUCMD="sudo /bin/sh -c"
 #XBPS_CHROOT_CMD=uchroot
 #XBPS_CHROOT_CMD_ARGS=""
+# [OPTIONAL]
+# If enabled, xbps-src will check the resulting checksum of a package against
+# a defined one. This helps to detect packages that have non-deterministic builds
+#
+#XBPS_CHECK_REPRODUCIBLE=yes
+
 # [OPTIONAL]
 # Enable to use the standard mtime of files. Otherwise it will be rewritten to
 # the HEAD commit time. Requires git when disabled.
diff --git a/xbps-src b/xbps-src
index c3cd7e5db10b..7fdb2dd41b57 100755
--- a/xbps-src
+++ b/xbps-src
@@ -635,7 +635,8 @@ export XBPS_SHUTILSDIR XBPS_CROSSPFDIR XBPS_TRIGGERSDIR \
 XBPS_DESTDIR XBPS_MACHINE XBPS_TEMP_MASTERDIR XBPS_BINPKG_EXISTS \
 XBPS_LIBEXECDIR XBPS_DISTDIR XBPS_DISTFILES_MIRROR XBPS_ALLOW_RESTRICTED \
 XBPS_USE_GIT_COMMIT_DATE XBPS_PKG_COMPTYPE XBPS_REPO_COMPTYPE \
- XBPS_BUILDHELPERDIR XBPS_USE_BUILD_MTIME XBPS_BUILD_ENVIRONMENT
+ XBPS_BUILDHELPERDIR XBPS_CHECK_REPRODUCIBLE XBPS_USE_BUILD_MTIME \
+ XBPS_BUILD_ENVIRONMENT
 for i in REPOSITORY DESTDIR BUILDDIR SRCDISTDIR; do
 eval val="\$XBPS_$i"