tools/check-hash.sh: Add a tool check hash on downloaded packages.

2019-02-15 07:08:44 -06:00 · 2019-02-15 07:08:44 -06:00 · 41245f421e
commit 41245f421e
parent b5e6af60ac
2 changed files with 97 additions and 0 deletions
--- a/tools/README.txt
+++ b/tools/README.txt
@ -7,6 +7,14 @@ The tools/ directory contains miscellaneous scripts and host C programs
 that are necessary parts of the NuttX build system.  These files
 include:
 check-hash.sh
 -------------
  Tool to check commonly used hashes of externaly downloaded packages.
  Good way of checking if download got corrupted or if there is man in the
  middle attack going on. Also protects from situation when upstream
  server gets hacked and sources are replaced with mallicious ones.
 cmpconfig.c
 -----------
--- a/tools/check-hash.sh
+++ b/tools/check-hash.sh
@ -0,0 +1,89 @@
 #!/usr/bin/env sh
 ############################################################################
 # apps/tools/check-hash.sh
 #
 #   Copyright (C) 2019 Michał Łyszczek. All rights reserved.
 #   Author: Michał Łyszczek <michal.lyszczek@bofc.pl>
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
 # are met:
 #
 # 1. Redistributions of source code must retain the above copyright
 #    notice, this list of conditions and the following disclaimer.
 # 2. Redistributions in binary form must reproduce the above copyright
 #    notice, this list of conditions and the following disclaimer in
 #    the documentation and/or other materials provided with the
 #    distribution.
 # 3. Neither the name NuttX nor the names of its contributors may be
 #    used to endorse or promote products derived from this software
 #    without specific prior written permission.
 #
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 # COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
 # OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
 # AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 # POSSIBILITY OF SUCH DAMAGE.
 #
 ############################################################################
 usage="Usage: $0 <hash-algo> <expected-hash> <file-to-check>"
 if [ ${#} -ne 3 ]
 then
    echo "ERROR: invalid number of arguments passed"
    echo ""
    echo ${usage}
    exit 1
 fi
 hash_algo=${1}
 exp_hash=${2}
 file_to_check=${3}
 if [ ! -f "${file_to_check}" ]; then
    echo "ERROR: file '${file_to_check}' does not exist"
    echo ""
    echo ${usage}
    exit 1
 fi
 case "${hash_algo}" in
    sha1|sha224|sha256|sha384|sha512)
        # valid hash passed, continue
        ;;
    *)
        echo "ERROR: invalid hash '${hash_algo}' for file '${file_to_check}'"
        echo "supported hashes are:"
        echo "    sha1, sha224, sha256, sha384, sha512"
        echo ""
        echo ${usage}
        exit 1
 esac
 # Calculate hash value of passed file
 calc_hash=$( ${hash_algo}sum "${file_to_check}" | cut -d' ' -f1 )
 # Does it match expected hash?
 if [ "${exp_hash}" == "${calc_hash}" ]; then
    # yes, they match, we're good
    exit 0
 fi
 # No, hashes don't match, print error message and remove corrupted file
 echo "ERROR: file ${file_to_check} has invalid hash"
 echo "got:      ${calc_hash}"
 echo "expected: ${exp_hash}"
 rm "${file_to_check}"
 exit 1