Chromium Code Reviews Chromium Code Reviews
Issue 61493002:
Linux: Verify checksums when downloading Debian Packages.bz2 files in the sysroot script. (Closed)
Base URL: svn://chrome-svn/chrome/trunk/src/| OLD | NEW |
|---|---|
| 1 #!/bin/sh | 1 #!/bin/sh |
| 2 # | 2 # |
| 3 # Copyright (c) 2013 The Chromium Authors. All rights reserved. | 3 # Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
| 5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
| 6 # | 6 # |
| 7 #@ This script builds a Debian Wheezy sysroot for building Google Chrome. | 7 #@ This script builds a Debian Wheezy sysroot for building Google Chrome. |
| 8 #@ | 8 #@ |
| 9 #@ Generally this script is invoked as: | 9 #@ Generally this script is invoked as: |
| 10 #@ sysroot-creator-debian.wheezy.sh <mode> <args>* | 10 #@ sysroot-creator-debian.wheezy.sh <mode> <args>* |
| (...skipping 15 matching lines...) Expand all Loading... | |
| 26 readonly INSTALL_ROOT_I386=$(pwd)/debian_wheezy_i386_staging | 26 readonly INSTALL_ROOT_I386=$(pwd)/debian_wheezy_i386_staging |
| 27 | 27 |
| 28 readonly REQUIRED_TOOLS="wget" | 28 readonly REQUIRED_TOOLS="wget" |
| 29 | 29 |
| 30 ###################################################################### | 30 ###################################################################### |
| 31 # Package Config | 31 # Package Config |
| 32 ###################################################################### | 32 ###################################################################### |
| 33 | 33 |
| 34 # this is where we get all the debian packages from | 34 # this is where we get all the debian packages from |
| 35 readonly DEBIAN_REPO=http://http.us.debian.org/debian | 35 readonly DEBIAN_REPO=http://http.us.debian.org/debian |
| 36 readonly REPO_BASEDIR="${DEBIAN_REPO}/dists/wheezy" | |
| 36 | 37 |
| 37 readonly PACKAGE_LIST_AMD64="${DEBIAN_REPO}/dists/wheezy/main/binary-amd64/Packa ges.bz2" | 38 readonly RELEASE_FILE="Release" |
| 38 readonly PACKAGE_LIST_I386="${DEBIAN_REPO}/dists/wheezy/main/binary-i386/Package s.bz2" | 39 readonly RELEASE_FILE_GPG="Release.gpg" |
| 40 readonly RELEASE_LIST="${REPO_BASEDIR}/${RELEASE_FILE}" | |
| 41 readonly RELEASE_LIST_GPG="${REPO_BASEDIR}/${RELEASE_FILE_GPG}" | |
| 42 readonly PACKAGE_FILE_AMD64="main/binary-amd64/Packages.bz2" | |
| 43 readonly PACKAGE_FILE_I386="main/binary-i386/Packages.bz2" | |
| 44 readonly PACKAGE_LIST_AMD64="${REPO_BASEDIR}/${PACKAGE_FILE_AMD64}" | |
| 45 readonly PACKAGE_LIST_I386="${REPO_BASEDIR}/${PACKAGE_FILE_I386}" | |
| 39 | 46 |
| 40 # Sysroot packages: these are the packages needed to build chrome. | 47 # Sysroot packages: these are the packages needed to build chrome. |
| 41 # NOTE: When DEBIAN_PACKAGES is modified, the packagelist files must be updated | 48 # NOTE: When DEBIAN_PACKAGES is modified, the packagelist files must be updated |
| 42 # by running this script in GeneratePackageList mode. | 49 # by running this script in GeneratePackageList mode. |
| 43 readonly DEBIAN_PACKAGES="\ | 50 readonly DEBIAN_PACKAGES="\ |
| 44 comerr-dev \ | 51 comerr-dev \ |
| 45 gcc-4.6 \ | 52 gcc-4.6 \ |
| 46 krb5-multidev \ | 53 krb5-multidev \ |
| 47 libasound2 \ | 54 libasound2 \ |
| 48 libasound2-dev \ | 55 libasound2-dev \ |
| (...skipping 394 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 443 #@ Build everything and package it | 450 #@ Build everything and package it |
| 444 BuildSysrootI386() { | 451 BuildSysrootI386() { |
| 445 ClearInstallDir | 452 ClearInstallDir |
| 446 InstallIntoSysroot ${DEBIAN_DEP_FILES_I386} | 453 InstallIntoSysroot ${DEBIAN_DEP_FILES_I386} |
| 447 CleanupJailSymlinks | 454 CleanupJailSymlinks |
| 448 HacksAndPatchesI386 | 455 HacksAndPatchesI386 |
| 449 CreateTarBall $1 | 456 CreateTarBall $1 |
| 450 } | 457 } |
| 451 | 458 |
| 452 # | 459 # |
| 460 # VerifyPackageListing | |
| 461 # | |
| 462 # Verifies the downloaded Packages.bz2 file has the right checksums. | |
| 463 # | |
| 464 VerifyPackageListing() { | |
| 465 local file_path=$1 | |
| 466 local output_file=$2 | |
| 467 local release_file="${TMP}/${RELEASE_FILE}" | |
| 468 local release_file_gpg="${TMP}/${RELEASE_FILE_GPG}" | |
| 469 DownloadOrCopy ${RELEASE_LIST} ${release_file} | |
| 470 DownloadOrCopy ${RELEASE_LIST_GPG} ${release_file_gpg} | |
| 471 echo "Verifying: ${release_file} with ${release_file_gpg}" | |
| 472 gpgv --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg \ | |
| 473 --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg \ | |
|
Michael Moss
2013/11/06 18:32:45
Where do these keyrings come from? Is it safe to a
| |
| 474 ${release_file_gpg} ${release_file} | |
| 475 | |
| 476 echo "Verifying: ${output_file}" | |
| 477 local checksums=$(grep ${file_path} ${release_file} | cut -d " " -f 2) | |
| 478 local md5sum=$(echo ${checksums} | cut -d " " -f 1) | |
| 479 local sha1sum=$(echo ${checksums} | cut -d " " -f 2) | |
| 480 local sha256sum=$(echo ${checksums} | cut -d " " -f 3) | |
| 481 | |
| 482 if [ "${#md5sum}" -ne "32" ]; then | |
| 483 echo "Bad md5sum from ${RELEASE_LIST}" | |
| 484 exit 1 | |
| 485 fi | |
| 486 if [ "${#sha1sum}" -ne "40" ]; then | |
| 487 echo "Bad sha1sum from ${RELEASE_LIST}" | |
| 488 exit 1 | |
| 489 fi | |
| 490 if [ "${#sha256sum}" -ne "64" ]; then | |
| 491 echo "Bad sha256sum from ${RELEASE_LIST}" | |
| 492 exit 1 | |
| 493 fi | |
| 494 | |
| 495 echo "${md5sum} ${output_file}" | md5sum --quiet -c | |
| 496 echo "${sha1sum} ${output_file}" | sha1sum --quiet -c | |
| 497 echo "${sha256sum} ${output_file}" | sha256sum --quiet -c | |
| 498 } | |
| 499 | |
| 500 # | |
| 453 # GeneratePackageList | 501 # GeneratePackageList |
| 454 # | 502 # |
| 455 # Looks up package names in ${TMP}/Packages and write list of URLs | 503 # Looks up package names in ${TMP}/Packages and write list of URLs |
| 456 # to output file. | 504 # to output file. |
| 457 # | 505 # |
| 458 GeneratePackageList() { | 506 GeneratePackageList() { |
| 459 local output_file=$1 | 507 local output_file=$1 |
| 460 echo "Updating: ${output_file}" | 508 echo "Updating: ${output_file}" |
| 461 /bin/rm -f ${output_file} | 509 /bin/rm -f ${output_file} |
| 462 shift | 510 shift |
| (...skipping 10 matching lines...) Expand all Loading... | |
| 473 } | 521 } |
| 474 | 522 |
| 475 #@ | 523 #@ |
| 476 #@ UpdatePackageListsAmd64 | 524 #@ UpdatePackageListsAmd64 |
| 477 #@ | 525 #@ |
| 478 #@ Regenerate the package lists such that they contain an up-to-date | 526 #@ Regenerate the package lists such that they contain an up-to-date |
| 479 #@ list of URLs within the Debian archive. (For amd64) | 527 #@ list of URLs within the Debian archive. (For amd64) |
| 480 UpdatePackageListsAmd64() { | 528 UpdatePackageListsAmd64() { |
| 481 local package_list="${TMP}/Packages.wheezy_amd64.bz2" | 529 local package_list="${TMP}/Packages.wheezy_amd64.bz2" |
| 482 DownloadOrCopy ${PACKAGE_LIST_AMD64} ${package_list} | 530 DownloadOrCopy ${PACKAGE_LIST_AMD64} ${package_list} |
| 531 VerifyPackageListing ${PACKAGE_FILE_AMD64} ${package_list} | |
| 483 bzcat ${package_list} | egrep '^(Package:|Filename:)' > ${TMP}/Packages | 532 bzcat ${package_list} | egrep '^(Package:|Filename:)' > ${TMP}/Packages |
| 484 | 533 |
| 485 GeneratePackageList ${DEBIAN_DEP_LIST_AMD64} "${DEBIAN_PACKAGES}" | 534 GeneratePackageList ${DEBIAN_DEP_LIST_AMD64} "${DEBIAN_PACKAGES}" |
| 486 } | 535 } |
| 487 | 536 |
| 488 #@ | 537 #@ |
| 489 #@ UpdatePackageListsI386 | 538 #@ UpdatePackageListsI386 |
| 490 #@ | 539 #@ |
| 491 #@ Regenerate the package lists such that they contain an up-to-date | 540 #@ Regenerate the package lists such that they contain an up-to-date |
| 492 #@ list of URLs within the Debian archive. (For i386) | 541 #@ list of URLs within the Debian archive. (For i386) |
| 493 UpdatePackageListsI386() { | 542 UpdatePackageListsI386() { |
| 494 local package_list="${TMP}/Packages.wheezy_i386.bz2" | 543 local package_list="${TMP}/Packages.wheezy_i386.bz2" |
| 495 DownloadOrCopy ${PACKAGE_LIST_I386} ${package_list} | 544 DownloadOrCopy ${PACKAGE_LIST_I386} ${package_list} |
| 545 VerifyPackageListing ${PACKAGE_FILE_I386} ${package_list} | |
| 496 bzcat ${package_list} | egrep '^(Package:|Filename:)' > ${TMP}/Packages | 546 bzcat ${package_list} | egrep '^(Package:|Filename:)' > ${TMP}/Packages |
| 497 | 547 |
| 498 GeneratePackageList ${DEBIAN_DEP_LIST_I386} "${DEBIAN_PACKAGES}" | 548 GeneratePackageList ${DEBIAN_DEP_LIST_I386} "${DEBIAN_PACKAGES}" |
| 499 } | 549 } |
| 500 | 550 |
| 501 if [ $# -eq 0 ] ; then | 551 if [ $# -eq 0 ] ; then |
| 502 echo "ERROR: you must specify a mode on the commandline" | 552 echo "ERROR: you must specify a mode on the commandline" |
| 503 echo | 553 echo |
| 504 Usage | 554 Usage |
| 505 exit 1 | 555 exit 1 |
| 506 elif [ "$(type -t $1)" != "function" ]; then | 556 elif [ "$(type -t $1)" != "function" ]; then |
| 507 echo "ERROR: unknown function '$1'." >&2 | 557 echo "ERROR: unknown function '$1'." >&2 |
| 508 echo "For help, try:" | 558 echo "For help, try:" |
| 509 echo " $0 help" | 559 echo " $0 help" |
| 510 exit 1 | 560 exit 1 |
| 511 else | 561 else |
| 512 ChangeDirectory | 562 ChangeDirectory |
| 513 SetEnvironmentVariables "$1" | 563 SetEnvironmentVariables "$1" |
| 514 SanityCheck | 564 SanityCheck |
| 515 "$@" | 565 "$@" |
| 516 fi | 566 fi |
| OLD | NEW |
