Linux: Verify checksums when downloading Debian Packages.bz2 files in the sysroot script.

chrome/installer/linux/sysroot_scripts/sysroot-creator-debian.wheezy.sh

 #!/bin/sh
 #
 # Copyright (c) 2013 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 #
 #@ This script builds a Debian Wheezy sysroot for building Google Chrome.
 #@
 #@  Generally this script is invoked as:
 #@  sysroot-creator-debian.wheezy.sh <mode> <args>*
@@ skipping 15 matching lines @@
 readonly INSTALL_ROOT_I386=$(pwd)/debian_wheezy_i386_staging
 
 readonly REQUIRED_TOOLS="wget"
 
 ######################################################################
 # Package Config
 ######################################################################
 
 # this is where we get all the debian packages from
 readonly DEBIAN_REPO=http://http.us.debian.org/debian
+readonly REPO_BASEDIR="${DEBIAN_REPO}/dists/wheezy"
 
-readonly PACKAGE_LIST_AMD64="${DEBIAN_REPO}/dists/wheezy/main/binary-amd64/Packages.bz2"
-readonly PACKAGE_LIST_I386="${DEBIAN_REPO}/dists/wheezy/main/binary-i386/Packages.bz2"
+readonly RELEASE_FILE="Release"
+readonly RELEASE_FILE_GPG="Release.gpg"
+readonly RELEASE_LIST="${REPO_BASEDIR}/${RELEASE_FILE}"
+readonly RELEASE_LIST_GPG="${REPO_BASEDIR}/${RELEASE_FILE_GPG}"
+readonly PACKAGE_FILE_AMD64="main/binary-amd64/Packages.bz2"
+readonly PACKAGE_FILE_I386="main/binary-i386/Packages.bz2"
+readonly PACKAGE_LIST_AMD64="${REPO_BASEDIR}/${PACKAGE_FILE_AMD64}"
+readonly PACKAGE_LIST_I386="${REPO_BASEDIR}/${PACKAGE_FILE_I386}"
 
 # Sysroot packages: these are the packages needed to build chrome.
 # NOTE: When DEBIAN_PACKAGES is modified, the packagelist files must be updated
 # by running this script in GeneratePackageList mode.
 readonly DEBIAN_PACKAGES="\
   comerr-dev \
   gcc-4.6 \
   krb5-multidev \
   libasound2 \
   libasound2-dev \
@@ skipping 394 matching lines @@
 #@    Build everything and package it
 BuildSysrootI386() {
   ClearInstallDir
   InstallIntoSysroot ${DEBIAN_DEP_FILES_I386}
   CleanupJailSymlinks
   HacksAndPatchesI386
   CreateTarBall $1
 }
 
 #
+# CheckForDebianGPGKeys
+#
+#     Make sure the Debian GPG keys exist. Otherwise print a helpful message.
+#
+CheckForDebianGPGKeys() {
+  if [ ! -e "/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg" ]  ||
+     [ ! -e "/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg" ]; then
+    echo "Debian GPG keys missing. Install the debian-archive-keyring package."
+    exit 1
+  fi
+}
+
+#
+# VerifyPackageListing
+#
+#     Verifies the downloaded Packages.bz2 file has the right checksums.
+#
+VerifyPackageListing() {
+  local file_path=$1
+  local output_file=$2
+  local release_file="${TMP}/${RELEASE_FILE}"
+  local release_file_gpg="${TMP}/${RELEASE_FILE_GPG}"
+
+  CheckForDebianGPGKeys
+
+  DownloadOrCopy ${RELEASE_LIST} ${release_file}
+  DownloadOrCopy ${RELEASE_LIST_GPG} ${release_file_gpg}
+  echo "Verifying: ${release_file} with ${release_file_gpg}"
+  gpgv --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg \
+       --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg \
+       ${release_file_gpg} ${release_file}
+
+  echo "Verifying: ${output_file}"
+  local checksums=$(grep ${file_path} ${release_file} | cut -d " " -f 2)
+  local md5sum=$(echo ${checksums} | cut -d " " -f 1)
+  local sha1sum=$(echo ${checksums} | cut -d " " -f 2)
+  local sha256sum=$(echo ${checksums} | cut -d " " -f 3)
+
+  if [ "${#md5sum}" -ne "32" ]; then
+    echo "Bad md5sum from ${RELEASE_LIST}"
+    exit 1
+  fi
+  if [ "${#sha1sum}" -ne "40" ]; then
+    echo "Bad sha1sum from ${RELEASE_LIST}"
+    exit 1
+  fi
+  if [ "${#sha256sum}" -ne "64" ]; then
+    echo "Bad sha256sum from ${RELEASE_LIST}"
+    exit 1
+  fi
+
+  echo "${md5sum}  ${output_file}" | md5sum --quiet -c
+  echo "${sha1sum}  ${output_file}" | sha1sum --quiet -c
+  echo "${sha256sum}  ${output_file}" | sha256sum --quiet -c
+}
+
+#
 # GeneratePackageList
 #
 #     Looks up package names in ${TMP}/Packages and write list of URLs
 #     to output file.
 #
 GeneratePackageList() {
   local output_file=$1
   echo "Updating: ${output_file}"
   /bin/rm -f ${output_file}
   shift
@@ skipping 10 matching lines @@
 }
 
 #@
 #@ UpdatePackageListsAmd64
 #@
 #@     Regenerate the package lists such that they contain an up-to-date
 #@     list of URLs within the Debian archive. (For amd64)
 UpdatePackageListsAmd64() {
   local package_list="${TMP}/Packages.wheezy_amd64.bz2"
   DownloadOrCopy ${PACKAGE_LIST_AMD64} ${package_list}
+  VerifyPackageListing ${PACKAGE_FILE_AMD64} ${package_list}
   bzcat ${package_list} | egrep '^(Package:|Filename:)' > ${TMP}/Packages
 
   GeneratePackageList ${DEBIAN_DEP_LIST_AMD64} "${DEBIAN_PACKAGES}"
 }
 
 #@
 #@ UpdatePackageListsI386
 #@
 #@     Regenerate the package lists such that they contain an up-to-date
 #@     list of URLs within the Debian archive. (For i386)
 UpdatePackageListsI386() {
   local package_list="${TMP}/Packages.wheezy_i386.bz2"
   DownloadOrCopy ${PACKAGE_LIST_I386} ${package_list}
+  VerifyPackageListing ${PACKAGE_FILE_I386} ${package_list}
   bzcat ${package_list} | egrep '^(Package:|Filename:)' > ${TMP}/Packages
 
   GeneratePackageList ${DEBIAN_DEP_LIST_I386} "${DEBIAN_PACKAGES}"
 }
 
 if [ $# -eq 0 ] ; then
   echo "ERROR: you must specify a mode on the commandline"
   echo
   Usage
   exit 1
 elif [ "$(type -t $1)" != "function" ]; then
   echo "ERROR: unknown function '$1'." >&2
   echo "For help, try:"
   echo "    $0 help"
   exit 1
 else
   ChangeDirectory
   SetEnvironmentVariables "$1"
   SanityCheck
   "$@"
 fi