support/download/check-hash

   1 #!/bin/bash
   2 set -e
   3
   4 # Helper to check a file matches its known hash
   5 # Call it with:
   6 #   $1: the full path to the file to check
   7 #   $2: the path of the file containing all the the expected hashes
   8
   9 h_file="${1}"
  10 file="${2}"
  11
  12 # Does the hash-file exist?
  13 if [ ! -f "${h_file}" ]; then
  14     exit 0
  15 fi
  16
  17 # Check one hash for a file
  18 # $1: known hash
  19 # $2: file (full path)
  20 check_one_hash() {
  21     _h="${1}"
  22     _known="${2}"
  23     _file="${3}"
  24
  25     # Note: md5 is supported, but undocumented on purpose.
  26     # Note: sha3 is not supported, since there is currently no implementation
  27     #       (the NIST has yet to publish the parameters).
  28     case "${_h}" in
  29         md5|sha1)                       ;;
  30         sha224|sha256|sha384|sha512)    ;;
  31         *) # Unknown hash, exit with error
  32             printf "ERROR: unknown hash '%s' for '%s'\n"  \
  33                    "${_h}" "${_file##*/}" >&2
  34             exit 1
  35             ;;
  36     esac
  37
  38     # Do the hashes match?
  39     _hash=$( ${_h}sum "${_file}" |cut -d ' ' -f 1 )
  40     if [ "${_hash}" = "${_known}" ]; then
  41         printf "%s: OK (%s: %s)\n" "${_file##*/}" "${_h}" "${_hash}"
  42         return 0
  43     fi
  44
  45     printf "ERROR: %s has wrong %s hash:\n" "${_file##*/}" "${_h}" >&2
  46     printf "ERROR: expected: %s\n" "${_known}" >&2
  47     printf "ERROR: got     : %s\n" "${_hash}" >&2
  48     printf "ERROR: Incomplete download, or man-in-the-middle (MITM) attack\n" >&2
  49
  50     exit 1
  51 }
  52
  53 # Do we know one or more hashes for that file?
  54 nb_checks=0
  55 while read t h f; do
  56     case "${t}" in
  57         ''|'#'*)
  58             # Skip comments and empty lines
  59             continue
  60             ;;
  61         *)
  62             if [ "${f}" = "${file##*/}" ]; then
  63                 check_one_hash "${t}" "${h}" "${file}"
  64                 : $((nb_checks++))
  65             fi
  66             ;;
  67     esac
  68 done <"${h_file}"
  69
  70 if [ ${nb_checks} -eq 0 ]; then
  71     if [ -n "${BR2_ENFORCE_CHECK_HASH}" ]; then
  72         printf "ERROR: No hash found for %s\n" "${file}" >&2
  73         exit 1
  74     else
  75         printf "WARNING: No hash found for %s\n" "${file}" >&2
  76     fi
  77 fi