support/download/check-hash

   1 #!/usr/bin/env bash
   2 set -e
   3
   4 # Helper to check a file matches its known hash
   5 # Call it with:
   6 #   $1: the path of the file containing all the expected hashes
   7 #   $2: the full path to the temporary file that was downloaded, and
   8 #       that is to be checked
   9 #   $3: the final basename of the file, to which it will be ultimately
  10 #       saved as, to be able to match it to the corresponding hashes
  11 #       in the .hash file
  12 #
  13 # Exit codes:
  14 #   0:  the hash file exists and the file to check matches all its hashes,
  15 #       or the hash file does not exist
  16 #   1:  unknown command-line option
  17 #   2:  the hash file exists and the file to check does not match at least
  18 #       one of its hashes
  19 #   3:  the hash file exists and there was no hash to check the file against
  20 #   4:  the hash file exists and at least one hash type is unknown
  21
  22 while getopts :q OPT; do
  23     case "${OPT}" in
  24     q)  exec >/dev/null;;
  25     \?) exit 1;;
  26     esac
  27 done
  28 shift $((OPTIND-1))
  29
  30 h_file="${1}"
  31 file="${2}"
  32 base="${3}"
  33
  34 # Bail early if no hash to check
  35 if [ -z "${h_file}" ]; then
  36     exit 0
  37 fi
  38 # Does the hash-file exist?
  39 if [ ! -f "${h_file}" ]; then
  40     printf "WARNING: no hash file for %s\n" "${base}" >&2
  41     exit 0
  42 fi
  43
  44 # Check one hash for a file
  45 # $1: known hash
  46 # $2: file (full path)
  47 check_one_hash() {
  48     _h="${1}"
  49     _known="${2}"
  50     _file="${3}"
  51
  52     # Note: md5 is supported, but undocumented on purpose.
  53     # Note: sha3 is not supported, since there is currently no implementation
  54     #       (the NIST has yet to publish the parameters).
  55     # Note: 'none' means there is explicitly no hash for that file.
  56     case "${_h}" in
  57         none)
  58             return 0
  59             ;;
  60         md5|sha1)                       ;;
  61         sha224|sha256|sha384|sha512)    ;;
  62         *) # Unknown hash, exit with error
  63             printf "ERROR: unknown hash '%s' for '%s'\n"  \
  64                    "${_h}" "${base}" >&2
  65             exit 4
  66             ;;
  67     esac
  68
  69     # Do the hashes match?
  70     _hash=$( ${_h}sum "${_file}" |cut -d ' ' -f 1 )
  71     if [ "${_hash}" = "${_known}" ]; then
  72         printf "%s: OK (%s: %s)\n" "${base}" "${_h}" "${_hash}"
  73         return 0
  74     fi
  75
  76     printf "ERROR: %s has wrong %s hash:\n" "${base}" "${_h}" >&2
  77     printf "ERROR: expected: %s\n" "${_known}" >&2
  78     printf "ERROR: got     : %s\n" "${_hash}" >&2
  79     printf "ERROR: Incomplete download, or man-in-the-middle (MITM) attack\n" >&2
  80
  81     exit 2
  82 }
  83
  84 # Do we know one or more hashes for that file?
  85 nb_checks=0
  86 while read t h f; do
  87     case "${t}" in
  88         ''|'#'*)
  89             # Skip comments and empty lines
  90             continue
  91             ;;
  92         *)
  93             if [ "${f}" = "${base}" ]; then
  94                 check_one_hash "${t}" "${h}" "${file}"
  95                 : $((nb_checks++))
  96             fi
  97             ;;
  98     esac
  99 done <"${h_file}"
 100
 101 if [ ${nb_checks} -eq 0 ]; then
 102     case " ${BR_NO_CHECK_HASH_FOR} " in
 103     *" ${base} "*)
 104         # File explicitly has no hash
 105         exit 0
 106         ;;
 107     esac
 108     printf "ERROR: No hash found for %s\n" "${base}" >&2
 109     exit 3
 110 fi