[openwrt/openwrt] build: stricter hash validation on download

LEDE Commits lede-commits at lists.infradead.org
Sat Aug 2 08:44:52 PDT 2025


nbd pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/042996b46bd41292ef1fa2d58e3b824a547f4c55

commit 042996b46bd41292ef1fa2d58e3b824a547f4c55
Author: Felix Fietkau <nbd at nbd.name>
AuthorDate: Mon Jul 21 18:32:50 2025 +0200

    build: stricter hash validation on download
    
    Check the hash after packing the checkout and fail the build if it
    does not match.
    
    Signed-off-by: Felix Fietkau <nbd at nbd.name>
---
 include/download.mk | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/include/download.mk b/include/download.mk
index 518a14e035..be0c9a31f1 100644
--- a/include/download.mk
+++ b/include/download.mk
@@ -154,7 +154,17 @@ endef
 # $(2): "PKG_" if <name> as in Download/<name> is "default", otherwise "Download/<name>:"
 # $(3): shell command sequence to do the download
 define wrap_mirror
-$(if $(if $(MIRROR),$(filter-out x,$(MIRROR_HASH))),$(SCRIPT_DIR)/download.pl "$(DL_DIR)" "$(FILE)" "$(MIRROR_HASH)" "" || ( $(3) ),$(3)) \
+$(if $(if $(MIRROR), \
+	$(filter-out x,$(MIRROR_HASH))),$(SCRIPT_DIR)/download.pl "$(DL_DIR)" "$(FILE)" "$(MIRROR_HASH)" "" || \
+		( $(3) ) \
+		$(if $(filter-out x,$(MIRROR_HASH)), && ( \
+			file_hash="$$$$($(MKHASH) sha256 "$(DL_DIR)/$(FILE)")"; \
+			[ "$$$$file_hash" = "$(MIRROR_HASH)" ] || { \
+				echo "Hash mismatch for file $(FILE): expected $(MIRROR_HASH), got $$$$file_hash"; \
+				false; \
+			}; \
+		)),
+	$(3)) \
 $(if $(filter check,$(1)), \
 	$(call check_hash,$(FILE),$(MIRROR_HASH),$(2)MIRROR_$(call hash_var,$(MIRROR_MD5SUM))) \
 	$(call check_md5,$(MIRROR_MD5SUM),$(2)MIRROR_MD5SUM,$(2)MIRROR_HASH) \
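Review bot: The new sha256 comparison is attached only to the mirror branch of the outer `$(if …)`, so the fallback `$(3)` on the last added line still packs the checkout with no comparison; that branch is taken whenever `$(MIRROR)` is empty, even if `MIRROR_HASH` holds a real hash (unless a step outside this hunk covers it). Gating the check on the hash alone, by placing the `$(if $(filter-out x,$(MIRROR_HASH)), && ( … ))` part after the outer `$(if …)` with the else branch written as `( $(3) )`, would apply it to both paths. Separately, the line break after `$(if $(MIRROR),` puts whitespace into the inner then-argument, and GNU make tests the expanded condition for non-emptiness without stripping it, so with `MIRROR_HASH` set to `x` the outer condition may now be true and `download.pl` may be called with the placeholder; `$(if $(strip $(if $(MIRROR),$(filter-out x,$(MIRROR_HASH)))),` would keep the old behaviour and make the inner guard's purpose explicit. The `wrap_mirror` define continues past the end of this hunk.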



