build: stricter hash validation on download
authorFelix Fietkau <nbd@nbd.name>
Mon, 21 Jul 2025 16:32:50 +0000 (18:32 +0200)
committerFelix Fietkau <nbd@nbd.name>
Sat, 2 Aug 2025 14:41:08 +0000 (16:41 +0200)
Check the hash after packing the checkout and fail the build if it
does not match.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
include/download.mk

index 518a14e035176527d8be52edb0f2de173efd1aeb..be0c9a31f17e9ca860014b31229295c844a9549b 100644 (file)
@@ -154,7 +154,17 @@ endef
 # $(2): "PKG_" if <name> as in Download/<name> is "default", otherwise "Download/<name>:"
 # $(3): shell command sequence to do the download
 define wrap_mirror
-$(if $(if $(MIRROR),$(filter-out x,$(MIRROR_HASH))),$(SCRIPT_DIR)/download.pl "$(DL_DIR)" "$(FILE)" "$(MIRROR_HASH)" "" || ( $(3) ),$(3)) \
+$(if $(if $(MIRROR), \
+       $(filter-out x,$(MIRROR_HASH))),$(SCRIPT_DIR)/download.pl "$(DL_DIR)" "$(FILE)" "$(MIRROR_HASH)" "" || \
+               ( $(3) ) \
+               $(if $(filter-out x,$(MIRROR_HASH)), && ( \
+                       file_hash="$$$$($(MKHASH) sha256 "$(DL_DIR)/$(FILE)")"; \
+                       [ "$$$$file_hash" = "$(MIRROR_HASH)" ] || { \
+                               echo "Hash mismatch for file $(FILE): expected $(MIRROR_HASH), got $$$$file_hash"; \
+                               false; \
+                       }; \
+               )),
+       $(3)) \
 $(if $(filter check,$(1)), \
        $(call check_hash,$(FILE),$(MIRROR_HASH),$(2)MIRROR_$(call hash_var,$(MIRROR_MD5SUM))) \
        $(call check_md5,$(MIRROR_MD5SUM),$(2)MIRROR_MD5SUM,$(2)MIRROR_HASH) \
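Review bot: The post-pack comparison is emitted only in the arm taken when `MIRROR` is non-empty and `MIRROR_HASH` is a real value; the else arm on the last added line is still a bare `$(3)`, so a checkout made with `MIRROR` empty is packed without being compared to `MIRROR_HASH` (whether any caller sets that combination is not visible here). The inner `$(if $(filter-out x,$(MIRROR_HASH)), && ( … ))` repeats a test the enclosing arm has already passed, which suggests it was meant to sit after the outer `$(if …)` closes; placed there, with the else arm wrapped as `( $(3) )`, it would cover both paths. The mismatch message would also be better on stderr, `echo "Hash mismatch for file $(FILE): expected $(MIRROR_HASH), got $$$$file_hash" >&2;`, so it is not lost when stdout is redirected. `define wrap_mirror` continues past the end of this hunk, so how the later `check_hash` call interacts with this check cannot be judged from here.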