From: Felix Fietkau Date: Mon, 21 Jul 2025 16:32:50 +0000 (+0200) Subject: build: stricter hash validation on download X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=042996b46bd41292ef1fa2d58e3b824a547f4c55;p=thirdparty%2Fopenwrt.git build: stricter hash validation on download Check the hash after packing the checkout and fail the build if it does not match. Signed-off-by: Felix Fietkau
---
diff --git a/include/download.mk b/include/download.mk
index 518a14e0351..be0c9a31f17 100644
--- a/include/download.mk
+++ b/include/download.mk
@@ -154,7 +154,17 @@ endef
 # $(2): "PKG_" if as in Download/ is "default", otherwise "Download/:"
 # $(3): shell command sequence to do the download
 define wrap_mirror
-$(if $(if $(MIRROR),$(filter-out x,$(MIRROR_HASH))),$(SCRIPT_DIR)/download.pl "$(DL_DIR)" "$(FILE)" "$(MIRROR_HASH)" "" || ( $(3) ),$(3)) \
+$(if $(if $(MIRROR), \
+ $(filter-out x,$(MIRROR_HASH))),$(SCRIPT_DIR)/download.pl "$(DL_DIR)" "$(FILE)" "$(MIRROR_HASH)" "" || \
+ ( $(3) ) \
+ $(if $(filter-out x,$(MIRROR_HASH)), && ( \
+ file_hash="$$$$($(MKHASH) sha256 "$(DL_DIR)/$(FILE)")"; \
+ [ "$$$$file_hash" = "$(MIRROR_HASH)" ] || { \
+ echo "Hash mismatch for file $(FILE): expected $(MIRROR_HASH), got $$$$file_hash"; \
+ false; \
+ }; \
+ )),
+ $(3)) \
 $(if $(filter check,$(1)), \
 $(call check_hash,$(FILE),$(MIRROR_HASH),$(2)MIRROR_$(call hash_var,$(MIRROR_MD5SUM))) \
 $(call check_md5,$(MIRROR_MD5SUM),$(2)MIRROR_MD5SUM,$(2)MIRROR_HASH) \
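Review bot: On a mismatch the new check only echoes and runs `false`, so the file that just failed verification stays at `$(DL_DIR)/$(FILE)`; if code outside this hunk treats an existing file there as already downloaded, a later build could pick it up without re-checking. Removing it before failing closes that gap: add `rm -f "$(DL_DIR)/$(FILE)"; \` ahead of `false; \`, and send the message to stderr with `>&2`. The check is also attached only to the first branch of the outer `$(if`, so when `MIRROR` is empty the plain `$(3)` fallback still runs unverified even if `MIRROR_HASH` is set; it is worth confirming that case is covered elsewhere. The body of `wrap_mirror` continues past the end of the hunk.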