[elbe-devel] [PATCH 10/11] dump: Also validate sha256 sums when they are available

Holger Dengler dengler at linutronix.de
Mon Mar 14 15:22:03 CET 2022


On 14.03.22 14:48, Torben Hohn wrote:
> Since buster, sha256 checksums in package indices are mandatory
> and md5 sums are only optional.
> On security.debian.org md5 sums are already dropped for bullseye.
> This breaks the fullpackagelist validation.
> 
> Validate sha256 sums when they are there. Make sure that at least one
> sum is validated in the validation.
> 
> Signed-off-by: Torben Hohn <torben.hohn at linutronix.de>

Reviewed-by: Holger Dengler <dengler at linutronix.de>

> ---
>  elbepack/dump.py | 21 +++++++++++++++++----
>  1 file changed, 17 insertions(+), 4 deletions(-)
> 
> diff --git a/elbepack/dump.py b/elbepack/dump.py
> index e644b445e..23f971c6c 100644
> --- a/elbepack/dump.py
> +++ b/elbepack/dump.py
> @@ -129,6 +129,7 @@ def check_full_pkgs(pkgs, fullpkgs, cache):
>          name = p.et.text
>          ver = p.et.get('version')
>          md5 = p.et.get('md5')
> +        sha256 = p.et.get('sha256')
>  
>          pindex[name] = p
>  
> @@ -150,10 +151,22 @@ def check_full_pkgs(pkgs, fullpkgs, cache):
>              errors += 1
>              continue
>  
> -        if pkg.installed_md5 != md5:
> -            validation.error("Package '%s' md5 %s does not match installed md5 %s",
> -                             name, md5, pkg.installed_md5)
> -            errors += 1
> +        if md5:
> +            if pkg.installed_md5 != md5:
> +                validation.error("Package '%s' md5 %s does not match installed md5 %s",
> +                                 name, md5, pkg.installed_md5)
> +                errors += 1
> +
> +        if sha256:
> +            if pkg.installed_sha256 != sha256:
> +                validation.error("Package '%s' sha256 %s does not match installed sha256 %s",
> +                                 name, sha256, pkg.installed_sha256)
> +                errors += 1
> +
> +        if not md5 and not sha256:
> +            validation.error("Package '%s' has no hash setup in package list.",
> +                             name)
> +            error += 1
>  
>      for cp in cache.get_installed_pkgs():
>          if cp.name not in pindex:
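
Review bot: The new `if not md5 and not sha256:` branch increments `error`, while every other branch in this hunk increments `errors`. As posted, a package entry with no hash is not counted in `errors`, and unless a separate `error` variable is assigned earlier in the function, the `+=` raises an exception on exactly the path that is supposed to report the missing hash. Change the line to `errors += 1`. A test case with a package entry carrying neither `md5` nor `sha256` would cover this branch.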

-- 
Regards,
Holger Dengler
--
phone: +49 7556 25 999 14; fax: +49 7556 25 999 99