From e0f997d3477fe28c2c5d99229bd1cd0de81604b4 Mon Sep 17 00:00:00 2001
From: Nick Platt
Date: Wed, 13 Apr 2016 22:10:42 -0400
Subject: [PATCH] rustbuild: Verify sha256 of downloaded tarballs
---
 src/bootstrap/bootstrap.py | 31 ++++++++++++++++++++++++-------
 1 file changed, 24 insertions(+), 7 deletions(-)
diff --git a/src/bootstrap/bootstrap.py b/src/bootstrap/bootstrap.py
index 5c50599fbf4..84b8ad333c1 100644
--- a/src/bootstrap/bootstrap.py
+++ b/src/bootstrap/bootstrap.py
@@ -10,6 +10,7 @@

 import argparse
 import contextlib
+import hashlib
 import os
 import shutil
 import subprocess
@@ -18,13 +19,29 @@ import tarfile

 def get(url, path, verbose=False):
 print("downloading " + url)
- # see http://serverfault.com/questions/301128/how-to-download
- if sys.platform == 'win32':
- run(["PowerShell.exe", "/nologo", "-Command",
- "(New-Object System.Net.WebClient).DownloadFile('" + url +
- "', '" + path + "')"], verbose=verbose)
- else:
- run(["curl", "-o", path, url], verbose=verbose)
+ sha_url = url + ".sha256"
+ sha_path = path + ".sha256"
+ for _url, _path in ((url, path), (sha_url, sha_path)):
+ # see http://serverfault.com/questions/301128/how-to-download
+ if sys.platform == 'win32':
+ run(["PowerShell.exe", "/nologo", "-Command",
+ "(New-Object System.Net.WebClient)"
+ ".DownloadFile('{}', '{}')".format(_url, _path)],
+ verbose=verbose)
+ else:
+ run(["curl", "-o", _path, _url], verbose=verbose)
+ print("verifying " + path)
+ with open(path, "rb") as f:
+ found = hashlib.sha256(f.read()).hexdigest()
+ with open(sha_path, "r") as f:
+ expected, _ = f.readline().split()
+ if found != expected:
+ err = ("invalid checksum:\n"
+ " found: {}\n"
+ " expected: {}".format(found, expected))
+ if verbose:
+ raise RuntimeError(err)
+ sys.exit(err)

 def unpack(tarball, dst, verbose=False, match=None):
 print("extracting " + tarball)
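Review bot: The expected digest in `get` is downloaded from the same location as the tarball (`sha_url = url + ".sha256"`), so the comparison catches a truncated or corrupted transfer but cannot detect a tarball and digest that were replaced together. A comment above the download loop such as `# integrity check only: the .sha256 is fetched from the same origin as the tarball` would keep this from being read as an authenticity check. On a mismatch the file is also left at `path`; if a caller outside this hunk skips the download when the file already exists, a later run could unpack it unverified, and calling `os.remove(path)` before the `if verbose:` branch would prevent that. Separately, `expected, _ = f.readline().split()` raises a bare ValueError when the `.sha256` file is empty or does not hold exactly two fields (for instance an error body saved in place of the digest), so that case should be reported through the same "invalid checksum" path.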