[tor-commits] [tor-browser-bundle/master] Record and check explicit hashes for stuff without sigs.

mikeperry at torproject.org mikeperry at torproject.org
Tue Jul 16 22:10:31 UTC 2013


commit 71357fc57a1ac014e947a68c74b41a4a6c4412fe
Author: Mike Perry <mikeperry-git at fscked.org>
Date:   Tue Jul 16 15:09:05 2013 -0700

    Record and check explicit hashes for stuff without sigs.
---
 gitian/fetch-inputs.sh |   32 ++++++++++++++++++--------------
 gitian/versions        |    7 +++++++
 2 files changed, 25 insertions(+), 14 deletions(-)

diff --git a/gitian/fetch-inputs.sh b/gitian/fetch-inputs.sh
index 46a0ca5..8fd4725 100755
--- a/gitian/fetch-inputs.sh
+++ b/gitian/fetch-inputs.sh
@@ -109,17 +109,17 @@ do
   fi
 done
 
-# XXX: This doesn't cover everything. See #8525
 for i in TOOLCHAIN4 OSXSDK
 do
   PACKAGE="${i}_PACKAGE"
   URL="${MIRROR_URL}${!PACKAGE}"
   get "${!PACKAGE}" "${MIRROR_URL}${!PACKAGE}"
-  echo >&2 "Warning, not verifying signature for $i"
 done
 
 # Verify packages with weak or no signatures via multipath downloads
 # (OpenSSL is signed with MD5, and OSXSDK is not signed at all)
+# XXX: Google won't allow wget -N.. We need to re-download the whole
+# TOOLCHAIN4 each time. Rely only on SHA256 for now..
 mkdir -p verify
 cd verify
 for i in OPENSSL OSXSDK
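Review bot: The relocated comment above `mkdir -p verify` says to "rely only on SHA256 for now" for TOOLCHAIN4, but it now sits directly above the multipath loop that no longer iterates TOOLCHAIN4, so a reader has to hunt for the sha256sum loop near the end of the script to find where that package is actually checked. I would name that location in the comment: `# XXX: Google won't allow wget -N, so TOOLCHAIN4 is not re-fetched into verify/;` followed by `# it is verified only against TOOLCHAIN4_HASH in the sha256sum loop at the end of this script.` With the per-package warning removed from the `get` loop, that pointer is the only hint left in this part of the file that TOOLCHAIN4 and OSXSDK are checked at all.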
@@ -131,18 +131,10 @@ do
     mv "${!PACKAGE}" "${!PACKAGE}.removed"
     exit 1
   fi
-done
-# XXX: Google won't allow wget -N.. We need to re-download the whole
-# TOOLCHAIN4 each time :/
-rm -f "$TOOLCHAIN4_PACKAGE"
-wget "$TOOLCHAIN4_URL"
-for i in OPENSSL OSXSDK TOOLCHAIN4
-do
-   PACKAGE="${i}_PACKAGE"
-   if ! diff "${!PACKAGE}" "../${!PACKAGE}"; then
-     echo "Package ${!PACKAGE} differs from our mirror's version!"
-     exit 1
-   fi
+  if ! diff "${!PACKAGE}" "../${!PACKAGE}"; then
+    echo "Package ${!PACKAGE} differs from our mirror's version!"
+    exit 1
+  fi
 done
 cd ..
 
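Review bot: The mismatch branch at the added `if ! diff "${!PACKAGE}" "../${!PACKAGE}"` reports to stdout and leaves the differing copy in place, whereas the failure branch whose tail is visible at the top of this hunk moves the package to `${!PACKAGE}.removed` before exiting. I would make the two branches consistent: `echo >&2 "Package ${!PACKAGE} differs from our mirror's version!"` followed by `mv "${!PACKAGE}" "${!PACKAGE}.removed"` ahead of the `exit 1`. The same stdout-versus-stderr inconsistency applies to the new sha256sum loop in the last hunk of this file. The `for` loop enclosing this body starts outside the hunk.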
@@ -150,6 +142,18 @@ cd ..
 wget -N https://addons.mozilla.org/firefox/downloads/latest/722/addon-722-latest.xpi
 wget -N https://addons.mozilla.org/firefox/downloads/latest/352704/addon-352704-latest.xpi
 
+# Verify packages with weak or no signatures via direct sha256 check
+# (OpenSSL is signed with MD5, and OSXSDK is not signed at all)
+for i in OPENSSL OSXSDK TOOLCHAIN4 NOSCRIPT PDFJS
+do
+   PACKAGE="${i}_PACKAGE"
+   HASH="${i}_HASH"
+   if ! echo "${!HASH}  ${!PACKAGE}" | sha256sum -c -; then
+     echo "Package hash for ${!PACKAGE} differs from our locally stored sha256!"
+     exit 1
+   fi
+done
+
 # So is mingw:
 if [ ! -f mingw-w64-svn-snapshot-r5830.zip ];
 then
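Review bot: The new sha256sum loop indents its body with three spaces while the other loops in this file use two (compare the `get` loop and the `diff` loop in the earlier hunks), and `sha256sum -c -` prints a `<file>: OK` line for every package that passes, so the one message that matters is buried among success lines. I would write `if ! echo "${!HASH}  ${!PACKAGE}" | sha256sum -c --quiet -; then` and re-indent the body to two spaces. If a `*_HASH` entry is missing from versions, the indirect expansion is empty and `sha256sum -c` should reject the malformed line, so the check fails closed rather than silently passing; a short comment stating that the loop relies on that behaviour would save the next maintainer the experiment. The mingw block beginning at `if [ ! -f mingw-w64-svn-snapshot-r5830.zip ]` continues outside the hunk.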
diff --git a/gitian/versions b/gitian/versions
index 58870ef..7ecf6be 100755
--- a/gitian/versions
+++ b/gitian/versions
@@ -24,6 +24,13 @@ PDFJS_PACKAGE=addon-352704-latest.xpi
 TOOLCHAIN4_PACKAGE=multiarch-darwin11-cctools127.2-gcc42-5666.3-llvmgcc42-2336.1-Linux-120724.tar.xz
 OSXSDK_PACKAGE=apple-uni-sdk-10.6_20110407-0.flosoft1_i386.deb
 
+# Hashes for things with weak sigs or no sigs
+OPENSSL_HASH=f74f15e8c8ff11aa3d5bb5f276d202ec18d7246e95f961db76054199c69c1ae3
+OSXSDK_HASH=6602d8d5ddb371fbc02e2a5967d9bd0cd7358d46f9417753c8234b923f2ea6fc
+TOOLCHAIN4_HASH=65c1b2d302358a6b95a26c6828a66908a199276193bb0b268f2dcc1a997731e9
+NOSCRIPT_HASH=6d5d50dea791dd52caf41ea28199743591776ecd7dd88bcccfcfb7e8de32386d
+PDFJS_HASH=2e3e6811f5294b24aafeba44e8206ddc81fb15e5934e5166a2c7df3a4405020b
+
 OPENSSL_URL=https://www.openssl.org/source/${OPENSSL_PACKAGE}
 TOOLCHAIN4_URL=https://mingw-and-ndk.googlecode.com/files/${TOOLCHAIN4_PACKAGE}
 OSXSDK_URL=https://launchpad.net/~flosoft/+archive/cross-apple/+files/${OSXSDK_PACKAGE}
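Review bot: The new `*_HASH` block does not say which digest algorithm these are or that fetch-inputs.sh consumes them, and for NOSCRIPT and PDFJS the package names end in `-latest.xpi` and are fetched from addons.mozilla.org "latest" URLs, so those two digests go stale as soon as upstream publishes a new add-on version. I would extend the comment: `# SHA-256 digests checked by fetch-inputs.sh via sha256sum -c.` followed by `# NOSCRIPT and PDFJS are fetched from "latest" URLs, so refresh their digests whenever the add-on is updated.` Recording where each digest was taken from (mirror versus upstream) on a further line would make the pins auditable later.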


