From: Philipp Zabel <p.zabel@pengutronix.de>
To: ptxdist@pengutronix.de
Cc: Philipp Zabel <p.zabel@pengutronix.de>
Subject: [ptxdist] [PATCH 3/4] scripts: add package sha256sum support
Date: Mon, 27 Apr 2026 16:28:47 +0200 [thread overview]
Message-ID: <20260427142848.989702-4-p.zabel@pengutronix.de> (raw)
In-Reply-To: <20260427142848.989702-1-p.zabel@pengutronix.de>
Add support for <PKG>_SHA256 variables as an alternative to <PKG>_MD5,
using sha256sum to check source packages. Plumb SHA256 package checksum
through reporting and add ptx/config-sha256 for packages with checksums
in PTXCONF.
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
---
configure.ac | 1 +
doc/ref_make_variables.rst | 9 +++++++++
rules/post/ptxd_make_world_common.make | 2 ++
rules/post/ptxd_make_world_get.make | 2 +-
rules/pre/000-option-disabled.make | 16 ++++++++++++++++
scripts/lib/ptxd_lib_dgen.awk | 1 +
scripts/lib/ptxd_make_check_src.sh | 8 +++++++-
scripts/lib/ptxd_make_world_check_src.sh | 7 +++++++
scripts/lib/ptxd_make_world_get.sh | 10 +++++++---
scripts/lib/ptxd_make_world_license.sh | 3 +++
scripts/lib/ptxd_make_world_package_info.sh | 1 +
scripts/lib/ptxd_make_world_report.sh | 6 ++++++
12 files changed, 61 insertions(+), 5 deletions(-)
diff --git a/configure.ac b/configure.ac
index 37a0c4bd6c7c..c6ad34fa647b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -159,6 +159,7 @@ GNU_TOOL(readlink, coreutils)
GNU_TOOL(realpath, coreutils)
GNU_TOOL(rm, coreutils)
GNU_TOOL(rmdir, coreutils)
+GNU_TOOL(sha256sum, coreutils)
GNU_TOOL(sort, coreutils)
GNU_TOOL(stat, coreutils)
GNU_TOOL(touch, coreutils)
diff --git a/doc/ref_make_variables.rst b/doc/ref_make_variables.rst
index 64cc343660cf..f965a1b38c50 100644
--- a/doc/ref_make_variables.rst
+++ b/doc/ref_make_variables.rst
@@ -158,6 +158,15 @@ Package Definition
new version. This check helps to ensure that all developers work with the
same source code.
+ This is the legacy alternative to ``<PKG>_SHA256``.
+
+``<PKG>_SHA256``
+ The sha256 checksum of the source archive. PTXdist calculates the checksum
+ before extracting the archive and will abort if does not match. Upstream
+ project occasionally change the content of an archive without releasing a
+ new version. This check helps to ensure that all developers work with the
+ same source code.
+
``<PKG>_SUFFIX``
The archive suffix without the leading '.', e.g. 'tar.gz' or 'zip'. This
is only used locally to define ``<PKG>_URL`` and ``<PKG>_SOURCE``.
diff --git a/rules/post/ptxd_make_world_common.make b/rules/post/ptxd_make_world_common.make
index 30cc555d86ad..4368a5843fd3 100644
--- a/rules/post/ptxd_make_world_common.make
+++ b/rules/post/ptxd_make_world_common.make
@@ -95,6 +95,8 @@ world/env/impl = \
pkg_srcs="$(call ptx/escape,$($(1)_SOURCES))" \
pkg_md5s="$(call ptx/escape,$(foreach s,$($(1)_PARTS),$($(s)_MD5):))" \
pkg_md5="$(call ptx/escape,$($(1)_MD5))" \
+ pkg_sha256s="$(call ptx/escape,$(foreach s,$($(1)_PARTS),$($(s)_SHA256):))" \
+ pkg_sha256="$(call ptx/escape,$($(1)_SHA256))" \
pkg_url="$(call ptx/escape,$($(1)_URL))" \
pkg_cfghash="$(call ptx/escape,$($(1)_CFGHASH))" \
pkg_srchash="$(call ptx/escape,$($(1)_EXTRACT_CFGHASH))" \
diff --git a/rules/post/ptxd_make_world_get.make b/rules/post/ptxd_make_world_get.make
index 92dd8a44d8c0..007af2a525a4 100644
--- a/rules/post/ptxd_make_world_get.make
+++ b/rules/post/ptxd_make_world_get.make
@@ -58,7 +58,7 @@ get = \
ptxd_make_get "$($(strip $(1))_SOURCE)" "$($(strip $(1))_URL)"
check_src = \
- ptxd_make_check_src "$($(strip $(1))_SOURCE)" "$($(strip $(1))_MD5)"
+ ptxd_make_check_src "$($(strip $(1))_SOURCE)" "$($(strip $(1))_MD5)" "$($(strip $(1))_SHA256)"
getdev = \
ptxd_make_get_nofail=y \
diff --git a/rules/pre/000-option-disabled.make b/rules/pre/000-option-disabled.make
index 9a068b39ce83..646b949a6af9 100644
--- a/rules/pre/000-option-disabled.make
+++ b/rules/pre/000-option-disabled.make
@@ -197,4 +197,20 @@ define ptx/config-md5
$(call ptx/config-foo,$(strip $(1)),$(if $(strip $(2)),$(strip $(2))_MD5,$(strip $(1))_MD5),$(PTXCONF_SETUP_CHECK))
endef
+
+#
+# $(call ptx/config-sha256, PTXCONF_SYMBOL,PTXCONF_SYMBOL2) returns:
+# - if PTXCONF_SYMBOL is defined:
+# - $(PTXCONF_SYMBOL2_SHA256) without quotes if it's not empty
+# - fails with an error otherwise
+# - 'undefined if PTXCONF_SYMBOL is not defined
+# If PTXCONF_SYMBOL2 is empty then PTXCONF_SYMBOL_SHA256 is used instead.
+#
+# This makes it easy to ensure, that the sha256 sum of a package is defined if
+# the package is enabled.
+#
+define ptx/config-sha256
+$(call ptx/config-foo,$(strip $(1)),$(if $(strip $(2)),$(strip $(2))_SHA256,$(strip $(1))_SHA256),$(PTXCONF_SETUP_CHECK))
+endef
+
# vim: syntax=make
diff --git a/scripts/lib/ptxd_lib_dgen.awk b/scripts/lib/ptxd_lib_dgen.awk
index 2292741eb432..635fe5a22221 100644
--- a/scripts/lib/ptxd_lib_dgen.awk
+++ b/scripts/lib/ptxd_lib_dgen.awk
@@ -441,6 +441,7 @@ function write_vars_pkg_all(this_PKG, this_pkg, prefix, dir_prefix) {
print this_PKG " = " dir_prefix "$(" target_PKG ")" > DGEN_DEPS_PRE;
print this_PKG "_VERSION = $(" target_PKG "_VERSION)" > DGEN_DEPS_PRE;
print this_PKG "_MD5 = $(" target_PKG "_MD5)" > DGEN_DEPS_PRE;
+ print this_PKG "_SHA256 = $(" target_PKG "_SHA256)" > DGEN_DEPS_PRE;
print this_PKG "_SOURCE = $(" target_PKG "_SOURCE)" > DGEN_DEPS_PRE;
print this_PKG "_URL = $(" target_PKG "_URL)" > DGEN_DEPS_PRE;
print this_PKG "_DIR = $(addprefix $(" PREFIX \
diff --git a/scripts/lib/ptxd_make_check_src.sh b/scripts/lib/ptxd_make_check_src.sh
index 2a25fdcb96cf..70e20e072ae5 100644
--- a/scripts/lib/ptxd_make_check_src.sh
+++ b/scripts/lib/ptxd_make_check_src.sh
@@ -9,11 +9,14 @@
#
# $1: filename of the source archive to check
# $2: md5sum of the source archive to check
+# $3: sha256sum of the source archive to check
#
ptxd_make_check_src_impl() {
local src="${1}"
local md5="${2}"
+ local sha256="${3}"
local md5sum
+ local sha256sum
if [ -z "${src}" ]; then
ptxd_bailout "ptxd_make_check_src called without source file."
@@ -41,6 +44,9 @@ ptxd_make_check_src_impl() {
for md5sum in ${md5}; do
echo "${md5sum} ${src}" | md5sum --check > /dev/null 2>&1 && return
done
+ for sha256sum in ${sha256}; do
+ echo "${sha256sum} ${src}" | sha256sum --check > /dev/null 2>&1 && return
+ done
return 1
}
export -f ptxd_make_check_src_impl
@@ -51,7 +57,7 @@ export -f ptxd_make_check_src_impl
ptxd_make_check_src() {
ptxd_make_check_src_impl "$@" && return
- if [ -z "${2}" ]; then
+ if [ -z "${2}" -a -z "${3}" ]; then
ptxd_bailout "Checksum for '${1}' missing."
else
ptxd_bailout "Wrong checksum for '${1}'"
diff --git a/scripts/lib/ptxd_make_world_check_src.sh b/scripts/lib/ptxd_make_world_check_src.sh
index 044b1872fd0c..cb368c1932dd 100644
--- a/scripts/lib/ptxd_make_world_check_src.sh
+++ b/scripts/lib/ptxd_make_world_check_src.sh
@@ -60,3 +60,10 @@ ptxd_make_world_update_md5() {
ptxd_make_world_update_checksum md5sum MD5
}
export -f ptxd_make_world_update_md5
+
+# try to update the sha256sum of the current package
+# this only works if the makefile contains a "<PKG>_SHA256 := ..." line.
+ptxd_make_world_update_sha256() {
+ ptxd_make_world_update_checksum sha256sum SHA256
+}
+export -f ptxd_make_world_update_sha256
diff --git a/scripts/lib/ptxd_make_world_get.sh b/scripts/lib/ptxd_make_world_get.sh
index 8c0bb0546150..da7400bff3cb 100644
--- a/scripts/lib/ptxd_make_world_get.sh
+++ b/scripts/lib/ptxd_make_world_get.sh
@@ -22,11 +22,15 @@ ptxd_make_world_get() {
if [ -n "${pkg_src}" ]; then
ptxd_make_get "${pkg_src}" "${pkg_url}" &&
- ptxd_make_check_src_impl "${pkg_src}" "${pkg_md5}" && return
+ ptxd_make_check_src_impl "${pkg_src}" "${pkg_md5}" "${pkg_sha256}" && return
if [ "${PTXCONF_SETUP_CHECK}" = "update" ]; then
- ptxd_make_world_update_md5
- elif [ -z "${pkg_md5}" ]; then
+ if [ -z "${pkg_sha256}" ]; then
+ ptxd_make_world_update_md5
+ else
+ ptxd_make_world_update_sha256
+ fi
+ elif [ -z "${pkg_md5}" ] && [ -z "${pkg_sha256}" ]; then
ptxd_bailout "Checksum for '${pkg_label}' (${pkg_src}) missing."
else
ptxd_bailout "Wrong checksum for '${pkg_label}' (${pkg_src})"
diff --git a/scripts/lib/ptxd_make_world_license.sh b/scripts/lib/ptxd_make_world_license.sh
index 5aa416672d14..6e9d13fea452 100644
--- a/scripts/lib/ptxd_make_world_license.sh
+++ b/scripts/lib/ptxd_make_world_license.sh
@@ -125,6 +125,7 @@ ptxd_make_world_license_write() {
local pkg_chapter="$(ptxd_make_latex_escape ${pkg_label})"
local packages_url="${pkg_url}"
local packages_md5="${pkg_md5}"
+ local packages_sha256="${pkg_sha256}"
local -a flags=( "${!pkg_license_flags[@]}" )
local -a index=( "${!pkg_license_flags[@]}" )
flags=( "${flags[@]/#/\\nameref${brl}}" )
@@ -139,6 +140,7 @@ ptxd_make_world_license_write() {
pkg_chapter="${pkg_chapter} *** Proprietary License!"
packages_url="*not available*"
packages_md5="*not available*"
+ packages_sha256="*not available*"
;;
*unknown*)
pkg_chapter="${pkg_chapter} *** Unknown License!"
@@ -160,6 +162,7 @@ ptxd_make_world_license_write() {
\item[Flags:] $(ptxd_make_latex_escape "${flags[*]}")
\item[URL:] \begin{flushleft}$(ptxd_make_latex_escape "${packages_url}")\end{flushleft}
\item[MD5:] {\ttfamily ${packages_md5}}
+ \item[SHA256:] {\ttfamily ${packages_sha256}}
\fi
\end{description}
EOF
diff --git a/scripts/lib/ptxd_make_world_package_info.sh b/scripts/lib/ptxd_make_world_package_info.sh
index 46e104d25ffe..1d94e9139bd6 100644
--- a/scripts/lib/ptxd_make_world_package_info.sh
+++ b/scripts/lib/ptxd_make_world_package_info.sh
@@ -54,6 +54,7 @@ ptxd_make_world_package_info() {
do_echo "source:" "$(ptxd_print_path "${pkg_src}")"
do_echo "md5:" "${pkg_md5}"
+ do_echo "sha256:" "${pkg_sha256}"
do_echo "url:" "${pkg_url}"
do_echo "${pkg_src}${pkg_url}"
diff --git a/scripts/lib/ptxd_make_world_report.sh b/scripts/lib/ptxd_make_world_report.sh
index 3cb4eb0f93e8..1f3ea9e0d365 100644
--- a/scripts/lib/ptxd_make_world_report.sh
+++ b/scripts/lib/ptxd_make_world_report.sh
@@ -63,6 +63,7 @@ ptxd_make_world_report_yaml_fragment() {
do_echo " version:" "${pkg_version}"
do_list " url:" "${pkg_url}"
do_echo " md5:" "${pkg_md5}"
+ do_echo " sha256:" "${pkg_sha256}"
do_echo " source:" "${pkg_src}"
do_list " cve-product:" "${pkg_cve_product}"
do_echo " cve-version:" "${pkg_cve_version}"
@@ -96,11 +97,16 @@ ptxd_make_world_report_yaml() {
do_echo "version:" "${pkg_version}"
do_list "url:" "${pkg_url}"
do_echo "md5:" "${pkg_md5}"
+ do_echo "sha256:" "${pkg_sha256}"
do_echo "source:" "${pkg_src}"
if [ -n "${pkg_md5s}" -a "${pkg_md5s}" != ":" ]; then
echo "md5s:"
awk "BEGIN { RS=\" *:\\\\s*\"; FS=\":\" } { if (\$1) print \"- '\" \$1 \"'\" }" <<<"${pkg_md5s}"
fi
+ if [ -n "${pkg_sha256s}" -a "${pkg_sha256s}" != ":" ]; then
+ echo "sha256s:"
+ awk "BEGIN { RS=\" *:\\\\s*\"; FS=\":\" } { if (\$1) print \"- '\" \$1 \"'\" }" <<<"${pkg_sha256s}"
+ fi
do_list "sources:" "${pkg_srcs}"
if [ -e "${tmp_report}" ]; then
echo "source-packages:"
--
2.47.3
next prev parent reply other threads:[~2026-04-27 14:29 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-27 14:28 [ptxdist] [PATCH 0/4] Add SHA256 package checksum support Philipp Zabel
2026-04-27 14:28 ` [ptxdist] [PATCH 1/4] scripts: make checksum messages hash algorithm agnostic Philipp Zabel
2026-04-27 14:28 ` [ptxdist] [PATCH 2/4] scripts: make checksum update " Philipp Zabel
2026-04-27 14:28 ` Philipp Zabel [this message]
2026-04-27 14:28 ` [ptxdist] [PATCH 4/4] ptxdist: add --update-checksum option Philipp Zabel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260427142848.989702-4-p.zabel@pengutronix.de \
--to=p.zabel@pengutronix.de \
--cc=ptxdist@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox