From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Mon, 27 Apr 2026 16:29:14 +0200 Received: from metis.whiteo.stw.pengutronix.de ([2a0a:edc0:2:b01:1d::104]) by lore.white.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wHMxW-00GygL-1o for lore@lore.pengutronix.de; Mon, 27 Apr 2026 16:29:14 +0200 Received: from [127.0.0.1] (helo=metis.whiteo.stw.pengutronix.de) by metis.whiteo.stw.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1wHMxW-0002je-CQ; Mon, 27 Apr 2026 16:29:14 +0200 Received: from dude05.red.stw.pengutronix.de ([2a0a:edc0:0:1101:1d::54]) by metis.whiteo.stw.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1wHMxF-0002RM-8p; Mon, 27 Apr 2026 16:28:57 +0200 From: Philipp Zabel To: ptxdist@pengutronix.de Date: Mon, 27 Apr 2026 16:28:47 +0200 Message-ID: <20260427142848.989702-4-p.zabel@pengutronix.de> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260427142848.989702-1-p.zabel@pengutronix.de> References: <20260427142848.989702-1-p.zabel@pengutronix.de> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [ptxdist] [PATCH 3/4] scripts: add package sha256sum support X-BeenThere: ptxdist@pengutronix.de X-Mailman-Version: 2.1.29 Precedence: list List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Cc: Philipp Zabel Sender: "ptxdist" X-SA-Exim-Connect-IP: 127.0.0.1 X-SA-Exim-Mail-From: ptxdist-bounces@pengutronix.de X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false Add support for _SHA256 variables as an alternative to _MD5, using sha256sum to check source packages. Plumb SHA256 package checksum through reporting and add ptx/config-sha256 for packages with checksums in PTXCONF. 
Signed-off-by: Philipp Zabel --- configure.ac | 1 + doc/ref_make_variables.rst | 9 +++++++++ rules/post/ptxd_make_world_common.make | 2 ++ rules/post/ptxd_make_world_get.make | 2 +- rules/pre/000-option-disabled.make | 16 ++++++++++++++++ scripts/lib/ptxd_lib_dgen.awk | 1 + scripts/lib/ptxd_make_check_src.sh | 8 +++++++- scripts/lib/ptxd_make_world_check_src.sh | 7 +++++++ scripts/lib/ptxd_make_world_get.sh | 10 +++++++--- scripts/lib/ptxd_make_world_license.sh | 3 +++ scripts/lib/ptxd_make_world_package_info.sh | 1 + scripts/lib/ptxd_make_world_report.sh | 6 ++++++ 12 files changed, 61 insertions(+), 5 deletions(-) diff --git a/configure.ac b/configure.ac index 37a0c4bd6c7c..c6ad34fa647b 100644 --- a/configure.ac +++ b/configure.ac @@ -159,6 +159,7 @@ GNU_TOOL(readlink, coreutils) GNU_TOOL(realpath, coreutils) GNU_TOOL(rm, coreutils) GNU_TOOL(rmdir, coreutils) +GNU_TOOL(sha256sum, coreutils) GNU_TOOL(sort, coreutils) GNU_TOOL(stat, coreutils) GNU_TOOL(touch, coreutils) diff --git a/doc/ref_make_variables.rst b/doc/ref_make_variables.rst index 64cc343660cf..f965a1b38c50 100644 --- a/doc/ref_make_variables.rst +++ b/doc/ref_make_variables.rst @@ -158,6 +158,15 @@ Package Definition new version. This check helps to ensure that all developers work with the same source code. + This is the legacy alternative to ``_SHA256``. + +``_SHA256`` + The sha256 checksum of the source archive. PTXdist calculates the checksum + before extracting the archive and will abort if does not match. Upstream + project occasionally change the content of an archive without releasing a + new version. This check helps to ensure that all developers work with the + same source code. + ``_SUFFIX`` The archive suffix without the leading '.', e.g. 'tar.gz' or 'zip'. This is only used locally to define ``_URL`` and ``_SOURCE``. diff --git a/rules/post/ptxd_make_world_common.make b/rules/post/ptxd_make_world_common.make index 30cc555d86ad..4368a5843fd3 100644 
--- a/rules/post/ptxd_make_world_common.make +++ b/rules/post/ptxd_make_world_common.make @@ -95,6 +95,8 @@ world/env/impl = \ pkg_srcs="$(call ptx/escape,$($(1)_SOURCES))" \ pkg_md5s="$(call ptx/escape,$(foreach s,$($(1)_PARTS),$($(s)_MD5):))" \ pkg_md5="$(call ptx/escape,$($(1)_MD5))" \ + pkg_sha256s="$(call ptx/escape,$(foreach s,$($(1)_PARTS),$($(s)_SHA256):))" \ + pkg_sha256="$(call ptx/escape,$($(1)_SHA256))" \ pkg_url="$(call ptx/escape,$($(1)_URL))" \ pkg_cfghash="$(call ptx/escape,$($(1)_CFGHASH))" \ pkg_srchash="$(call ptx/escape,$($(1)_EXTRACT_CFGHASH))" \ diff --git a/rules/post/ptxd_make_world_get.make b/rules/post/ptxd_make_world_get.make index 92dd8a44d8c0..007af2a525a4 100644 --- a/rules/post/ptxd_make_world_get.make +++ b/rules/post/ptxd_make_world_get.make @@ -58,7 +58,7 @@ get = \ ptxd_make_get "$($(strip $(1))_SOURCE)" "$($(strip $(1))_URL)" check_src = \ - ptxd_make_check_src "$($(strip $(1))_SOURCE)" "$($(strip $(1))_MD5)" + ptxd_make_check_src "$($(strip $(1))_SOURCE)" "$($(strip $(1))_MD5)" "$($(strip $(1))_SHA256)" getdev = \ ptxd_make_get_nofail=y \ diff --git a/rules/pre/000-option-disabled.make b/rules/pre/000-option-disabled.make index 9a068b39ce83..646b949a6af9 100644 --- a/rules/pre/000-option-disabled.make +++ b/rules/pre/000-option-disabled.make 
@@ -197,4 +197,20 @@ define ptx/config-md5 $(call ptx/config-foo,$(strip $(1)),$(if $(strip $(2)),$(strip $(2))_MD5,$(strip $(1))_MD5),$(PTXCONF_SETUP_CHECK)) endef + +# +# $(call ptx/config-sha256, PTXCONF_SYMBOL,PTXCONF_SYMBOL2) returns: +# - if PTXCONF_SYMBOL is defined: +# - $(PTXCONF_SYMBOL2_SHA256) without quotes if it's not empty +# - fails with an error otherwise +# - 'undefined if PTXCONF_SYMBOL is not defined +# If PTXCONF_SYMBOL2 is empty then PTXCONF_SYMBOL_SHA256 is used instead. +# +# This makes it easy to ensure, that the sha256 sum of a package is defined if +# the package is enabled. +# +define ptx/config-sha256 +$(call ptx/config-foo,$(strip $(1)),$(if $(strip $(2)),$(strip $(2))_SHA256,$(strip $(1))_SHA256),$(PTXCONF_SETUP_CHECK)) +endef + # vim: syntax=make diff --git a/scripts/lib/ptxd_lib_dgen.awk b/scripts/lib/ptxd_lib_dgen.awk index 2292741eb432..635fe5a22221 100644 --- a/scripts/lib/ptxd_lib_dgen.awk +++ b/scripts/lib/ptxd_lib_dgen.awk @@ -441,6 +441,7 @@ function write_vars_pkg_all(this_PKG, this_pkg, prefix, dir_prefix) { print this_PKG " = " dir_prefix "$(" target_PKG ")" > DGEN_DEPS_PRE; print this_PKG "_VERSION = $(" target_PKG "_VERSION)" > DGEN_DEPS_PRE; print this_PKG "_MD5 = $(" target_PKG "_MD5)" > DGEN_DEPS_PRE; + print this_PKG "_SHA256 = $(" target_PKG "_SHA256)" > DGEN_DEPS_PRE; print this_PKG "_SOURCE = $(" target_PKG "_SOURCE)" > DGEN_DEPS_PRE; print this_PKG "_URL = $(" target_PKG "_URL)" > DGEN_DEPS_PRE; print this_PKG "_DIR = $(addprefix $(" PREFIX \ diff --git a/scripts/lib/ptxd_make_check_src.sh b/scripts/lib/ptxd_make_check_src.sh index 2a25fdcb96cf..70e20e072ae5 100644 --- a/scripts/lib/ptxd_make_check_src.sh +++ b/scripts/lib/ptxd_make_check_src.sh 
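Review bot: The new comment block above `ptx/config-sha256` in rules/pre/000-option-disabled.make has an unbalanced quote in the line `# - 'undefined if PTXCONF_SYMBOL is not defined`, which makes the documented return value ambiguous. It should read `# - 'undefined' if PTXCONF_SYMBOL is not defined`. The comment could also say that the macro only checks that the value is non-empty, not that it is a well-formed 64-digit hex digest; that reading is inferred from the comment, since `ptx/config-foo` is defined outside this hunk.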
@@ -9,11 +9,14 @@ # # $1: filename of the source archive to check # $2: md5sum of the source archive to check +# $3: sha256sum of the source archive to check # ptxd_make_check_src_impl() { local src="${1}" local md5="${2}" + local sha256="${3}" local md5sum + local sha256sum if [ -z "${src}" ]; then ptxd_bailout "ptxd_make_check_src called without source file." @@ -41,6 +44,9 @@ ptxd_make_check_src_impl() { for md5sum in ${md5}; do echo "${md5sum} ${src}" | md5sum --check > /dev/null 2>&1 && return done + for sha256sum in ${sha256}; do + echo "${sha256sum} ${src}" | sha256sum --check > /dev/null 2>&1 && return + done return 1 } export -f ptxd_make_check_src_impl @@ -51,7 +57,7 @@ export -f ptxd_make_check_src_impl ptxd_make_check_src() { ptxd_make_check_src_impl "$@" && return - if [ -z "${2}" ]; then + if [ -z "${2}" -a -z "${3}" ]; then ptxd_bailout "Checksum for '${1}' missing." else ptxd_bailout "Wrong checksum for '${1}'" diff --git a/scripts/lib/ptxd_make_world_check_src.sh b/scripts/lib/ptxd_make_world_check_src.sh index 044b1872fd0c..cb368c1932dd 100644 --- a/scripts/lib/ptxd_make_world_check_src.sh +++ b/scripts/lib/ptxd_make_world_check_src.sh @@ -60,3 +60,10 @@ ptxd_make_world_update_md5() { ptxd_make_world_update_checksum md5sum MD5 } export -f ptxd_make_world_update_md5 + +# try to update the sha256sum of the current package +# this only works if the makefile contains a "_SHA256 := ..." line. +ptxd_make_world_update_sha256() { + ptxd_make_world_update_checksum sha256sum SHA256 +} +export -f ptxd_make_world_update_sha256 diff --git a/scripts/lib/ptxd_make_world_get.sh b/scripts/lib/ptxd_make_world_get.sh index 8c0bb0546150..da7400bff3cb 100644 --- a/scripts/lib/ptxd_make_world_get.sh +++ b/scripts/lib/ptxd_make_world_get.sh 
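Review bot: In scripts/lib/ptxd_make_check_src.sh, hunk `-41,6 +44,9`, the existing MD5 loop returns success before the new SHA256 loop is reached, so a package that sets both `_MD5` and `_SHA256` is still accepted on an MD5 match alone and a wrong SHA256 is never noticed. MD5 is not collision resistant, so the stronger digest should decide whenever it is configured. Checking SHA256 first and returning its result when `sha256` is non-empty, with MD5 only as the fallback for packages without a SHA256, closes that gap. The body of ptxd_make_check_src_impl starts above this hunk.

```shell
	# SHA256 is authoritative when configured; MD5 is only a fallback.
	if [ -n "${sha256}" ]; then
		for sha256sum in ${sha256}; do
			echo "${sha256sum}  ${src}" | sha256sum --check > /dev/null 2>&1 && return
		done
		return 1
	fi
	# ... unchanged: md5 loop ...
	return 1
```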
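Review bot: In scripts/lib/ptxd_make_check_src.sh, hunk `-51,7 +57,7`, the new condition `[ -z "${2}" -a -z "${3}" ]` uses the `-a` operator of `test`, which POSIX marks obsolescent and which the ptxd_make_world_get.sh hunk of this same patch avoids. Writing it as `if [ -z "${2}" ] && [ -z "${3}" ]; then` keeps the two files consistent. The "Wrong checksum" message in the else branch also does not say which digest was compared; naming the algorithm there would make a mismatch easier to triage.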
@@ -22,11 +22,15 @@ ptxd_make_world_get() { if [ -n "${pkg_src}" ]; then ptxd_make_get "${pkg_src}" "${pkg_url}" && - ptxd_make_check_src_impl "${pkg_src}" "${pkg_md5}" && return + ptxd_make_check_src_impl "${pkg_src}" "${pkg_md5}" "${pkg_sha256}" && return if [ "${PTXCONF_SETUP_CHECK}" = "update" ]; then - ptxd_make_world_update_md5 - elif [ -z "${pkg_md5}" ]; then + if [ -z "${pkg_sha256}" ]; then + ptxd_make_world_update_md5 + else + ptxd_make_world_update_sha256 + fi + elif [ -z "${pkg_md5}" ] && [ -z "${pkg_sha256}" ]; then ptxd_bailout "Checksum for '${pkg_label}' (${pkg_src}) missing." else ptxd_bailout "Wrong checksum for '${pkg_label}' (${pkg_src})" diff --git a/scripts/lib/ptxd_make_world_license.sh b/scripts/lib/ptxd_make_world_license.sh index 5aa416672d14..6e9d13fea452 100644 --- a/scripts/lib/ptxd_make_world_license.sh +++ b/scripts/lib/ptxd_make_world_license.sh @@ -125,6 +125,7 @@ ptxd_make_world_license_write() { local pkg_chapter="$(ptxd_make_latex_escape ${pkg_label})" local packages_url="${pkg_url}" local packages_md5="${pkg_md5}" + local packages_sha256="${pkg_sha256}" local -a flags=( "${!pkg_license_flags[@]}" ) local -a index=( "${!pkg_license_flags[@]}" ) flags=( "${flags[@]/#/\\nameref${brl}}" ) @@ -139,6 +140,7 @@ ptxd_make_world_license_write() { pkg_chapter="${pkg_chapter} *** Proprietary License!" packages_url="*not available*" packages_md5="*not available*" + packages_sha256="*not available*" ;; *unknown*) pkg_chapter="${pkg_chapter} *** Unknown License!" @@ -160,6 +162,7 @@ ptxd_make_world_license_write() { \item[Flags:] $(ptxd_make_latex_escape "${flags[*]}") \item[URL:] \begin{flushleft}$(ptxd_make_latex_escape "${packages_url}")\end{flushleft} \item[MD5:] {\ttfamily ${packages_md5}} + \item[SHA256:] {\ttfamily ${packages_sha256}} \fi \end{description} EOF diff --git a/scripts/lib/ptxd_make_world_package_info.sh b/scripts/lib/ptxd_make_world_package_info.sh index 46e104d25ffe..1d94e9139bd6 100644 
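Review bot: In scripts/lib/ptxd_make_world_get.sh, hunk `-22,11 +22,15`, the `update` branch refreshes only `_SHA256` when a package defines both digests, so the old `_MD5` value stays in the rule file. Because ptxd_make_check_src_impl accepts a match on either digest, that stale MD5 keeps validating the previous archive after an update. Updating every digest the package defines avoids this, for example `if [ -n "${pkg_sha256}" ]; then ptxd_make_world_update_sha256; fi` followed by `if [ -n "${pkg_md5}" ] || [ -z "${pkg_sha256}" ]; then ptxd_make_world_update_md5; fi`. This assumes ptxd_make_world_update_checksum returns to the caller, which is not visible here. The body of ptxd_make_world_get extends beyond this hunk.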
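Review bot: In scripts/lib/ptxd_make_world_license.sh, hunk `-160,6 +162,7`, `${packages_sha256}` is written into the LaTeX heredoc unescaped, while the URL and flags in the same block go through `ptxd_make_latex_escape`. The value comes from a rule-file variable, so a malformed entry would end up as raw LaTeX in the license report. `\item[SHA256:] {\ttfamily $(ptxd_make_latex_escape "${packages_sha256}")}` treats it like the neighbouring fields. The line also prints an empty `SHA256:` item for packages that only define `_MD5`; guarding it on a non-empty value would keep the report tidy.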
--- a/scripts/lib/ptxd_make_world_package_info.sh +++ b/scripts/lib/ptxd_make_world_package_info.sh @@ -54,6 +54,7 @@ ptxd_make_world_package_info() { do_echo "source:" "$(ptxd_print_path "${pkg_src}")" do_echo "md5:" "${pkg_md5}" + do_echo "sha256:" "${pkg_sha256}" do_echo "url:" "${pkg_url}" do_echo "${pkg_src}${pkg_url}" diff --git a/scripts/lib/ptxd_make_world_report.sh b/scripts/lib/ptxd_make_world_report.sh index 3cb4eb0f93e8..1f3ea9e0d365 100644 --- a/scripts/lib/ptxd_make_world_report.sh +++ b/scripts/lib/ptxd_make_world_report.sh @@ -63,6 +63,7 @@ ptxd_make_world_report_yaml_fragment() { do_echo " version:" "${pkg_version}" do_list " url:" "${pkg_url}" do_echo " md5:" "${pkg_md5}" + do_echo " sha256:" "${pkg_sha256}" do_echo " source:" "${pkg_src}" do_list " cve-product:" "${pkg_cve_product}" do_echo " cve-version:" "${pkg_cve_version}" @@ -96,11 +97,16 @@ ptxd_make_world_report_yaml() { do_echo "version:" "${pkg_version}" do_list "url:" "${pkg_url}" do_echo "md5:" "${pkg_md5}" + do_echo "sha256:" "${pkg_sha256}" do_echo "source:" "${pkg_src}" if [ -n "${pkg_md5s}" -a "${pkg_md5s}" != ":" ]; then echo "md5s:" awk "BEGIN { RS=\" *:\\\\s*\"; FS=\":\" } { if (\$1) print \"- '\" \$1 \"'\" }" <<<"${pkg_md5s}" fi + if [ -n "${pkg_sha256s}" -a "${pkg_sha256s}" != ":" ]; then + echo "sha256s:" + awk "BEGIN { RS=\" *:\\\\s*\"; FS=\":\" } { if (\$1) print \"- '\" \$1 \"'\" }" <<<"${pkg_sha256s}" + fi do_list "sources:" "${pkg_srcs}" if [ -e "${tmp_report}" ]; then echo "source-packages:" -- 2.47.3
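Review bot: In scripts/lib/ptxd_make_world_report.sh, hunk `-96,11 +97,16`, the `sha256s:` list can no longer be matched by position against `sources:` once a package mixes parts with `_MD5` and parts with `_SHA256`, because the awk filter `if ($1)` skips empty entries. The same then holds for `md5s:`, and a report consumer cannot tell which digest belongs to which source archive. Emitting a placeholder such as `- ''` for a part without that digest would keep the lists aligned; failing that, a comment such as `# md5s/sha256s omit parts without that digest and are not index-aligned with sources` documents the limitation. The hashes are also written between single quotes without YAML escaping, which is harmless for hex digests but relies on the rule-file value being well formed.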