From 51768ad4c39f8060d7e3a4a71dc7b4c627fd9702 Mon Sep 17 00:00:00 2001 From: ioraff Date: Wed, 28 Sep 2022 19:15:17 +0200 Subject: [PATCH] kiss: switch to blake3 checksums (#72) As discussed in kiss-community/repo#100 and #39, we seem to be in favor of switching to blake3. The following changes are made: - All newly generated checksums are blake3 - The user is prompted to generate blake3 checksums if sha256 sums are present (maybe this should be automatic) - For installed packages, we can fall back to sha256 to check etcsums This includes a name change of the `checksums` and `etcsums` files -- I'm not sure of any better way to detect whether sha256 sums are in use, as blake3 sums are the same length. Feedback is appreciated Co-authored-by: Owen Rafferty Reviewed-on: https://codeberg.org/kiss-community/kiss/pulls/72 --- kiss | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 59 insertions(+), 8 deletions(-) diff --git a/kiss b/kiss index 0e59317..78d3a56 100755 --- a/kiss +++ b/kiss @@ -198,6 +198,41 @@ decompress() { esac < "$1" } +b3() { + # Higher level blake3 function which filters out non-existent + # files (and also directories). + for f do shift + [ -d "$f" ] || [ ! -e "$f" ] || set -- "$@" "$f" + done + + _b3 "$@" +} + +_b3() { + unset hash + + # Skip generation if no arguments. + ! equ "$#" 0 || return 0 + + IFS=$newline + + # Generate checksums for all input files. This is a single + # call to the utility rather than one per file. + # + # The length of the checksum is set to 33 bytes to + # differentiate it from sha256 checksums. + _hash=$("$cmd_b3" -l 33 "$@") || die "Failed to generate checksums" + + # Strip the filename from each element. + # ' ?' -> '' + for sum in $_hash; do + hash=$hash${hash:+"$newline"}${sum%% *} + done + + printf '%s\n' "$hash" + unset IFS +} + sh256() { # Higher level sh256 function which filters out non-existent # files (and also directories). @@ -896,7 +931,7 @@ pkg_etcsums() { set -- "$pkg_dir/$repo_name/$etc" "$@" esac done < manifest - sh256 "$@" > etcsums + b3 "$@" > etcsums } pkg_tar() { @@ -1125,7 +1160,7 @@ pkg_checksum_gen() { esac done < "$repo_dir/sources" - _sh256 "$@" + _b3 "$@" } pkg_verify() { @@ -1145,6 +1180,13 @@ pkg_verify() { # Check that the first column (separated by whitespace) match in both # checksum files. If any part of either file differs, mismatch. Abort. null "$1" || while read -r chk _ || ok "$1"; do + equ "${#chk}" 64 && { + log "$repo_name" "Detected sha256 checksums." ERROR + log "blake3 is the new checksum provider for kiss. Please run" + log "'kiss checksum $repo_name' to regenerate the checksums file." + return 1 + } + printf '%s\n%s\n' "- ${chk:-missing}" "+ ${1:-no source}" equ "$1-${chk:-null}" "$chk-$1" || @@ -1378,10 +1420,13 @@ pkg_remove_files() { # functions allows us to stop duplicating code. while read -r file; do case $file in /etc/?*[!/]) - sh256 "$KISS_ROOT/$file" >/dev/null - read -r sum_pkg <&3 ||: + case "${#sum_pkg}" in + 64) sh256 "$KISS_ROOT/$file" >/dev/null ;; + 66) b3 "$KISS_ROOT/$file" >/dev/null ;; + esac + equ "$hash" "$sum_pkg" || { printf 'Skipping %s (modified)\n' "$file" continue @@ -1413,13 +1458,16 @@ pkg_remove_files() { } pkg_etc() { - sh256 "$tar_dir/$_pkg$file" "$KISS_ROOT$file" >/dev/null + read -r sum_old <&3 2>/dev/null ||: + + case "${#sum_old}" in + 64) sh256 "$tar_dir/$_pkg$file" "$KISS_ROOT$file" >/dev/null ;; + 66) b3 "$tar_dir/$_pkg$file" "$KISS_ROOT$file" >/dev/null ;; + esac sum_new=${hash%%"$newline"*} sum_sys=${hash#*"$newline"} - read -r sum_old <&3 2>/dev/null ||: - # Compare the three checksums to determine what to do. case ${sum_old:-null}${sum_sys:-null}${sum_new} in # old = Y, sys = X, new = Y @@ -2040,6 +2088,9 @@ main() { command -v llvm-readelf )"} || cmd_elf=ldd + # b3sum is, for now, the only supported blake3 digest utility. + cmd_b3=b3sum + # Figure out which sha256 utility is available. cmd_sha=${KISS_CHK:-"$( command -v openssl || @@ -2047,7 +2098,7 @@ main() { command -v sha256 || command -v shasum || command -v digest - )"} || die "No sha256 utility found" + )"} || war "No sha256 utility found" # Figure out which download utility is available. cmd_get=${KISS_GET:-"$(