kiss: switch to blake3 checksums (#72)
As discussed in kiss-community/repo#100 and #39, we seem to be in favor of switching to blake3. The following changes are made: - All newly generated checksums are blake3 - The user is prompted to generate blake3 checksums if sha256 sums are present (maybe this should be automatic) - For installed packages, we can fall back to sha256 to check etcsums This includes a name change of the `checksums` and `etcsums` files -- I'm not sure of any better way to detect whether sha256 sums are in use, as blake3 sums are the same length. Feedback is appreciated Co-authored-by: Owen Rafferty <owen@owenrafferty.com> Reviewed-on: https://codeberg.org/kiss-community/kiss/pulls/72
This commit is contained in:
parent
d31dcf585e
commit
51768ad4c3
67
kiss
67
kiss
@ -198,6 +198,41 @@ decompress() {
|
|||||||
esac < "$1"
|
esac < "$1"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
b3() {
|
||||||
|
# Higher level blake3 function which filters out non-existent
|
||||||
|
# files (and also directories).
|
||||||
|
for f do shift
|
||||||
|
[ -d "$f" ] || [ ! -e "$f" ] || set -- "$@" "$f"
|
||||||
|
done
|
||||||
|
|
||||||
|
_b3 "$@"
|
||||||
|
}
|
||||||
|
|
||||||
|
_b3() {
|
||||||
|
unset hash
|
||||||
|
|
||||||
|
# Skip generation if no arguments.
|
||||||
|
! equ "$#" 0 || return 0
|
||||||
|
|
||||||
|
IFS=$newline
|
||||||
|
|
||||||
|
# Generate checksums for all input files. This is a single
|
||||||
|
# call to the utility rather than one per file.
|
||||||
|
#
|
||||||
|
# The length of the checksum is set to 33 bytes to
|
||||||
|
# differentiate it from sha256 checksums.
|
||||||
|
_hash=$("$cmd_b3" -l 33 "$@") || die "Failed to generate checksums"
|
||||||
|
|
||||||
|
# Strip the filename from each element.
|
||||||
|
# '<checksum> ?<file>' -> '<checksum>'
|
||||||
|
for sum in $_hash; do
|
||||||
|
hash=$hash${hash:+"$newline"}${sum%% *}
|
||||||
|
done
|
||||||
|
|
||||||
|
printf '%s\n' "$hash"
|
||||||
|
unset IFS
|
||||||
|
}
|
||||||
|
|
||||||
sh256() {
|
sh256() {
|
||||||
# Higher level sh256 function which filters out non-existent
|
# Higher level sh256 function which filters out non-existent
|
||||||
# files (and also directories).
|
# files (and also directories).
|
||||||
@ -896,7 +931,7 @@ pkg_etcsums() {
|
|||||||
set -- "$pkg_dir/$repo_name/$etc" "$@"
|
set -- "$pkg_dir/$repo_name/$etc" "$@"
|
||||||
esac done < manifest
|
esac done < manifest
|
||||||
|
|
||||||
sh256 "$@" > etcsums
|
b3 "$@" > etcsums
|
||||||
}
|
}
|
||||||
|
|
||||||
pkg_tar() {
|
pkg_tar() {
|
||||||
@ -1125,7 +1160,7 @@ pkg_checksum_gen() {
|
|||||||
esac
|
esac
|
||||||
done < "$repo_dir/sources"
|
done < "$repo_dir/sources"
|
||||||
|
|
||||||
_sh256 "$@"
|
_b3 "$@"
|
||||||
}
|
}
|
||||||
|
|
||||||
pkg_verify() {
|
pkg_verify() {
|
||||||
@ -1145,6 +1180,13 @@ pkg_verify() {
|
|||||||
# Check that the first column (separated by whitespace) match in both
|
# Check that the first column (separated by whitespace) match in both
|
||||||
# checksum files. If any part of either file differs, mismatch. Abort.
|
# checksum files. If any part of either file differs, mismatch. Abort.
|
||||||
null "$1" || while read -r chk _ || ok "$1"; do
|
null "$1" || while read -r chk _ || ok "$1"; do
|
||||||
|
equ "${#chk}" 64 && {
|
||||||
|
log "$repo_name" "Detected sha256 checksums." ERROR
|
||||||
|
log "blake3 is the new checksum provider for kiss. Please run"
|
||||||
|
log "'kiss checksum $repo_name' to regenerate the checksums file."
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
|
||||||
printf '%s\n%s\n' "- ${chk:-missing}" "+ ${1:-no source}"
|
printf '%s\n%s\n' "- ${chk:-missing}" "+ ${1:-no source}"
|
||||||
|
|
||||||
equ "$1-${chk:-null}" "$chk-$1" ||
|
equ "$1-${chk:-null}" "$chk-$1" ||
|
||||||
@ -1378,10 +1420,13 @@ pkg_remove_files() {
|
|||||||
# functions allows us to stop duplicating code.
|
# functions allows us to stop duplicating code.
|
||||||
while read -r file; do
|
while read -r file; do
|
||||||
case $file in /etc/?*[!/])
|
case $file in /etc/?*[!/])
|
||||||
sh256 "$KISS_ROOT/$file" >/dev/null
|
|
||||||
|
|
||||||
read -r sum_pkg <&3 ||:
|
read -r sum_pkg <&3 ||:
|
||||||
|
|
||||||
|
case "${#sum_pkg}" in
|
||||||
|
64) sh256 "$KISS_ROOT/$file" >/dev/null ;;
|
||||||
|
66) b3 "$KISS_ROOT/$file" >/dev/null ;;
|
||||||
|
esac
|
||||||
|
|
||||||
equ "$hash" "$sum_pkg" || {
|
equ "$hash" "$sum_pkg" || {
|
||||||
printf 'Skipping %s (modified)\n' "$file"
|
printf 'Skipping %s (modified)\n' "$file"
|
||||||
continue
|
continue
|
||||||
@ -1413,13 +1458,16 @@ pkg_remove_files() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
pkg_etc() {
|
pkg_etc() {
|
||||||
sh256 "$tar_dir/$_pkg$file" "$KISS_ROOT$file" >/dev/null
|
read -r sum_old <&3 2>/dev/null ||:
|
||||||
|
|
||||||
|
case "${#sum_old}" in
|
||||||
|
64) sh256 "$tar_dir/$_pkg$file" "$KISS_ROOT$file" >/dev/null ;;
|
||||||
|
66) b3 "$tar_dir/$_pkg$file" "$KISS_ROOT$file" >/dev/null ;;
|
||||||
|
esac
|
||||||
|
|
||||||
sum_new=${hash%%"$newline"*}
|
sum_new=${hash%%"$newline"*}
|
||||||
sum_sys=${hash#*"$newline"}
|
sum_sys=${hash#*"$newline"}
|
||||||
|
|
||||||
read -r sum_old <&3 2>/dev/null ||:
|
|
||||||
|
|
||||||
# Compare the three checksums to determine what to do.
|
# Compare the three checksums to determine what to do.
|
||||||
case ${sum_old:-null}${sum_sys:-null}${sum_new} in
|
case ${sum_old:-null}${sum_sys:-null}${sum_new} in
|
||||||
# old = Y, sys = X, new = Y
|
# old = Y, sys = X, new = Y
|
||||||
@ -2040,6 +2088,9 @@ main() {
|
|||||||
command -v llvm-readelf
|
command -v llvm-readelf
|
||||||
)"} || cmd_elf=ldd
|
)"} || cmd_elf=ldd
|
||||||
|
|
||||||
|
# b3sum is, for now, the only supported blake3 digest utility.
|
||||||
|
cmd_b3=b3sum
|
||||||
|
|
||||||
# Figure out which sha256 utility is available.
|
# Figure out which sha256 utility is available.
|
||||||
cmd_sha=${KISS_CHK:-"$(
|
cmd_sha=${KISS_CHK:-"$(
|
||||||
command -v openssl ||
|
command -v openssl ||
|
||||||
@ -2047,7 +2098,7 @@ main() {
|
|||||||
command -v sha256 ||
|
command -v sha256 ||
|
||||||
command -v shasum ||
|
command -v shasum ||
|
||||||
command -v digest
|
command -v digest
|
||||||
)"} || die "No sha256 utility found"
|
)"} || war "No sha256 utility found"
|
||||||
|
|
||||||
# Figure out which download utility is available.
|
# Figure out which download utility is available.
|
||||||
cmd_get=${KISS_GET:-"$(
|
cmd_get=${KISS_GET:-"$(
|
||||||
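Review bot: In pkg_etc (hunk -1413,13 +1458,16) the new `case "${#sum_old}" in` has branches only for 64 and 66, so when `read -r sum_old <&3 2>/dev/null ||:` yields an empty or otherwise-sized value no digest is generated and `sum_new`/`sum_sys` on the following lines are taken from whatever `$hash` still holds from the previous file, whereas the removed line ran `sh256` unconditionally and never had this gap. That stale value feeds the three-way compare that decides whether the file under /etc is replaced, so the blake3 call should be the default branch: `64) sh256 "$tar_dir/$_pkg$file" "$KISS_ROOT$file" >/dev/null ;;` followed by `*) b3 "$tar_dir/$_pkg$file" "$KISS_ROOT$file" >/dev/null ;;`. The same missing default applies to `case "${#sum_pkg}" in` in pkg_remove_files (hunk -1378,10 +1420,13), where a stale `$hash` would be compared against `$sum_pkg`. Separately, `cmd_b3=b3sum` in main is assigned without a `command -v` probe, so an absent b3sum only surfaces later as the generic `Failed to generate checksums` from `_b3`; a `command -v "$cmd_b3" >/dev/null || die "No blake3 utility found"` next to the sha256 probe would report it up front. pkg_etc, pkg_remove_files and main all extend outside their hunks.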
|