kiss: switch to blake3 checksums (#72)

As discussed in kiss-community/repo#100 and #39, we seem to be in favor of switching to blake3.

The following changes are made:
- All newly generated checksums are blake3
- The user is prompted to generate blake3 checksums if sha256 sums are present (maybe this should be automatic)
- For installed packages, we can fall back to sha256 to check etcsums

This includes a name change of the `checksums` and `etcsums` files -- I'm not sure of any better way to detect whether sha256 sums are in use, as blake3 sums are the same length.

Feedback is appreciated

Co-authored-by: Owen Rafferty <owen@owenrafferty.com>
Reviewed-on: https://codeberg.org/kiss-community/kiss/pulls/72
This commit is contained in:
ioraff 2022-09-28 19:15:17 +02:00
parent d31dcf585e
commit 51768ad4c3

67
kiss
View File

@ -198,6 +198,41 @@ decompress() {
esac < "$1" esac < "$1"
} }
b3() {
# Higher level blake3 function which filters out non-existent
# files (and also directories).
for f do shift
[ -d "$f" ] || [ ! -e "$f" ] || set -- "$@" "$f"
done
_b3 "$@"
}
_b3() {
unset hash
# Skip generation if no arguments.
! equ "$#" 0 || return 0
IFS=$newline
# Generate checksums for all input files. This is a single
# call to the utility rather than one per file.
#
# The length of the checksum is set to 33 bytes to
# differentiate it from sha256 checksums.
_hash=$("$cmd_b3" -l 33 "$@") || die "Failed to generate checksums"
# Strip the filename from each element.
# '<checksum> ?<file>' -> '<checksum>'
for sum in $_hash; do
hash=$hash${hash:+"$newline"}${sum%% *}
done
printf '%s\n' "$hash"
unset IFS
}
sh256() { sh256() {
# Higher level sh256 function which filters out non-existent # Higher level sh256 function which filters out non-existent
# files (and also directories). # files (and also directories).
@ -896,7 +931,7 @@ pkg_etcsums() {
set -- "$pkg_dir/$repo_name/$etc" "$@" set -- "$pkg_dir/$repo_name/$etc" "$@"
esac done < manifest esac done < manifest
sh256 "$@" > etcsums b3 "$@" > etcsums
} }
pkg_tar() { pkg_tar() {
@ -1125,7 +1160,7 @@ pkg_checksum_gen() {
esac esac
done < "$repo_dir/sources" done < "$repo_dir/sources"
_sh256 "$@" _b3 "$@"
} }
pkg_verify() { pkg_verify() {
@ -1145,6 +1180,13 @@ pkg_verify() {
# Check that the first column (separated by whitespace) match in both # Check that the first column (separated by whitespace) match in both
# checksum files. If any part of either file differs, mismatch. Abort. # checksum files. If any part of either file differs, mismatch. Abort.
null "$1" || while read -r chk _ || ok "$1"; do null "$1" || while read -r chk _ || ok "$1"; do
equ "${#chk}" 64 && {
log "$repo_name" "Detected sha256 checksums." ERROR
log "blake3 is the new checksum provider for kiss. Please run"
log "'kiss checksum $repo_name' to regenerate the checksums file."
return 1
}
printf '%s\n%s\n' "- ${chk:-missing}" "+ ${1:-no source}" printf '%s\n%s\n' "- ${chk:-missing}" "+ ${1:-no source}"
equ "$1-${chk:-null}" "$chk-$1" || equ "$1-${chk:-null}" "$chk-$1" ||
@ -1378,10 +1420,13 @@ pkg_remove_files() {
# functions allows us to stop duplicating code. # functions allows us to stop duplicating code.
while read -r file; do while read -r file; do
case $file in /etc/?*[!/]) case $file in /etc/?*[!/])
sh256 "$KISS_ROOT/$file" >/dev/null
read -r sum_pkg <&3 ||: read -r sum_pkg <&3 ||:
case "${#sum_pkg}" in
64) sh256 "$KISS_ROOT/$file" >/dev/null ;;
66) b3 "$KISS_ROOT/$file" >/dev/null ;;
esac
equ "$hash" "$sum_pkg" || { equ "$hash" "$sum_pkg" || {
printf 'Skipping %s (modified)\n' "$file" printf 'Skipping %s (modified)\n' "$file"
continue continue
@ -1413,13 +1458,16 @@ pkg_remove_files() {
} }
pkg_etc() { pkg_etc() {
sh256 "$tar_dir/$_pkg$file" "$KISS_ROOT$file" >/dev/null read -r sum_old <&3 2>/dev/null ||:
case "${#sum_old}" in
64) sh256 "$tar_dir/$_pkg$file" "$KISS_ROOT$file" >/dev/null ;;
66) b3 "$tar_dir/$_pkg$file" "$KISS_ROOT$file" >/dev/null ;;
esac
sum_new=${hash%%"$newline"*} sum_new=${hash%%"$newline"*}
sum_sys=${hash#*"$newline"} sum_sys=${hash#*"$newline"}
read -r sum_old <&3 2>/dev/null ||:
# Compare the three checksums to determine what to do. # Compare the three checksums to determine what to do.
case ${sum_old:-null}${sum_sys:-null}${sum_new} in case ${sum_old:-null}${sum_sys:-null}${sum_new} in
# old = Y, sys = X, new = Y # old = Y, sys = X, new = Y
@ -2040,6 +2088,9 @@ main() {
command -v llvm-readelf command -v llvm-readelf
)"} || cmd_elf=ldd )"} || cmd_elf=ldd
# b3sum is, for now, the only supported blake3 digest utility.
cmd_b3=b3sum
# Figure out which sha256 utility is available. # Figure out which sha256 utility is available.
cmd_sha=${KISS_CHK:-"$( cmd_sha=${KISS_CHK:-"$(
command -v openssl || command -v openssl ||
@ -2047,7 +2098,7 @@ main() {
command -v sha256 || command -v sha256 ||
command -v shasum || command -v shasum ||
command -v digest command -v digest
)"} || die "No sha256 utility found" )"} || war "No sha256 utility found"
# Figure out which download utility is available. # Figure out which download utility is available.
cmd_get=${KISS_GET:-"$( cmd_get=${KISS_GET:-"$(