05-30-2008, 08:33 PM
"Dan McGee"

Use openssl for checksum verification instead of *sum utilities

On Fri, May 30, 2008 at 2:52 PM, Sebastian Nowicki <sebnow@gmail.com> wrote:
> md5sum, sha1sum, etc, do not exist on BSD systems by default. Openssl is
> a good portable alternative, but it does not support sha256, sha384, or
> sha512. This also brings in a dependency for openssl.
>
> Signed-off-by: Sebastian Nowicki <sebnow@gmail.com>
> ---
> doc/makepkg.conf.5.txt | 2 +-
> etc/makepkg.conf.in | 2 +-
> scripts/makepkg.sh.in | 8 ++++----
> 3 files changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/doc/makepkg.conf.5.txt b/doc/makepkg.conf.5.txt
> index 113ad14..c662568 100644
> --- a/doc/makepkg.conf.5.txt
> +++ b/doc/makepkg.conf.5.txt
> @@ -126,7 +126,7 @@ Options
> **INTEGRITY_CHECK=(**check1 ...**)**::
> File integrity checks to use. Multiple checks may be specified; this
> affects both generation and checking. The current valid options are:
> - `md5`, `sha1`, `sha256`, `sha384`, and `sha512`.
> + `md5` and `sha1`.
>
> **DOC_DIRS=(**usr/{,share/}{info,doc} ...**)**::
> If "!docs" is specified in the OPTIONS array, this variable will
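Review bot: The replacement line that lists only `md5` and `sha1` drops sha256, sha384 and sha512 from the documented options, leaving the two weakest digests as the only choices. If the restriction exists only because of what the openssl binary is believed to accept, say so in the text, or keep the stronger algorithms documented and handle a missing tool at run time.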
> diff --git a/etc/makepkg.conf.in b/etc/makepkg.conf.in
> index 47ed0a4..62dc496 100644
> --- a/etc/makepkg.conf.in
> +++ b/etc/makepkg.conf.in
> @@ -69,7 +69,7 @@ BUILDENV=(fakeroot !distcc color !ccache !xdelta)
> #
> OPTIONS=(strip !docs libtool emptydirs zipman)
>
> -#-- File integrity checks to use. Valid: md5, sha1, sha256, sha384, sha512
> +#-- File integrity checks to use. Valid: md5, sha1
> INTEGRITY_CHECK=(md5)
> #-- Info and doc directories to remove (if option set correctly above)
> DOC_DIRS=(usr/{,share/}{info,doc,gtk-doc} opt/*/{info,doc,gtk-doc})
> diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
> index 6e2f1ad..aaf1ad6 100644
> --- a/scripts/makepkg.sh.in
> +++ b/scripts/makepkg.sh.in
> @@ -474,7 +474,7 @@ generate_checksums() {
> for integ in ${INTEGRITY_CHECK[@]}; do
> integ="$(echo $integ | tr [:upper:] [:lower:])"
> case "$integ" in
> - md5|sha1|sha256|sha384|sha512) : ;;
> + md5|sha1) : ;;
> *)
> error "$(gettext "Invalid integrity algorithm '%s' specified.")" "$integ"
> exit 1;; # $E_CONFIG_ERROR
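Review bot: Narrowing the case pattern to md5|sha1 means an INTEGRITY_CHECK array that lists sha256, sha384 or sha512 now falls into the *) branch and exits with "Invalid integrity algorithm". That turns a previously valid configuration into a hard error; consider keeping the full pattern and reporting an unavailable tool separately from an invalid algorithm name.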
> @@ -510,7 +510,7 @@ generate_checksums() {
> fi
> fi
>
> - local sum="$(${integ}sum "$file" | cut -d ' ' -f 1)"
> + local sum="$(openssl dgst -${integ} "$file" | awk '{print $2}')"
> [ $ct -gt 0 ] && echo -n "$indent"
> echo -n "'$sum'"
> ct=$(($ct+1))
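Review bot: awk '{print $2}' in the new sum= line assumes the digest is the second whitespace-separated field of the openssl dgst output, which only holds when "$file" contains no whitespace, because the file name is echoed back in front of the digest. Selecting the last field with awk '{print $NF}' does not depend on the file name.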
> @@ -526,7 +526,7 @@ check_checksums() {
> for integ in ${INTEGRITY_CHECK[@]}; do
> integ="$(echo $integ | tr [:upper:] [:lower:])"
> case "$integ" in
> - md5|sha1|sha256|sha384|sha512) : ;;
> + md5|sha1) : ;;
> *)
> error "$(gettext "Invalid integrity algorithm '%s' specified")" "$integ"
> exit 1;; # $E_CONFIG_ERROR
> @@ -557,7 +557,7 @@ check_checksums() {
> fi
> fi
>
> - if echo "${integrity_sums[$idx]} $file" | ${integ}sum --status -c - &>/dev/null; then
> + if [ "${integrity_sums[$idx]}" = "$(openssl dgst -${integ} "$file" | awk '{print $2}')" ]; then
> echo "$(gettext "Passed")" >&2
> else
> echo "$(gettext "FAILED")" >&2
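Review bot: The new [ ... = ... ] comparison succeeds when both sides are empty, so a missing entry in integrity_sums together with a failing openssl call would print "Passed". Check that the expected sum is non-empty and that openssl exited successfully before comparing the strings.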
> --
Ok, can we take a slightly different approach to this in order to not
reduce functionality? How about we check for the existence of the
${integ}sum programs first (or at least the one we need), and then
somehow fall back to the openssl binary if necessary? If we have an
array of sha256 sums, then we would spit a big warning saying we could
not verify these sums due to us not having a program to verify them.

Of course, I have no idea how easy this is, but I'm really against
losing functionality.

-Dan

_______________________________________________
pacman-dev mailing list
pacman-dev@archlinux.org
http://archlinux.org/mailman/listinfo/pacman-dev
 
05-31-2008, 06:34 AM
"Roman Kyrylych"

Use openssl for checksum verification instead of *sum utilities

2008/5/30 Dan McGee <dpmcgee@gmail.com>:
> On Fri, May 30, 2008 at 2:52 PM, Sebastian Nowicki <sebnow@gmail.com> wrote:
>> md5sum, sha1sum, etc, do not exist on BSD systems by default. Openssl is
>> a good portable alternative, but it does not support sha256, sha384, or
>> sha512. This also brings in a dependency for openssl.
>>
>> Signed-off-by: Sebastian Nowicki <sebnow@gmail.com>
>> ---
>> doc/makepkg.conf.5.txt | 2 +-
>> etc/makepkg.conf.in | 2 +-
>> scripts/makepkg.sh.in | 8 ++++----
>> 3 files changed, 6 insertions(+), 6 deletions(-)
>>
>> diff --git a/doc/makepkg.conf.5.txt b/doc/makepkg.conf.5.txt
>> index 113ad14..c662568 100644
>> --- a/doc/makepkg.conf.5.txt
>> +++ b/doc/makepkg.conf.5.txt
>> @@ -126,7 +126,7 @@ Options
>> **INTEGRITY_CHECK=(**check1 ...**)**::
>> File integrity checks to use. Multiple checks may be specified; this
>> affects both generation and checking. The current valid options are:
>> - `md5`, `sha1`, `sha256`, `sha384`, and `sha512`.
>> + `md5` and `sha1`.
>>
>> **DOC_DIRS=(**usr/{,share/}{info,doc} ...**)**::
>> If "!docs" is specified in the OPTIONS array, this variable will
>> diff --git a/etc/makepkg.conf.in b/etc/makepkg.conf.in
>> index 47ed0a4..62dc496 100644
>> --- a/etc/makepkg.conf.in
>> +++ b/etc/makepkg.conf.in
>> @@ -69,7 +69,7 @@ BUILDENV=(fakeroot !distcc color !ccache !xdelta)
>> #
>> OPTIONS=(strip !docs libtool emptydirs zipman)
>>
>> -#-- File integrity checks to use. Valid: md5, sha1, sha256, sha384, sha512
>> +#-- File integrity checks to use. Valid: md5, sha1
>> INTEGRITY_CHECK=(md5)
>> #-- Info and doc directories to remove (if option set correctly above)
>> DOC_DIRS=(usr/{,share/}{info,doc,gtk-doc} opt/*/{info,doc,gtk-doc})
>> diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
>> index 6e2f1ad..aaf1ad6 100644
>> --- a/scripts/makepkg.sh.in
>> +++ b/scripts/makepkg.sh.in
>> @@ -474,7 +474,7 @@ generate_checksums() {
>> for integ in ${INTEGRITY_CHECK[@]}; do
>> integ="$(echo $integ | tr [:upper:] [:lower:])"
>> case "$integ" in
>> - md5|sha1|sha256|sha384|sha512) : ;;
>> + md5|sha1) : ;;
>> *)
>> error "$(gettext "Invalid integrity algorithm '%s' specified.")" "$integ"
>> exit 1;; # $E_CONFIG_ERROR
>> @@ -510,7 +510,7 @@ generate_checksums() {
>> fi
>> fi
>>
>> - local sum="$(${integ}sum "$file" | cut -d ' ' -f 1)"
>> + local sum="$(openssl dgst -${integ} "$file" | awk '{print $2}')"
>> [ $ct -gt 0 ] && echo -n "$indent"
>> echo -n "'$sum'"
>> ct=$(($ct+1))
>> @@ -526,7 +526,7 @@ check_checksums() {
>> for integ in ${INTEGRITY_CHECK[@]}; do
>> integ="$(echo $integ | tr [:upper:] [:lower:])"
>> case "$integ" in
>> - md5|sha1|sha256|sha384|sha512) : ;;
>> + md5|sha1) : ;;
>> *)
>> error "$(gettext "Invalid integrity algorithm '%s' specified")" "$integ"
>> exit 1;; # $E_CONFIG_ERROR
>> @@ -557,7 +557,7 @@ check_checksums() {
>> fi
>> fi
>>
>> - if echo "${integrity_sums[$idx]} $file" | ${integ}sum --status -c - &>/dev/null; then
>> + if [ "${integrity_sums[$idx]}" = "$(openssl dgst -${integ} "$file" | awk '{print $2}')" ]; then
>> echo "$(gettext "Passed")" >&2
>> else
>> echo "$(gettext "FAILED")" >&2
>> --
> Ok, can we take a slightly different approach to this in order to not
> reduce functionality? How about we check for the existence of the
> ${integ}sum programs first (or at least the one we need), and then
> somehow fall back to the openssl binary if necessary? If we have an
> array of sha256 sums, then we would spit a big warning saying we could
> not verify these sums due to us not having a program to verify them.
>
> Of course, I have no idea how easy this is, but I'm really against
> losing functionality.
>

Oops, sorry about my previous message. I hadn't read this one first
(because of gmail's way of sorting messages by threads).
Falling back to openssl only when *sum are not available seems
better to me.

--
Roman Kyrylych (Роман Кирилич)
 
05-31-2008, 06:35 AM
Sebastian Nowicki

Use openssl for checksum verification instead of *sum utilities

Good news, it turns out that openssl does support sha256, sha384 and
sha512, it just wasn't documented in the man page. `openssl dgst --help`
does document them, and they are available on BSD and Linux, so that's
great. In the previous patch I forgot to remove the check for the
existence of the *sum program. Makepkg now checks if openssl exists.

The only downside I can see is that openssl is a ~7mb dependency, but at
least it's in core.

 
05-31-2008, 01:21 PM
"Dan McGee"

Use openssl for checksum verification instead of *sum utilities

On Sat, May 31, 2008 at 1:35 AM, Sebastian Nowicki <sebnow@gmail.com> wrote:
> md5sum, sha1sum, etc, do not exist on BSD systems by default. Openssl is
> a good portable alternative. This also brings in a dependency for
> openssl.
>
> Closes FS#10530.
>
> Signed-off-by: Sebastian Nowicki <sebnow@gmail.com>
> ---
> scripts/makepkg.sh.in | 12 ++++++------
> 1 files changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
> index 6e2f1ad..cb55dea 100644
> --- a/scripts/makepkg.sh.in
> +++ b/scripts/makepkg.sh.in
> @@ -480,8 +480,8 @@ generate_checksums() {
> exit 1;; # $E_CONFIG_ERROR
> esac
>
> - if [ ! $(type -p "${integ}sum") ]; then
> - error "$(gettext "Cannot find the '%s' program.")" "${integ}sum"
> + if [ ! $(type -p "openssl") ]; then
> + error "$(gettext "Cannot find openssl.")"
> exit 1 # $E_MISSING_PROGRAM
> fi
>
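Review bot: [ ! $(type -p "openssl") ] leaves the command substitution unquoted, so it works in the not-found case only because [ ! ] is evaluated as a one-argument test, and a result containing whitespace would make [ report a syntax error instead of a clean true or false. Testing the exit status directly, as in if ! type -p openssl >/dev/null; then, avoids both problems; since the check no longer depends on ${integ}, it also does not need to be repeated for every algorithm.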
> @@ -510,7 +510,7 @@ generate_checksums() {
> fi
> fi
>
> - local sum="$(${integ}sum "$file" | cut -d ' ' -f 1)"
> + local sum="$(openssl dgst -${integ} "$file" | awk '{print $2}')"
> [ $ct -gt 0 ] && echo -n "$indent"
> echo -n "'$sum'"
> ct=$(($ct+1))
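Review bot: The exit status of openssl dgst is discarded by the pipeline in the new sum= line, so if openssl fails (unreadable file, digest not accepted by the installed build) an empty '' is written into the generated checksum array without any error. Capture the output first, check the status, and only then extract the digest.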
> @@ -532,8 +532,8 @@ check_checksums() {
> exit 1;; # $E_CONFIG_ERROR
> esac
>
> - if [ ! $(type -p "${integ}sum") ]; then
> - error "$(gettext "Cannot find the '%s' program.")" "${integ}sum"
> + if [ ! $(type -p "openssl") ]; then
> + error "$(gettext "Cannot find openssl.")"
> exit 1 # $E_MISSING_PROGRAM
> fi
>
> @@ -557,7 +557,7 @@ check_checksums() {
> fi
> fi
>
> - if echo "${integrity_sums[$idx]} $file" | ${integ}sum --status -c - &>/dev/null; then
> + if [ "${integrity_sums[$idx]}" = "$(openssl dgst -${integ} "$file" | awk '{print $2}')" ]; then
> echo "$(gettext "Passed")" >&2
> else
> echo "$(gettext "FAILED")" >&2
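Review bot: The removed ${integ}sum --status -c - call ended in &>/dev/null, while the replacement command substitution leaves openssl's stderr attached, so any openssl error text is printed in the middle of the Passed/FAILED output. Add 2>/dev/null to the openssl call, or report the error explicitly and count the file as failed.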
> --
Code go boom:
$ openssl dgst -md5 'file with spaces'
MD5(file with spaces)= d41d8cd98f00b204e9800998ecf8427e
$ openssl dgst -md5 'file with spaces' | awk '{print $2}'
with

Try awk '{print $NF}' (NF is number of fields, so it will always print
the last field) instead and it should always work.

-Dan
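
The two suggestions made in this thread (prefer the ${integ}sum tool and fall back to openssl; take the digest from the last field of the output) combined into one fail-closed helper. This is an added example, not makepkg code and not something posted to the list; file_digest and verify_digest are hypothetical names, and the file is read on stdin so its name never appears in the tool output.

```sh
#!/bin/sh
# Added example, not makepkg code. file_digest/verify_digest are hypothetical names.

# file_digest ALGO FILE: print the lowercase hex digest; non-zero on any failure.
file_digest() {
    integ=$1 file=$2 out=
    case "$integ" in
        md5|sha1|sha256|sha384|sha512) ;;
        *) echo "invalid integrity algorithm '$integ'" >&2; return 2 ;;
    esac
    if command -v "${integ}sum" >/dev/null 2>&1; then
        # Output is "<hex>  -": the digest is the first field.
        out=$("${integ}sum" < "$file") || return 1
        out=${out%% *}
    elif command -v openssl >/dev/null 2>&1; then
        # Output is "<label>(stdin)= <hex>" or bare hex, depending on version:
        # take the last field, the equivalent of awk '{print $NF}'.
        out=$(openssl dgst "-$integ" < "$file") || return 1
        out=${out##* }
    else
        echo "no ${integ}sum or openssl found" >&2; return 3
    fi
    # Anything that is not pure hex is treated as a tool failure.
    case "$out" in ''|*[!0-9a-f]*) return 1 ;; esac
    printf '%s\n' "$out"
}

# verify_digest ALGO FILE EXPECTED: succeed only on a real match.
verify_digest() {
    expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    [ -n "$expected" ] || return 1                # empty expected sum never passes
    actual=$(file_digest "$1" "$2") || return 1   # tool error is a failure
    [ "$actual" = "$expected" ]
}

# Constructed sample input: an empty file whose name contains spaces.
demo_dir=$(mktemp -d)
: > "$demo_dir/file with spaces"
file_digest md5 "$demo_dir/file with spaces"
verify_digest md5 "$demo_dir/file with spaces" D41D8CD98F00B204E9800998ECF8427E \
    && echo "Passed"
rm -rf "$demo_dir"
```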
