Subject: Using multiple digest algorithms in pkgsrc
To: None <tech-pkg@netbsd.org>
From: Alistair Crooks <agc@pkgsrc.org>
List: tech-security
Date: 02/16/2005 14:06:55
--Dxnq1zWXvFF0Q93v
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Following on from
http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
I've made some modifications to bsd.pkg.mk so that a number of digest
algorithms can be specified for dist files and dist patches. I have
kept the digests of our included patch files to be simply sha1 for
just now, since they are really meant to indicate whether a file has
changed, and are not used to guarantee file integrity - in short, if
someone can modify the patch file, they can modify the distinfo file
holding its information.
I have extended the DIGEST_ALGORITHM definition (which is set by ?=
in bsd.pkg.mk) to be a whitespace-separated list of algorithms which
are used in "makedistinfo" to generate the distinfo files.
The modifications produce distinfo files which look like this:
[14:00:06] agc@sys3 ...pkgsrc/misc/libutf 107 > cat distinfo
$NetBSD: distinfo,v 1.3 2002/12/23 08:03:03 jmmv Exp $
SHA1 (libutf-2.10.tar.gz) = 8dd0f6873112deaa5b5bf2a0554e28f9d8d4ddda
RMD160 (libutf-2.10.tar.gz) = f7be9f311440fe68654ce0312e869dc6a94dc47f
Size (libutf-2.10.tar.gz) = 55099 bytes
SHA1 (patch-aa) = 13ed8cf7d011e10f207d0d95a9d033b41251be44
SHA1 (patch-ab) = 993fa48a26c1111fbbcd5464eae1b6ea07cb4ffc
[14:00:09] agc@sys3 ...pkgsrc/misc/libutf 108 >
and produce the following output:
[11:58:46] agc@sys3 ...pkgsrc/misc/libutf 25 > make checksum
===> do-fetch [libutf-2.10nb3] ===> Checking for vulnerabilities in libutf-2.10nb3
=> Checksum SHA1 OK for libutf-2.10.tar.gz.
=> Checksum RMD160 OK for libutf-2.10.tar.gz.
[11:59:32] agc@sys3 ...pkgsrc/misc/libutf 26 >
Existing distinfo files work just fine:
[12:00:14] agc@sys3 ...pkgsrc/editors/ssam 6 > make checksum
===> do-fetch [ssam-1.9nb1] ===> Checking for vulnerabilities in ssam-1.9nb1
=> Checksum SHA1 OK for ssam-1.9.tar.gz.
[12:01:01] agc@sys3 ...pkgsrc/editors/ssam 7 >
and modifying a single digit of one checksum will still detect
the fiddling:
[12:24:48] agc@sys3 ...pkgsrc/misc/libutf 44 > make
===> do-fetch [libutf-2.10nb2] ===> Checking for vulnerabilities in libutf-2.10nb2
=> Checksum SHA1 OK for libutf-2.10.tar.gz.
=> Checksum RMD160 mismatch for libutf-2.10.tar.gz.
Make sure the Makefile and checksum file (/usr/sandbox/current/usr/pkgsrc/misc/libutf/distinfo)
are up to date. If you want to override this check, type
I'm just running a bulk build right now with the changes incorporated,
and some distinfo files updated to use multiple digests.
Regards,
Alistair
--Dxnq1zWXvFF0Q93v
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="multi-digest.diff"
Index: bsd.pkg.mk
===================================================================
RCS file: /cvsroot/pkgsrc/mk/bsd.pkg.mk,v
retrieving revision 1.1590
diff -u -r1.1590 bsd.pkg.mk
--- bsd.pkg.mk 16 Feb 2005 11:01:03 -0000 1.1590
+++ bsd.pkg.mk 16 Feb 2005 14:02:48 -0000
@@ -125,7 +125,7 @@
CONFIGURE_SCRIPT?= ./configure
DEPENDS?= # empty
DESCR_SRC?= ${PKGDIR}/DESCR
-DIGEST_ALGORITHM?= SHA1
+DIGEST_ALGORITHM?= SHA1 RMD160
DISTFILES?= ${DISTNAME}${EXTRACT_SUFX}
DISTINFO_FILE?= ${PKGDIR}/distinfo
EXTRACT_ONLY?= ${DISTFILES}
@@ -137,6 +137,7 @@
MAINTAINER?= tech-pkg@NetBSD.org
MAKE_FLAGS?= # empty
MAKEFILE?= Makefile
+PATCH_DIGEST_ALGORITHM?=SHA1
PKG_SUFX?= .tgz
PKGFILE?= ${PKGREPOSITORY}/${PKGNAME}${PKG_SUFX}
PKGREPOSITORY?= ${PACKAGES}/${PKGREPOSITORYSUBDIR}
@@ -1271,7 +1272,7 @@
if [ -n "${FAILOVER_FETCH}" -a -f ${DISTINFO_FILE} -a -f ${_DISTDIR}/$$bfile ]; then \
alg=`${AWK} 'NF == 4 && $$2 == "('$$file')" && $$3 == "=" {print $$1;}' ${DISTINFO_FILE}`; \
if [ -z "$$alg" ]; then \
- alg=${DIGEST_ALGORITHM};\
+ alg=${PATCH_DIGEST_ALGORITHM};\
fi; \
CKSUM=`${DIGEST} $$alg < ${_DISTDIR}/$$bfile`; \
CKSUM2=`${AWK} '$$1 == "'$$alg'" && $$2 == "('$$file')" {print $$4;}' <${DISTINFO_FILE}`; \
@@ -3687,12 +3688,18 @@
cd ${DISTDIR}; \
for sumfile in "" ${_CKSUMFILES}; do \
if [ "X$$sumfile" = "X" ]; then continue; fi; \
- ${DIGEST} ${DIGEST_ALGORITHM} $$sumfile >> $$newfile; \
+ for a in "" ${DIGEST_ALGORITHM}; do \
+ if [ "X$$a" = "X" ]; then continue; fi; \
+ ${DIGEST} $$a $$sumfile >> $$newfile; \
+ done; \
${WC} -c $$sumfile | ${AWK} '{ print "Size (" $$2 ") = " $$1 " bytes" }' >> $$newfile; \
done; \
for ignore in "" ${_IGNOREFILES}; do \
if [ "X$$ignore" = "X" ]; then continue; fi; \
- ${ECHO} "${DIGEST_ALGORITHM} ($$ignore) = IGNORE" >> $$newfile; \
+ for a in "" ${DIGEST_ALGORITHM}; do \
+ if [ "X$$a" = "X" ]; then continue; fi; \
+ ${ECHO} "$$a ($$ignore) = IGNORE" >> $$newfile; \
+ done; \
done; \
if [ -f ${DISTINFO_FILE} ]; then \
${AWK} '$$2 ~ /\(patch-[a-z0-9]+\)/ { print $$0 }' < ${DISTINFO_FILE} >> $$newfile; \
@@ -3725,7 +3732,7 @@
case $$sumfile in \
patch-local-*) ;; \
*.orig|*.rej|*~) continue ;; \
- *) ${ECHO} "${DIGEST_ALGORITHM} ($$sumfile) = `${SED} -e '/\$$NetBSD.*/d' $$sumfile | ${DIGEST} ${DIGEST_ALGORITHM}`" >> $$newfile;; \
+ *) ${ECHO} "${PATCH_DIGEST_ALGORITHM} ($$sumfile) = `${SED} -e '/\$$NetBSD.*/d' $$sumfile | ${DIGEST} ${PATCH_DIGEST_ALGORITHM}`" >> $$newfile;; \
esac; \
done); \
fi; \
@@ -3758,23 +3765,25 @@
for file in "" ${_CKSUMFILES}; do \
if [ "X$$file" = X"" ]; then continue; fi; \
alg=`${AWK} 'NF == 4 && $$2 == "('$$file')" && $$3 == "=" {print $$1;}' ${DISTINFO_FILE}`; \
- if [ "X$$alg" = "X" ]; then \
- ${ECHO_MSG} "=> No checksum recorded for $$file."; \
- OK="false"; \
- else \
- CKSUM=`${DIGEST} $$alg < $$file`; \
- CKSUM2=`${AWK} '$$1 == "'$$alg'" && $$2 == "('$$file')"{print $$4;}' ${DISTINFO_FILE}`; \
- if [ "$$CKSUM2" = "IGNORE" ]; then \
- ${ECHO_MSG} "=> Checksum for $$file is set to IGNORE in checksum file even though"; \
- ${ECHO_MSG} " the file is not in the "'$$'"{IGNOREFILES} list."; \
+ for a in $$alg; do \
+ if [ "X$$alg" = "X" ]; then \
+ ${ECHO_MSG} "=> No checksum recorded for $$file."; \
OK="false"; \
- elif [ "$$CKSUM" = "$$CKSUM2" ]; then \
- ${ECHO_MSG} "=> Checksum OK for $$file."; \
else \
- ${ECHO_MSG} "=> Checksum mismatch for $$file."; \
- OK="false"; \
+ CKSUM=`${DIGEST} $$a < $$file`; \
+ CKSUM2=`${AWK} '$$1 == "'$$a'" && $$2 == "('$$file')"{print $$4;}' ${DISTINFO_FILE}`; \
+ if [ "$$CKSUM2" = "IGNORE" ]; then \
+ ${ECHO_MSG} "=> Checksum for $$file is set to IGNORE in checksum file even though"; \
+ ${ECHO_MSG} " the file is not in the "'$$'"{IGNOREFILES} list."; \
+ OK="false"; \
+ elif [ "$$CKSUM" = "$$CKSUM2" ]; then \
+ ${ECHO_MSG} "=> Checksum $$a OK for $$file."; \
+ else \
+ ${ECHO_MSG} "=> Checksum $$a mismatch for $$file."; \
+ OK="false"; \
+ fi; \
fi; \
- fi; \
+ done; \
done; \
for file in "" ${_IGNOREFILES}; do \
if [ "X$$file" = X"" ]; then continue; fi; \
--Dxnq1zWXvFF0Q93v--