Commit 3f615d12 authored by Jérome Perrin's avatar Jérome Perrin

New integrity option to replace md5sum

This allow using stronger hashes
parent 1dc49d3e
...@@ -39,12 +39,22 @@ Supported options ...@@ -39,12 +39,22 @@ Supported options
Shared option is True or False Shared option is True or False
The package will be installed on path/name/hash of options. The package will be installed on path/name/hash of options.
``integrity``
Hashes for the package file. This is expressed in ``algorithm:hash`` format,
for example: ``sha256:5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03``
If specified, the checksum of the downloaded package will be compared to
this value and if the values do not match the execution of the recipe will
fail.
``md5sum`` ``md5sum``
MD5 checksum for the package file. If available the MD5 MD5 checksum for the package file. If available the MD5
checksum of the downloaded package will be compared to this value checksum of the downloaded package will be compared to this value
and if the values do not match the execution of the recipe will and if the values do not match the execution of the recipe will
fail. fail.
This option is deprecated and ``integrity`` should be preferred.
``make-binary`` ``make-binary``
...@@ -336,6 +346,120 @@ default build options. ...@@ -336,6 +346,120 @@ default build options.
As we can see the configure script was called with the ``--prefix`` As we can see the configure script was called with the ``--prefix``
option by default followed by calls to ``make`` and ``make install``. option by default followed by calls to ``make`` and ``make install``.
Verifying the download integrity
================================
With ``integrity`` option, we can specify the expected hash of the package.
With a correct hash, everything is OK:
>>> write('buildout.cfg',
... """
... [buildout]
... newest = false
... parts = packagex
...
... [packagex]
... recipe = slapos.recipe.cmmi
... url = file://%s
... integrity = sha256:32605be560ddfb4c3ff0542949e2953b4d126bd804e42c9667b95b255e6d3f82
... """ % package_path)
>>> print(system(buildout))
Uninstalling packagex.
Installing packagex.
configure --prefix=/sample_buildout/parts/packagex
building package
installing package
<BLANKLINE>
but when the hash does not match, an error occurs:
>>> write('buildout.cfg',
... """
... [buildout]
... newest = false
... parts = packagex
...
... [packagex]
... recipe = slapos.recipe.cmmi
... url = file://%s
... integrity = sha256:wronghash
... """ % package_path)
>>> print(system(buildout))
Uninstalling packagex.
Installing packagex.
While:
Installing packagex.
Error: Checksum mismatch for local resource at '/testdata/package-0.0.0.tar.gz'.
<BLANKLINE>
This replaces the old ``md5sum`` option:
>>> write('buildout.cfg',
... """
... [buildout]
... newest = false
... parts = packagex
...
... [packagex]
... recipe = slapos.recipe.cmmi
... url = file://%s
... md5sum = 6b94295c042a91ea3203857326bc9209
... """ % package_path)
>>> print(system(buildout))
Installing packagex.
configure --prefix=/sample_buildout/parts/packagex
building package
installing package
<BLANKLINE>
>>> write('buildout.cfg',
... """
... [buildout]
... newest = false
... parts = packagex
...
... [packagex]
... recipe = slapos.recipe.cmmi
... url = file://%s
... md5sum = wrong
... """ % package_path)
>>> print(system(buildout))
Uninstalling packagex.
Installing packagex.
While:
Installing packagex.
Error: MD5 checksum mismatch for local resource at '/testdata/package-0.0.0.tar.gz'.
<BLANKLINE>
when both are specified, ``integrity`` has priority:
>>> write('buildout.cfg',
... """
... [buildout]
... newest = false
... parts = packagex
...
... [packagex]
... recipe = slapos.recipe.cmmi
... url = file://%s
... md5sum = wrong
... integrity = sha256:32605be560ddfb4c3ff0542949e2953b4d126bd804e42c9667b95b255e6d3f82
... """ % package_path)
>>> print(system(buildout))
Installing packagex.
configure --prefix=/sample_buildout/parts/packagex
building package
installing package
<BLANKLINE>
Installing a Perl package Installing a Perl package
========================= =========================
......
...@@ -316,7 +316,12 @@ class Recipe(object): ...@@ -316,7 +316,12 @@ class Recipe(object):
shutil.rmtree(compile_dir) shutil.rmtree(compile_dir)
os.makedirs(compile_dir) os.makedirs(compile_dir)
try: try:
self.options.get('md5sum') # so that buildout does not complain "unused option md5sum" # Access options, so that buildout does not complain about
# unused options, because we copy the options for download.
# Note that if integrity exist, md5sum will be not used, so
# we don't get it in that case.
if not self.options.get('integrity'):
self.options.get('md5sum')
opt = self.options.copy() opt = self.options.copy()
opt['destination'] = compile_dir opt['destination'] = compile_dir
# no need to shared build for compile dir # no need to shared build for compile dir
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment