Currently it's assumed, that already downloaded tarballs are always
fine, so no checksum checking is performed and the tarball is used even
if it might be corrupted.
From now on, we're going to always check the downloaded tarballs before
considering them valid.
Steps to reproduce:
1. Remove cached tarball
rm dl/libubox-2020-08-06-
9e52171d.tar.xz
2. Download valid tarball again
make package/libubox/download
3. Invalidate the tarball
sed -i 's/PKG_MIRROR_HASH:=../PKG_MIRROR_HASH:=ff/' package/libs/libubox/Makefile
4. Now compile with corrupt tarball source
make package/libubox/{clean,compile}
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit
4e19cbc553350b8146985367ba46514cf50e3393)
clean-build: host-clean-build
endif
+ $(DL_DIR)/$(FILE): FORCE
+
$(_host_target)host-prepare: $(HOST_STAMP_PREPARED)
$(_host_target)host-configure: $(HOST_STAMP_CONFIGURED)
$(_host_target)host-compile: $(HOST_STAMP_BUILT) $(HOST_STAMP_INSTALLED)
$(call Build/Autoclean)
$(call DefaultTargets)
+ $(DL_DIR)/$(FILE): FORCE
+
download:
$(foreach hook,$(Hooks/Download),
$(call $(hook))$(sep)
push @mirrors, 'https://librecmc.org/librecmc/downloads/sources/v1.5';
+if (-f "$target/$filename") {
+ $hash_cmd and do {
+ if (system("cat '$target/$filename' | $hash_cmd > '$target/$filename.hash'")) {
+ die "Failed to generate hash for $filename\n";
+ }
+
+ my $sum = `cat "$target/$filename.hash"`;
+ $sum =~ /^(\w+)\s*/ or die "Could not generate file hash\n";
+ $sum = $1;
+
+ exit 0 if $sum eq $file_hash;
+
+ die "Hash of the local file $filename does not match (file: $sum, requested: $file_hash) - deleting download.\n";
+ unlink "$target/$filename";
+ cleanup();
+ };
+}
+
while (!-f "$target/$filename") {
my $mirror = shift @mirrors;
$mirror or die "No more mirrors to try - giving up.\n";