From 67a0e8d70f0caf8b85e0cf2031333236b2a3dcdf Mon Sep 17 00:00:00 2001
From: Boris Kolpackov
Date: Sun, 24 Jan 2016 14:46:19 +0200
Subject: Add checksum verification
---
 bpkg/cfg-fetch.cxx | 57 +++++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 46 insertions(+), 11 deletions(-)
(limited to 'bpkg/cfg-fetch.cxx')
diff --git a/bpkg/cfg-fetch.cxx b/bpkg/cfg-fetch.cxx
index c261863..d90ab93 100644
--- a/bpkg/cfg-fetch.cxx
+++ b/bpkg/cfg-fetch.cxx
@@ -58,10 +58,26 @@ namespace bpkg
 r->fetched = true; // Mark as being fetched.
- // Load the 'repositories' file and use it to populate the
- // prerequisite and complement repository sets.
+ // Load the 'packages' file. We do this first so that we can get and
+ // verify the checksum of the 'repositories' file which below.
 //
- repository_manifests rms (fetch_repositories (co, rl, true));
+ package_manifests pms (fetch_packages (co, rl, true));
+
+ // Load the 'repositories' file and use it to populate the prerequisite and
+ // complement repository sets.
+ //
+ repository_manifests rms;
+
+ try
+ {
+ rms = fetch_repositories (co, rl, pms.sha256sum, true);
+ }
+ catch (const checksum_mismatch&)
+ {
+ fail << "repository files checksum mismatch for "
+ << rl.canonical_name () <<
+ info << "try again";
+ }
 for (repository_manifest& rm: rms)
 {
@@ -150,13 +166,6 @@ namespace bpkg
 }
 }
- // Load the 'packages' file.
- //
- // @@ We need to check that that 'repositories' file hasn't
- // changed since.
- //
- package_manifests pms (fetch_packages (co, rl, true));
-
 // "Suspend" session while persisting packages to reduce memory
 // consumption.
 //
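Review bot: In the first hunk (`@@ -58,10 +58,26 @@`), the checksum that `fetch_repositories (co, rl, pms.sha256sum, true)` verifies is taken from the 'packages' file just fetched from the same location `rl`, so as far as this hunk shows the check establishes that the two files belong together, not that either one is authentic. The `info << "try again"` hint fits that reading (a repository updated between the two downloads), but a party able to alter both responses would still pass the check unless the 'packages' manifest is authenticated elsewhere, which is not visible here. I would state this in the comment, e.g. `// Note: this is a consistency check between the two files, not an authenticity check.`, and fix the wording of the first comment to `// verify the checksum of the 'repositories' file, which we load below.` The enclosing function starts and ends outside the hunk.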
@@ -178,6 +187,27 @@ namespace bpkg
 p = make_shared (move (pm));
 persist = true;
 }
+ else
+ {
+ // Make sure this is the same package.
+ //
+ assert (p->sha256sum && !p->locations.empty ()); // Can't be transient.
+
+ if (*pm.sha256sum != *p->sha256sum)
+ {
+ // All the previous repositories that contain this package have the
+ // same checksum (since they passed this test), so we can pick any
+ // to show to the user.
+ //
+ const string& r1 (rl.canonical_name ());
+ const string& r2 (p->locations[0].repository.object_id ());
+
+ fail << "checksum mismatch for " << pm.name << " " << pm.version <<
+ info << r1 << " has " << *pm.sha256sum <<
+ info << r2 << " has " << *p->sha256sum <<
+ info << "consider reporting this to the repository maintainers";
+ }
+ }
 // This repository shouldn't already be in the location set since
 // that would mean it has already been loaded and we shouldn't be
@@ -251,7 +281,12 @@ namespace bpkg
 // their packages.
 //
 for (const lazy_shared_ptr& lp: ua)
- cfg_fetch (o, t, lp.load (), root, ""); // No reason (user-added).
+ {
+ shared_ptr r (lp.load ());
+
+ if (!r->fetched) // Can already be loaded as a prerequisite/complement.
+ cfg_fetch (o, t, r, root, ""); // No reason (user-added).
+ }
 size_t rcount, pcount;
 if (verb)
-- 
cgit v1.1
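Review bot: In the `@@ -178,6 +187,27 @@` hunk, `*pm.sha256sum` is dereferenced in the comparison and in the diagnostic, but the preceding `assert` only covers `p`, the object already in the database, while `pm` comes from the freshly fetched 'packages' manifest. If the manifest parser does not already reject package entries without a checksum (not visible here), dereferencing what looks like an empty optional would be undefined behaviour, so I would guard it before the comparison: `if (!pm.sha256sum) fail << "no checksum for " << pm.name << " " << pm.version << " in " << rl.canonical_name ();`. Note also that `assert` is compiled out under `NDEBUG`, so `p->locations[0]` then relies on that invariant with no runtime check. The enclosing function starts and ends outside the hunk.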
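Review bot: In the last hunk (`@@ -251,7 +281,12 @@`), the new `if (!r->fetched)` guard makes the `fetched` flag decide whether a user-added repository is downloaded and checksum-verified at all, and the place where that flag is reset before this loop is not in view. Judging by the first hunk's context line `r->fetched = true; // Mark as being fetched.`, the flag is set before the repository's files are loaded, so it seems to mean "visited in this run" rather than "fetched and verified". I would spell that out next to the guard, e.g. `// fetched means "visited in this run": it is set before the repository's files are downloaded.`, and confirm that every repository has the flag cleared before the loop starts. The enclosing function starts and ends outside the hunk.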