From 67a0e8d70f0caf8b85e0cf2031333236b2a3dcdf Mon Sep 17 00:00:00 2001
From: Boris Kolpackov <boris@codesynthesis.com>
Date: Sun, 24 Jan 2016 14:46:19 +0200
Subject: Add checksum verification

---
 bpkg/pkg-fetch.cxx | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

(limited to 'bpkg/pkg-fetch.cxx')

diff --git a/bpkg/pkg-fetch.cxx b/bpkg/pkg-fetch.cxx
index 3032eda..a57059d 100644
--- a/bpkg/pkg-fetch.cxx
+++ b/bpkg/pkg-fetch.cxx
@@ -11,6 +11,7 @@
 #include <bpkg/package>
 #include <bpkg/package-odb>
 #include <bpkg/utility>
+#include <bpkg/checksum>
 #include <bpkg/database>
 #include <bpkg/diagnostics>
 #include <bpkg/manifest-utility>
@@ -23,7 +24,6 @@ using namespace butl;
 
 namespace bpkg
 {
-
   static shared_ptr<selected_package>
   pkg_fetch (dir_path c,
              transaction& t,
@@ -218,6 +218,20 @@ namespace bpkg
     path a (fetch_archive (co, pl->repository->location, pl->location, c));
     auto_rm arm (a);
 
+    // We can't be fetching an archive for a transient object.
+    //
+    assert (ap->sha256sum);
+
+    const string& sha256sum (sha256 (co, a));
+    if (sha256sum != *ap->sha256sum)
+    {
+      fail << "checksum mismatch for " << n << " " << v <<
+        info << pl->repository->name << " has " << *ap->sha256sum <<
+        info << "fetched archive has " << sha256sum <<
+        info << "try again, if problem persists, consider reporting this to "
+           << "the repository maintainer";
+    }
+
     shared_ptr<selected_package> p (
       pkg_fetch (c,
                  t,
-- 
cgit v1.1