SHA-256 hash support for unverified upstream sources

Unverified upstream sources (those with `skip-check: true`) are inherently risky as they lack a verification method. Any changes to these sources could go undetected. To address this, we now calculate and store the SHA-256 hash of unverified sources. This hash is added to the `eext.yaml` file under the `src-sha256-hash` field. During the `create-srpm` command, the hash in `eext.yaml` will be compared with the hash of the downloaded sources.
aristanetworks · Dec 16, 2024 · 1a76c05 · 1a76c05
1 parent 2f083e0
commit 1a76c05
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 0 deletions.
diff --git a/impl/create_srpm.go b/impl/create_srpm.go
@@ -4,7 +4,9 @@
 package impl
 
 import (
+	"crypto/sha256"
 	"fmt"
+	"io"
 	"log"
 	"os"
 	"path/filepath"
@@ -74,6 +76,23 @@ func (bldr *srpmBuilder) clean() error {
 	return nil
 }
 
+// Generate SHA256 hash of file
+func generateSha256Hash(filePath string) (string, error) {
+	file, err := os.Open(filePath)
+	if err != nil {
+		return "", fmt.Errorf("errored with %s while creating file",
+			err)
+	}
+	defer file.Close()
+	hashComputer := sha256.New()
+	if _, err := io.Copy(hashComputer, file); err != nil {
+		return "", fmt.Errorf("errored with %s while generating hash",
+			err)
+	}
+	sha256Hash := fmt.Sprintf("%x", hashComputer.Sum(nil))
+	return sha256Hash, nil
+}
+
 // Fetch the upstream sources mentioned in the manifest.
 // Put them into downloadDir and populate bldr.upstreamSrc
 func (bldr *srpmBuilder) fetchUpstream() error {
@@ -98,6 +117,24 @@ func (bldr *srpmBuilder) fetchUpstream() error {
 		if err != nil {
 			return err
 		}
+
+		if upstreamSrcFromManifest.Signature.SkipCheck && upstreamSrcFromManifest.Signature.SrcSha256Hash != "" {
+			srcFilePath := filepath.Join(downloadDir, upstreamSrc.sourceFile)
+			sha256Hash, err := generateSha256Hash(srcFilePath)
+			if err != nil {
+				return fmt.Errorf("%sError '%s'",
+					bldr.errPrefix, err)
+			}
+			eextSha256Hash := upstreamSrcFromManifest.Signature.SrcSha256Hash
+			fmt.Printf("calculated SHA hash is `%s`, hash in eext-yaml file is `%s` \n", sha256Hash, eextSha256Hash)
+			if sha256Hash != eextSha256Hash {
+				return fmt.Errorf("%sError:SHA256 hash '%s'is not matching with eext.yaml sha hash '%s' for upstream file '%s', package '%s'",
+					bldr.errPrefix, sha256Hash, eextSha256Hash, srcFilePath, bldr.pkgSpec.Name)
+			} else {
+				fmt.Printf("SHA-256 hash matched successfully, unmodified upstream source found \n")
+			}
+		}
+
 		bldr.upstreamSrc = append(bldr.upstreamSrc, *upstreamSrc)
 	}
 

diff --git a/impl/create_srpm_from_others_test.go b/impl/create_srpm_from_others_test.go
@@ -42,3 +42,12 @@ func TestMatchTarballSignature(t *testing.T) {
 	t.Log("Test tarball Signatue Match")
 	testTarballSig(t, "matchTarball")
 }
+
+func TestUpstreamSourcesSHA256Hash(t *testing.T) {
+	pkg := "bandit"
+	cwd, _ := os.Getwd()
+	repo := filepath.Join(cwd, "testData/upstream-src-hash")
+	createSrpmErr := CreateSrpm(repo, pkg, CreateSrpmExtraCmdlineArgs{})
+	require.NotEqual(t, nil, createSrpmErr)
+	t.Log("TestupstreamSourcesSHA256Hash test passed")
+}
diff --git a/impl/testData/upstream-src-hash/eext.yaml b/impl/testData/upstream-src-hash/eext.yaml
@@ -0,0 +1,16 @@
+---
+package:
+  - name: bandit
+    upstream-sources:
+      - source-bundle:
+          name: srpm
+          override:
+            version: 1.7.7-1.fc40
+        signature:
+          skip-check: true
+          src-sha256-hash: c2b29c064e8c9dcf92fe21b416d2sfgsgsfg94d7850gbdfhghd
+    type: srpm
+    build:
+      repo-bundle:
+        - name: el9
+        - name: epel9
diff --git a/manifest/manifest.go b/manifest/manifest.go
@@ -109,6 +109,7 @@ type DetachedSignature struct {
 type Signature struct {
 	SkipCheck         bool              `yaml:"skip-check"`
 	DetachedSignature DetachedSignature `yaml:"detached-sig"`
+	SrcSha256Hash     string            `yaml:"src-sha256-hash"`
 }
 
 // SourceBundle spec