SHA-256 hash support for unverified upstream sources

Unverified upstream sources (those with `skip-check: true`) are inherently risky as they lack a verification method. Any changes to these sources could go undetected. To address this, we now calculate and store the SHA-256 hash of unverified sources. This hash is added to the `eext.yaml` file under the `src-sha256-hash` field. During the `create-srpm` command, the hash in `eext.yaml` will be compared with the hash of the downloaded sources.
aristanetworks · Dec 23, 2024 · 7ca1e86 · 7ca1e86
1 parent 2f083e0
commit 7ca1e86
Show file tree

Hide file tree

Showing 5 changed files with 54 additions and 0 deletions.
diff --git a/impl/create_srpm_for_others.go b/impl/create_srpm_for_others.go
@@ -50,6 +50,19 @@ func (bldr *srpmBuilder) getUpstreamSourceForOthers(upstreamSrcFromManifest mani
 	}
 	bldr.log("downloaded")
 
+	if upstreamSrcFromManifest.Sha256 != "" {
+		srcFilePath := filepath.Join(downloadDir, upstreamSrc.sourceFile)
+		sha256Hash, err := util.GenerateSha256Hash(srcFilePath)
+		if err != nil {
+			return nil, fmt.Errorf("%s SHA256 generation failed with '%s'", bldr.errPrefix, err)
+		}
+		sha256InManifest := upstreamSrcFromManifest.Sha256
+		if sha256Hash != sha256InManifest {
+			return nil, fmt.Errorf("%s bad SHA256: '%s' expected: '%s'",
+				bldr.errPrefix, sha256Hash, sha256InManifest)
+		}
+	}
+
 	upstreamSrc.skipSigCheck = upstreamSrcFromManifest.Signature.SkipCheck
 	pubKey := upstreamSrcFromManifest.Signature.DetachedSignature.PubKey
 

diff --git a/impl/create_srpm_from_others_test.go b/impl/create_srpm_from_others_test.go
@@ -42,3 +42,11 @@ func TestMatchTarballSignature(t *testing.T) {
 	t.Log("Test tarball Signatue Match")
 	testTarballSig(t, "matchTarball")
 }
+
+func TestUpstreamSourcesSHA256Hash(t *testing.T) {
+	pkg := "bandit"
+	cwd, _ := os.Getwd()
+	repo := filepath.Join(cwd, "testData/upstream-hash-check-bad")
+	createSrpmErr := CreateSrpm(repo, pkg, CreateSrpmExtraCmdlineArgs{})
+	require.NotEqual(t, nil, createSrpmErr)
+}
diff --git a/impl/testData/upstream-hash-check-bad/eext.yaml b/impl/testData/upstream-hash-check-bad/eext.yaml
@@ -0,0 +1,16 @@
+---
+package:
+  - name: bandit
+    upstream-sources:
+      - source-bundle:
+          name: srpm
+          override:
+            version: 1.7.7-1.fc40
+        signature:
+          skip-check: true
+        Sha256: c2b29c064e8c9dcf92fe21b416d2sfgsgsfg94d7850gbdfhghd
+    type: srpm
+    build:
+      repo-bundle:
+        - name: el9
+        - name: epel9
diff --git a/manifest/manifest.go b/manifest/manifest.go
@@ -131,6 +131,7 @@ type UpstreamSrc struct {
 	FullURL      string       `yaml:"full-url"`
 	GitBundle    GitBundle    `yaml:"git"`
 	Signature    Signature    `yaml:"signature"`
+	Sha256       string       `yaml:"Sha256"`
 }
 
 // Package spec

diff --git a/util/util.go b/util/util.go
@@ -4,6 +4,7 @@
 package util
 
 import (
+	"crypto/sha256"
 	"fmt"
 	"io"
 	"os"
@@ -161,3 +162,18 @@ func GetRepoDir(repo string) string {
 	}
 	return repoDir
 }
+
+// Generate SHA256 hash of file
+func GenerateSha256Hash(filePath string) (string, error) {
+	file, err := os.Open(filePath)
+	if err != nil {
+		return "", fmt.Errorf("GenerateSha256Hash: %s", err)
+	}
+	defer file.Close()
+	hashComputer := sha256.New()
+	if _, err := io.Copy(hashComputer, file); err != nil {
+		return "", fmt.Errorf("GenerateSha256Hash: %s", err)
+	}
+	sha256Hash := fmt.Sprintf("%x", hashComputer.Sum(nil))
+	return sha256Hash, nil
+}