linaro-pkg team mailing list archive

Bug#820454: linaro-image-tools: enable sha256 hash check support

 

Package: linaro-image-tools
Version: 2014.11-1
Severity: important
Tags: patch

Dear maintainers,

  With recent APT (>= 1.1~exp12), md5sum is no longer considered a usable hash.
  When creating a hwpack, the Packages file only includes support for md5sum,
  which turns out to fail on the image building part due to a checksum mismatch:

  Get:1 file:/tmp/tmp.XXXXdSXHcN/unpacked/pkgs ./ sensible-utils 0.0.9 [11.0 kB]
  Err:1 file:/tmp/tmp.XXXXdSXHcN/unpacked/pkgs ./ sensible-utils 0.0.9
    Hash Sum mismatch

  If a sha256 hash is added to the hwpack Packages files, then everything runs
  again as it used to.

  I am attaching a patch that solves this issue for me.

Regards
  

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (900, 'unstable'), (500, 'buildd-unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 4.4.0-1-686-pae (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages linaro-image-tools depends on:
ii  apt-utils                              1.2.9
ii  dosfstools                             3.0.28-2
ii  gdisk                                  1.0.1-1
ii  libpython2.7-stdlib [python-argparse]  2.7.11-7
ii  parted                                 3.2-15
ii  python                                 2.7.11-1
ii  python-dbus                            1.2.4-1
ii  python-debian                          0.1.27
ii  python-linaro-image-tools              2014.11-1
ii  python-parted                          3.10.7-2+b1
ii  python-yaml                            3.11-3+b1
ii  sudo                                   1.8.15-1.1
ii  u-boot-tools                           2016.03+dfsg1-2

Versions of packages linaro-image-tools recommends:
ii  btrfs-tools        4.4-1
ii  command-not-found  0.2.38-3
ii  qemu-user-static   1:2.5+dfsg-5
ii  udisks             1.0.5-1+b1

linaro-image-tools suggests no packages.

-- no debconf information
Description: add support for sha256 hashes in Packages file
 Since APT disabled MD5sum support, linaro-hwpack-install fails with
 checksum mismatch errors as it is unable to verify package integrity
 using md5 hash. The following implements sha256 hash support.
 .
 linaro-image-tools (2014.11-1.1) UNRELEASED; urgency=medium
 .
   * Allow sha256 hashes on Packages file.
Author: Héctor Orón Martínez <zumbi@xxxxxxxxxx>

--- linaro-image-tools-2014.11.orig/linaro_image_tools/hwpack/packages.py
+++ linaro-image-tools-2014.11/linaro_image_tools/hwpack/packages.py
@@ -87,6 +87,7 @@ def get_packages_file(packages, extra_te
         if package.breaks:
             parts.append('Breaks: %s' % package.breaks)
         parts.append('MD5sum: %s' % package.md5)
+        parts.append('SHA256: %s' % package.sha256)
         content += "\n".join(parts)
         content += "\n\n"
     return content
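Review bot: The new 'SHA256: %s' % package.sha256 line in get_packages_file is appended unconditionally, so a package whose sha256 attribute is None would put the literal text "SHA256: None" into the Packages file. Suggest emitting the field only when package.sha256 is set, or failing early when it is missing, since the report says an MD5sum-only entry is no longer accepted.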
@@ -295,6 +296,9 @@ class FetchedPackage(object):
     :ivar md5: the hex representation of the md5sum of the contents of
         the package.
     :type md5: str
+    :ivar sha256: the hex representation of the sha256sum of the contents of
+        the package.
+    :type sha256: str
     :ivar architecture: the architecture that the package is for, may be
         'all'.
     :type architecture: str
@@ -331,7 +335,7 @@ class FetchedPackage(object):
     :type breaks: str or None
     """
 
-    def __init__(self, name, version, filename, size, md5,
+    def __init__(self, name, version, filename, size, md5, sha256,
                  architecture, depends=None, pre_depends=None,
                  multi_arch=None, conflicts=None, recommends=None,
                  provides=None, replaces=None, breaks=None):
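Review bot: In FetchedPackage.__init__, sha256 is inserted as a required positional parameter between md5 and architecture, so any caller not updated by this patch that still uses the old argument order will either fail or silently shift its arguments by one (architecture landing in sha256). Consider adding it as a trailing keyword argument (sha256=None) or passing these values by keyword at the call sites, and check the tests and any other callers for the old signature.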
@@ -344,6 +348,7 @@ class FetchedPackage(object):
         self.filename = filename
         self.size = size
         self.md5 = md5
+        self.sha256 = sha256
         self.architecture = architecture
         self.depends = depends
         self.pre_depends = pre_depends
@@ -389,7 +394,7 @@ class FetchedPackage(object):
         provides = ", ".join([a[0] for a in pkg._cand.provides_list]) or None
         pkg = cls(
             pkg.package.name, pkg.version, filename, pkg.size,
-            pkg.md5, pkg.architecture, depends=depends,
+            pkg.md5, pkg.sha256, pkg.architecture, depends=depends,
             pre_depends=pre_depends, multi_arch=multi_arch,
             conflicts=conflicts, recommends=recommends, provides=provides,
             replaces=replaces, breaks=breaks)
@@ -406,6 +411,7 @@ class FetchedPackage(object):
         filename = os.path.basename(deb_file_path)
         size = os.path.getsize(deb_file_path)
         md5sum = hashlib.md5(open(deb_file_path).read()).hexdigest()
+        sha256sum = hashlib.sha256(open(deb_file_path).read()).hexdigest()
         architecture = debcontrol['Architecture']
         depends = debcontrol.get('Depends')
         pre_depends = debcontrol.get('Pre-Depends')
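Review bot: The added sha256sum line opens and reads deb_file_path a second time, directly after the md5sum line does the same; neither handle is closed and both open the .deb without a binary mode. Suggest reading the file once with open(deb_file_path, 'rb') inside a with block and feeding the same bytes to hashlib.md5 and hashlib.sha256, so both digests describe the same content and no file descriptors are leaked.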
@@ -416,8 +422,8 @@ class FetchedPackage(object):
         replaces = debcontrol.get('Replaces')
         breaks = debcontrol.get('Breaks')
         pkg = cls(
-            name, version, filename, size, md5sum, architecture, depends,
-            pre_depends, multi_arch, conflicts, recommends, provides,
+            name, version, filename, size, md5sum, sha256sum, architecture,
+            depends, pre_depends, multi_arch, conflicts, recommends, provides,
             replaces, breaks)
         pkg.content = open(deb_file_path)
         pkg._file_path = deb_file_path
@@ -434,6 +440,7 @@ class FetchedPackage(object):
         'filename',
         'size',
         'md5',
+        'sha256',
         'architecture',
         'depends',
         'pre_depends',
@@ -774,7 +781,7 @@ class PackageFetcher(object):
             result_package = fetched[package.name]
             destfile = os.path.join(self.cache.tempdir, base)
             acqfile = apt_pkg.AcquireFile(
-                acq, candidate.uri, candidate.md5, candidate.size,
+                acq, candidate.uri, candidate.sha256, candidate.size,
                 base, destfile=destfile)
             acqfiles.append((acqfile, result_package, destfile))
             # check if we have a private key in the pkg url
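Review bot: In the apt_pkg.AcquireFile call, candidate.sha256 is passed in the third positional slot that previously carried candidate.md5, as a bare hex digest with nothing indicating the hash type. Please confirm that the python-apt version in use actually verifies the download against a value given this way rather than ignoring it; if it does not, the fetch would proceed without an integrity check. A test showing that a corrupted .deb is rejected would settle it.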