Verified Commit eaeb2342 authored by Karel Koci's avatar Karel Koci 🤘

lib/updater: fix invalid hash check for SHA256

This is a major problem, as packages were not verified because of this
error.

This also adds a warning for packages that are not correctly verified.
parent e6358368
Pipeline #62452 passed with stage
in 2 minutes and 39 seconds
......@@ -106,17 +106,30 @@ function prepare(entrypoint)
local ok, data = task.real_uri:get()
if ok then
INFO("Queue install of " .. task.name .. "/" .. task.package.repo.name .. "/" .. task.package.Version)
local verified = false
if task.package.MD5Sum then
local sum = md5(data)
if sum ~= task.package.MD5Sum then
error(utils.exception("corruption", "The md5 sum of " .. task.name .. " does not match"))
end
verified = true
end
if task.package.SHA256Sum then
local sum = sha256(data)
if sum ~= task.package.SHA256Sum then
error(utils.exception("corruption", "The sha256 sum of " .. task.name .. " does not match"))
end
verified = true
end
if task.package.SHA256sum then
local sum = sha256(data)
if sum ~= task.package.SHA256sum then
error(utils.exception("corruption", "The sha256 sum of " .. task.name .. " does not match"))
end
verified = true
end
if not verified then
WARN("Package has no hash in index to verify it: " + task.name)
end
transaction.queue_install_downloaded(data, task.name, task.package.Version, task.modifier)
else
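Review bot: The new warning `WARN("Package has no hash in index to verify it: " + task.name)` uses `+`, which is arithmetic in Lua, so the no-hash path raises an arithmetic-on-string error instead of logging; it should read `WARN("Package has no hash in index to verify it: " .. task.name)`. Once that is fixed, a package with no hash at all is only warned about and is still passed to `transaction.queue_install_downloaded`, and a matching `MD5Sum` alone sets `verified = true`. MD5 is not collision resistant, so consider counting only a SHA256 match as verification and raising `utils.exception("corruption", ...)` when no SHA256 is present, unless index entries without hashes must remain installable (whether the index itself is authenticated is not visible here). The two SHA256 branches differ only in the case of the field name and could be a single check on `task.package.SHA256sum or task.package.SHA256Sum`. The body of `prepare` starts and ends outside the hunk.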
......