Control: tags -1 + patch Hi,
The attached patch is based on having libdebian-installer_bug856210_v3.patch applied: * libdebian-installer4-dev would not change its name * sum[1] is already empty/unusable * sum[0] would become the sha256 field Thanks, Regards, -- Steven Chamberlain ste...@pyro.eu.org
diff --git a/debian/changelog b/debian/changelog
index c73f96e..96b0eee 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+cdebootstrap (0.7.7) UNRELEASED; urgency=medium
+
+ * Team upload.
+ * Implement SHA256 verification of .deb files (Closes: #856212).
+ * Implement SHA256 verification of Packages files.
+ - (Build-)Depend on libdebian-installer4-dev >= 0.109 which provides
+ those sha256 fields
+ * Remove support for SHA1 hashes, since they are no longer published
+ in Release files, and the full length of them was not previously
+ being checked against the expected values (Closes: #856213).
+ * Disallow fallback to MD5-only verification (Closes: #856215).
+
+ -- Steven Chamberlain <stev...@debian.org> Mon, 27 Feb 2017 15:53:40 +0000
+
 cdebootstrap (0.7.6) unstable; urgency=medium
 
 * Make generation of tar reproducible. (closes: #777737)
diff --git a/debian/control b/debian/control
index 49bb110..6996ce5 100644
--- a/debian/control
+++ b/debian/control
@@ -9,7 +9,7 @@ Build-Depends:
 libbz2-dev,
 libcurl4-gnutls-dev,
 libdebconfclient0-dev (>= 0.40),
- libdebian-installer4-dev (>= 0.81~),
+ libdebian-installer4-dev (>= 0.109~),
 liblzma-dev,
 pkg-config,
 zlib1g-dev
diff --git a/src/check.c b/src/check.c
index 34e96da..c41d9e4 100644
--- a/src/check.c
+++ b/src/check.c
@@ -32,6 +32,9 @@
 #include "frontend.h"
 #include "suite.h"
 
+/* Length of a SHA256 hash in hex representation */
+#define SHA256_HEX_LENGTH 64
+
 static int check_sum (const char *target, const char *exec, const char *sum, const char *message)
 {
 int ret;
@@ -51,14 +54,14 @@ static int check_sum (const char *target, const char *exec, const char *sum, con
 if (ret)
 return 1;
- if (!strncmp (buf, sum, 32))
+ if (!strncmp (buf, sum, SHA256_HEX_LENGTH))
 return 0;
 return 1;
 }
 
 int check_deb (const char *target, di_package *p, const char *message)
 {
- return check_sum (target, "md5sum", p->md5sum, message);
+ return check_sum (target, "sha256sum", p->sha256, message);
 }
 
 int check_packages (const char *target, const char *ext, di_release *rel)
@@ -72,14 +75,12 @@ int check_packages (const char *target, const char *ext, di_release *rel)
 snprintf (buf_file, sizeof (buf_file), "main/binary-%s/Packages%s", arch, ext);
 key.string = (char *) buf_file;
 key.size = strlen (buf_file);
- item = di_hash_table_lookup (rel->md5sum, &key);
+ item = di_hash_table_lookup (rel->sha256, &key);
 if (!item)
 log_text (DI_LOG_LEVEL_ERROR, "Can't find checksum for Packages file");
- if (item->sum[1])
- return check_sum (target, "sha1sum", item->sum[1], buf_name);
 if (item->sum[0])
- return check_sum (target, "md5sum", item->sum[0], buf_name);
+ return check_sum (target, "sha256sum", item->sum[0], buf_name);
 return 1;
 }
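Review bot: check_sum still passes `sum` straight into `strncmp` on the changed line, so a package entry whose SHA256 field is absent (`p->sha256` NULL in check_deb) would be a NULL dereference rather than a verification failure, and an empty or truncated field is rejected only because `buf` happens to continue past it. Now that SHA256 is the only accepted checksum, a guard before the comparison, `if (!sum || strlen (sum) != SHA256_HEX_LENGTH) return 1;`, makes a missing or malformed expected hash fail closed in the same explicit way a mismatch does. Whether libdebian-installer guarantees a non-NULL `sha256` for every package cannot be confirmed from the hunk. check_sum's body begins above the hunk; the same guard also covers `item->sum[0]` in the check_packages hunk that follows.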
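Review bot: `item->sum[0]` is dereferenced two lines after `if (!item) log_text (...)`, so unless log_text at DI_LOG_LEVEL_ERROR terminates the program (not visible in this hunk), a Release file with no SHA256 entry for the Packages file (presumably what a failed lookup in `rel->sha256` means) crashes instead of failing verification. Returning after the log call, `if (!item) { log_text (...); return 1; }`, keeps the new sha256-only path fail-closed regardless of how log_text behaves. The cover note says `sum[1]` is empty for these entries; a comment on the `if (item->sum[0])` line such as `/* sha256 table carries a single sum per entry; no fallback */` would record why only index 0 is consulted. check_packages' body starts above the hunk.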