[Rpm-maint] [rpm-software-management/rpm] RFE: read sources checksums from the SPEC file and verify them (#463)

Michal Novotný notifications at github.com
Tue Mar 24 12:31:59 UTC 2020


Hello @voxik, `sha256sum` etc. are in coreutils, which I bet rpm already requires... I mean, coreutils should be present on any system anyway.

An interesting idea with `%(sha512sum -c sources)`, but I wouldn't bring the sources file into the picture because it is used to fetch files from dist-git before rpmbuild even happens, and checksums are checked at that stage. All URLs that are now pointing to upstream would need to change to point to the dist-git lookaside cache if the rpm mechanism for downloading should be used instead of the fedpkg one.

We could use a bit of bash code `%([ "$(sha256sum <path_to_source_filename> | cut -d " " -f 1)" = <checksum>  ])` to do the verification per downloaded source, but I think `<path_to_source_filename>` might be slightly tricky unless rpm exposes an environment variable like 'SOURCES'. Also, maybe it would be more pleasant to have the support for this in rpm than to put those snippets into the spec.

-- 
https://github.com/rpm-software-management/rpm/issues/463#issuecomment-603211487
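
The per-source check sketched in the message above, written out as a shell function (an added example, not code from the message or from rpm; `verify_source` and its argument order are hypothetical). It fails closed on a missing file or a malformed digest, two cases where a bare string comparison is easy to get wrong.

```shell
#!/bin/sh
# Added example: verify one downloaded source against a pinned SHA-256 digest.
# verify_source is a hypothetical helper name, not an rpm feature.
#
# Usage:   verify_source <expected_sha256_hex> <path_to_source>
# Returns: 0 on exact match, 1 on mismatch, 2 on unusable input.
verify_source() {
    expected=$1
    path=$2

    # A pinned digest must be exactly 64 hex digits. Rejecting anything else
    # means an empty or truncated pin can never compare equal to empty output.
    case $expected in
        ''|*[!0-9A-Fa-f]*)
            echo "verify_source: malformed checksum" >&2
            return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "verify_source: checksum is not 64 hex digits" >&2
        return 2
    fi

    # Fail closed when the source is missing or unreadable.
    if [ ! -f "$path" ] || [ ! -r "$path" ]; then
        echo "verify_source: cannot read $path" >&2
        return 2
    fi

    # Hash via stdin: sha256sum prefixes its output line with a backslash
    # when a file name contains a backslash or newline, which would corrupt
    # the first field. With stdin there is no file name to escape.
    actual=$(sha256sum < "$path" | cut -d ' ' -f 1)
    if [ "${#actual}" -ne 64 ]; then
        echo "verify_source: sha256sum produced no digest" >&2
        return 2
    fi

    # sha256sum prints lowercase hex; normalise the pinned value to match.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')

    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "verify_source: checksum mismatch for $path" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}
```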