[Buildroot] [PATCH v3] ca-certificates: new package
Peter Korsgaard
jacmet at uclibc.org
Sun Jan 12 08:38:12 UTC 2014
>>>>> "Yann" == Yann E MORIN <yann.morin.1998 at free.fr> writes:
Hi,
> It's a pity we can't get that from a trusted channel (ie. https instead
> of plain http). Sigh... :-(
> I know we do not do that for the other packages, but I'd like that we
> check the authenticity of that specific one. There's no point in adding
> a security-related package that we can validate in the first place.
> I'd suggest we do that with a _POST_DOWNLOAD_HOOKS, something like:
> CA_CERTIFICATES_CHECKSUM = SHA1-hash
> define CA_CERTIFICATES_VERIFY_CHECKSUM
> hash=$$( sha1sum $(DL_DIR)/$(CA_CERTIFICATES_SOURCE) |cut -d ' ' -f 1 )
> if [ ! $${hash} = $(CA_CERTIFICATES_CHECKSUM) ]; then
> printf "ERROR: $(CA_CERTIFICATES_SOURCE) has wrong SHA1\n"
> printf "ERROR: Maybe the download was MITMed\n"
> exit 1
> fi
> endef
> CA_CERTIFICATES_POST_DOWNLOAD_HOOKS += CA_CERTIFICATES_VERIFY_CHECKSUM
> I don't know what others think of it. Peter, Thomas, others?
If we want to do something like this, then I would much prefer to move
it into the package infrastructure and do it for all packages (but not
require it, similar to how we're progressively adding licensing info to
packages).
--
Bye, Peter Korsgaard
More information about the buildroot
mailing list