From: Ben Hutchings Date: Mon, 14 Jan 2013 02:41:56 +0000 (+0000) Subject: carl9170: Add and check SHA-256 sums for the toolchain tarballs X-Git-Tag: 1.9.8~28 X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=76aedd9fe4f12876375a8e1d212584a00a08bd03;p=carl9170fw.git carl9170: Add and check SHA-256 sums for the toolchain tarballs The sums for binutils and gcc are based on an HTTPS download (instead of the default HTTP). newlib doesn't seem to be available with any kind of signature, so I compared a tarball and CVS checkout; let's hope they weren't both compromised. Signed-off-by: Ben Hutchings Signed-off-by: Christian Lamparter --- diff --git a/toolchain/Makefile b/toolchain/Makefile index db473e5..b012760 100644 --- a/toolchain/Makefile +++ b/toolchain/Makefile @@ -12,16 +12,27 @@ GCC_URL="http://mirrors.kernel.org/gnu/gcc/gcc-$(GCC_VER)/$(GCC_TAR)" BASEDIR=$(shell pwd) +define checksum +@if grep -q ' $(subst .,\.,$(1))$$' SHA256SUMS; then \ + grep ' $(subst .,\.,$(1))$$' SHA256SUMS | sha256sum -c; \ +else \ + echo "WARNING: no checksum defined for $(1)"; \ +fi +endef + all: gcc src/$(BINUTILS_TAR): wget -P src $(BINUTILS_URL) + $(call checksum,$@) src/$(NEWLIB_TAR): wget -P src $(NEWLIB_URL) + $(call checksum,$@) src/$(GCC_TAR): wget -P src $(GCC_URL) + $(call checksum,$@) src/binutils-$(BINUTILS_VER): src/$(BINUTILS_TAR) tar -C src -xf $< diff --git a/toolchain/SHA256SUMS b/toolchain/SHA256SUMS new file mode 100644 index 0000000..d1b7896 --- /dev/null +++ b/toolchain/SHA256SUMS @@ -0,0 +1,7 @@ +6c7af8ed1c8cf9b4b9d6e6fe09a3e1d3d479fe63984ba8b9b26bf356b6313ca9 src/binutils-2.22.tar.bz2 +16093f6fa01732adf378d97fe338f113c933bdf56da22bf87c76beff13da406f src/gcc-4.7.1.tar.bz2 +c644b2847244278c57bec2ddda69d8fab5a7c767f3b9af69aa7aa3da823ff692 src/newlib-1.20.0.tar.gz +2ab2e5b03e086d12c6295f831adad46b3e1410a3a234933a2e8fac66cb2e7a19 src/binutils-2.23.1.tar.bz2 +8a9283d7010fb9fe5ece3ca507e0af5c19412626384f8a5e9434251ae100b084 src/gcc-4.7.2.tar.bz2 +49c29e9129325e7c3b221aa829743ddcd796d024440e47c80fc0d6769af72d8a src/newlib-2.0.0.tar.gz +