apkg-csum, a script to compute and verify checksums for source files
This a proof-of-concept for adding checksum verification to apkg. I wrote the script with the intention of using it for verification for apkg and standalone for creating the checksum files. If one wants secutiry, that needs signatures, that is quite different :)
I understand that having functionality outside of the apkg script is not welcome, and I can try to integrate it if the basis is judged as sound and acceptable.
Basics of operation
- Only compute and verify checksums for downloaded tarballs, not for every file in the directory that holds the apkg. The integrity of the files downloaded by git is not in question :)
- Store the checksums on a
.checksum file inside the abuild dir, one line per-file.
- Use the full output of the checksum utility for every line. That means two columns, one that contains the checksum and one that contains the full name of the file. That needs more work originally but has advantages. Checking can be done by the the standard
-c argument of the checksum utilities, which produces usefull output without needing extra code.
# .checksum example
81ecbc9d9cd444d51d11264665620b689be58df00eb131715c6070a7 llvm-18.1.8.src.tar.xz
c062c3fe894eb8b264f470b624fa1509c2e16c9faa22d9432fd9f13c cmake-18.1.8.src.tar.xz
# example verification outputs
# Correct csums:
llvm-18.1.8.src.tar.xz: OK
cmake-18.1.8.src.tar.xz: OK
Correct checksum(s)!
# One csum wrong:
llvm-18.1.8.src.tar.xz: FAILED
cmake-18.1.8.src.tar.xz: OK
sha3sum: WARNING: 1 of 2 computed checksums did NOT match
error: Wrong checksum(s), see above!
- Easy way to change checksuming algorithm utilities - just change $CHECKSUM_CMD! The arguments and outputs are compatible between the busybox utils, coreutils and b3sumc.
The way forward
If the above basics are acceptable, I can adapt the code inside the apkg script. It can use -g for generating checksums and (削除) -c (削除ここまで) -v for checking. It will not be that hard and it will be less code then the current script.
## apkg-csum, a script to compute and verify checksums for source files
This a proof-of-concept for adding checksum verification to apkg. I wrote the script with the intention of using it for verification for apkg and standalone for creating the checksum files. If one wants secutiry, that needs signatures, that is quite different :)
I understand that having functionality outside of the apkg script is not welcome, and I can try to integrate it if the basis is judged as sound and acceptable.
### Basics of operation
- Only compute and verify checksums for downloaded tarballs, not for every file in the directory that holds the apkg. The integrity of the files downloaded by git is not in question :)
- Store the checksums on a `.checksum` file inside the abuild dir, one line per-file.
- Use the full output of the checksum utility for every line. That means two columns, one that contains the checksum and one that contains the full name of the file. That needs more work originally but has advantages. Checking can be done by the the standard `-c` argument of the checksum utilities, which produces usefull output without needing extra code.
```
# .checksum example
81ecbc9d9cd444d51d11264665620b689be58df00eb131715c6070a7 llvm-18.1.8.src.tar.xz
c062c3fe894eb8b264f470b624fa1509c2e16c9faa22d9432fd9f13c cmake-18.1.8.src.tar.xz
```
```
# example verification outputs
# Correct csums:
llvm-18.1.8.src.tar.xz: OK
cmake-18.1.8.src.tar.xz: OK
Correct checksum(s)!
# One csum wrong:
llvm-18.1.8.src.tar.xz: FAILED
cmake-18.1.8.src.tar.xz: OK
sha3sum: WARNING: 1 of 2 computed checksums did NOT match
error: Wrong checksum(s), see above!
```
- Easy way to change checksuming algorithm utilities - just change $CHECKSUM_CMD! The arguments and outputs are compatible between the busybox utils, coreutils and b3sumc.
### The way forward
If the above basics are acceptable, I can adapt the code inside the apkg script. It can use `-g` for generating checksums and ~`-c`~ `-v` for checking. It will not be that hard and it will be less code then the current script.