3
26
Fork
You've already forked mere
1

Verify archive_hash before caching downloaded packages #87

Merged
jhuntwork merged 1 commit from verify-archive-hash-before-extract into main 2026年07月03日 14:49:06 +02:00

prefetchMissingPackageArchives and ensurePackageArchiveCached both
downloaded package archives with DownloadOptions{} - no expected_hash -
even though the signed repo db already carries the correct archive_hash
for every package. A tampered mirror or corrupted transfer would be
silently cached and later extracted; the eventual content_hash check
during store admission happens only after extraction has already run.

Pass expected_hash = pkg.archive_hash at both call sites. The
underlying hash verification in download.downloadFile/downloadBatch
already existed and was already tested - this was purely a wiring gap.

Two existing tests used placeholder hashes ("a" * 64 / "b" * 64) that
didn't match their dummy archive bodies; fixed them to use the real
hash of the body now that it's actually checked. Added a regression
test that a tampered archive gets rejected before it's cached.

prefetchMissingPackageArchives and ensurePackageArchiveCached both downloaded package archives with DownloadOptions{} - no expected_hash - even though the signed repo db already carries the correct archive_hash for every package. A tampered mirror or corrupted transfer would be silently cached and later extracted; the eventual content_hash check during store admission happens only after extraction has already run. Pass expected_hash = pkg.archive_hash at both call sites. The underlying hash verification in download.downloadFile/downloadBatch already existed and was already tested - this was purely a wiring gap. Two existing tests used placeholder hashes ("a" * 64 / "b" * 64) that didn't match their dummy archive bodies; fixed them to use the real hash of the body now that it's actually checked. Added a regression test that a tampered archive gets rejected before it's cached.
Verify archive_hash before caching downloaded packages
All checks were successful
/ test (pull_request) Successful in 6m32s
3858051761
prefetchMissingPackageArchives and ensurePackageArchiveCached both
downloaded package archives with DownloadOptions{} - no expected_hash -
even though the signed repo db already carries the correct archive_hash
for every package. A tampered mirror or corrupted transfer would be
silently cached and later extracted; the eventual content_hash check
during store admission happens only after extraction has already run.
Pass expected_hash = pkg.archive_hash at both call sites. The
underlying hash verification in download.downloadFile/downloadBatch
already existed and was already tested - this was purely a wiring gap.
Two existing tests used placeholder hashes ("a" * 64 / "b" * 64) that
didn't match their dummy archive bodies; fixed them to use the real
hash of the body now that it's actually checked. Added a regression
test that a tampered archive gets rejected before it's cached.
jhuntwork deleted branch verify-archive-hash-before-extract 2026年07月03日 14:49:06 +02:00
Sign in to join this conversation.
No reviewers
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
merelinux/mere!87
Reference in a new issue
merelinux/mere
No description provided.
Delete branch "verify-archive-hash-before-extract"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?