On Saturday 27 August 2005 04:38, Junichi Uekawa wrote:
> Hi,
>
> > dpatch-get-origtargz should provide a way to do sum checking
> > (md5, sha1) to ensure that the contents of upstream file has not been
> > silently changed for some reason keeping the same file name.
> >
> > I suggest that dpatch-get-origtargz accept options for exact url to
> > download the tarball from (since the one provided in watch file might not
> > be reliable when patterned) and checksum to verify against.
>
> Patch welcome.
> Shouldn't be too hard to implement what you say; but I am doubtful if it's
> really feasible or easy to maintain the hash sum on developer side.

Patch is attached. Not tested at all. But you'll get the idea.
The man page needs to be fixed if this one is accepted.

--
pub 4096R/0E4BD0AB 2003-03-18 <people.fccf.net/danchev/key pgp.mit.edu>
fingerprint 1AE7 7C66 0A26 5BFF DF22 5D55 1C57 0C89 0E4B D0AB

--- dpatch-get-origtargz.orig 2005-07-19 18:46:32.000000000 +0300 +++ dpatch-get-origtargz 2005-08-27 11:41:32.355351242 +0300 @@ -11,11 +11,48 @@ # Usage: dpatch-get-origtargz origtardir ORIGTARDIR="$1" +ORIGTARURL="$2" +ORIGTARSUM="$3" +#$4 NULL + +usage() { shift if [ -z "$ORIGTARDIR" ] || [ -n "$1" ]; then echo >&2 "${DPGO_BASENAME}: Usage: dpatch-get-origtargz <origtardir>" exit 1 fi +} + +gettarhashed() { + FILENAME=`echo "$2" | sed -e "s/\// /g" | awk '{print $NF}'` + + if [ ! -f $FILENAME ] ; then + curl "$2" > $FILENAME ; + else + echo -e "Upstream source tarball have been already downloaded\n" ; + fi + + MD5CURRENT=`md5sum $(FILENAME) | awk '{print $1}'` + + if [ "$(MD5CURRENT)" != "$3" ] ; then + echo -e "Upstream source tarball md5sum mismatch!\n" ; + exit 1 ; + else + echo "md5sum is ok!"; + fi +} + +# if ORIGTARURL and ORIGTARSUM are supplied get the tarball and verify the hash +if [ "$3" != "" ] && [ "$4" = "" ]; then + gettarhashed + exit 0 +else + usage + +fi + + +usage PACKAGENAME="$(dpkg-parsechangelog | sed -n '/^Source:/{s/^Source:[[:space:]]\+\(.*\)/\1/;p;q}')" UPSTREAMVERSION="$(dpkg-parsechangelog | sed -n '/^Version:/{s/^Version:[[:space:]]\+\([^-]\+\).*/\1/;p;q}')"
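
Review bot: gettarhashed is called with no arguments, so "$2" and "$3" inside the function are empty instead of the URL and checksum; use "$ORIGTARURL" and "$ORIGTARSUM", which are already assigned at the top, or pass them in the call. In the same function, '$(FILENAME)' and '$(MD5CURRENT)' are command substitutions rather than variable expansions, so md5sum is given no file name and the comparison never sees the computed digest; they should read "${FILENAME}" and "${MD5CURRENT}", and the other uses of $FILENAME need quoting because the name is derived from the URL. The exit status of curl is not checked and an existing file skips the download, so a failed or truncated fetch stays on disk and is reported as already downloaded on the next run; fetch to a temporary name and move it into place only after the sum matches. Once wrapped in usage(), the 'shift' and the [ -n "$1" ] test act on the function's own empty argument list, so the extra-argument check no longer fires, and usage is then invoked both in the else branch and again unconditionally. The request asked for md5 and sha1, but only md5sum is implemented here.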