forked from the-distro/channel-scripts
* Verify whether downloaded NARs have the right hash. This prevents
propagating corrupt store paths. git-svn-id: https://nixos.org/repos/nix/release/trunk/channels@24985 70bd8c7a-acb8-0310-9f0d-9cc1c95dcdbb
This commit is contained in:
parent
93e0016e7a
commit
c850f595bc
1 changed files with 9 additions and 3 deletions
|
@ -8,7 +8,7 @@
|
|||
# job.
|
||||
|
||||
use strict;
|
||||
use readmanifest;
|
||||
use NixManifest;
|
||||
use GeneratePatches;
|
||||
use File::Basename;
|
||||
use File::stat;
|
||||
|
@ -40,7 +40,6 @@ die "$patchesPath doesn't exist\n" unless -d $patchesPath;
|
|||
my $manifestPath = "$dstChannelPath/MANIFEST";
|
||||
|
||||
my $tmpDir = tempdir("nix-mirror-XXXXXXX", TMPDIR => 1, CLEANUP => 1);
|
||||
print STDERR "$tmpDir\n";
|
||||
|
||||
|
||||
open LOCK, ">$dstChannelPath/.lock" or die;
|
||||
|
@ -108,7 +107,14 @@ while (my ($storePath, $files) = each %narFiles) {
|
|||
print "downloading $srcURL\n";
|
||||
my $dstFileTmp = "$narPath/.tmp.$$.nar.$dstName";
|
||||
system("$curl '$srcURL' > $dstFileTmp") == 0 or die "failed to download `$srcURL'";
|
||||
system("bunzip2 -t $dstFileTmp &> /dev/null") == 0 or die "downloaded file is not a bzip2 file!";
|
||||
|
||||
# Verify whether the downloaded file is a bzipped NAR file
|
||||
# that matches the NAR hash given in the manifest.
|
||||
system("bunzip2 < $dstFileTmp > $tmpDir/out") == 0 or die "downloaded file is not a bzip2 file!";
|
||||
my $hash = `nix-hash --type sha256 --flat $tmpDir/out`;
|
||||
chomp $hash;
|
||||
die "hash mismatch in downloaded file `$srcURL'" if "sha256:$hash" ne $file->{narHash};
|
||||
|
||||
rename($dstFileTmp, $dstFile) or die "cannot rename $dstFileTmp";
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue