From 4f325af99cb87ddaad28040ec78f39f58e8672f8 Mon Sep 17 00:00:00 2001
From: Matt Witherspoon <32485495+spoonincode@users.noreply.github.com>
Date: Mon, 25 Aug 2025 15:21:38 -0400
Subject: [PATCH] validate LLVM & cmake tarball hashes

---
 tools/reproducible.Dockerfile | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/tools/reproducible.Dockerfile b/tools/reproducible.Dockerfile
index 4effbf8b77..91159ae4ed 100644
--- a/tools/reproducible.Dockerfile
+++ b/tools/reproducible.Dockerfile
@@ -50,7 +50,13 @@ RUN gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys CBA23971357C2E6590D9
                                                             D574BD5D1D0E98895E3BF90044F2485E45D59042
 
 RUN ls *.sig *.asc | xargs -n 1 gpg --verify && \
-    sha256sum -c --ignore-missing cmake-*-SHA-256.txt
+    sha256sum --strict -c --ignore-missing cmake-*-SHA-256.txt
+
+RUN sha256sum --strict -c - <<-EOF
+	0b58557a6d32ceee97c8d533a59b9212d87e0fc4d2833924eb6c611247db2f2a  llvm-project-${_SPRING_CLANG_VERSION}.src.tar.xz
+	74d2529159fd118c3eac6f90107b5611bccc6f647fdea104024183e8d5e25831  llvm-project-${_SPRING_LLVM_VERSION}.src.tar.xz
+	ef3056df528569e0e8956f6cf38806879347ac6de6a4ff7e4105dc4578732cfb  cmake-${_SPRING_CMAKE_VERSION}.tar.gz
+EOF
 
 RUN tar xf cmake-*.tar.gz && \
     cd cmake*[0-9] && \