
Automatic SHA 512 checksum generation

Anton Novojilov edited this page Nov 29, 2022 · 2 revisions

The RPM build infrastructure and tools do not provide a way to verify that an intruder has not replaced source files. Since version 2.5.0, rpmbuilder provides automatic SHA-512 checksum generation for all sources used in the build. This feature helps prevent MITM attacks and the use of a patched version of the sources.

Usage example

First, define a new global macro that will check the file checksums:

%global crc_check pushd ../SOURCES ; sha512sum -c %{SOURCE100} ; popd

Then add a new source with the name checksum.sha512:

Source100: checksum.sha512

If a source with this name is defined in the spec, rpmbuilder automatically calculates checksums for all source files and saves them to this file.

Next, run the checksum check macro at the %prep stage:

%prep
%{crc_check}

All done! If a source file is replaced by a different one, the check in the %prep stage will fail.
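The whole flow, reproduced outside rpmbuild as an added shell example (not part of this wiki or of the rpmbuilder project itself): the generation function stands in for what rpmbuilder does when Source100 is defined, the verification function is the %{crc_check} macro run from inside SOURCES, and the last function shows the check failing after one source file is swapped. The directory layout and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not rpmbuilder code: emulate checksum.sha512 generation and
# the %{crc_check} verification without a real rpmbuild run.
set -u

# Create a scratch tree with a SOURCES directory and two constructed sources.
make_sources() {
    dir=$(mktemp -d)
    mkdir -p "$dir/SOURCES"
    printf 'constructed tarball contents\n' > "$dir/SOURCES/app-1.0.tar.gz"
    printf 'constructed patch contents\n' > "$dir/SOURCES/fix-build.patch"
    echo "$dir"
}

# Equivalent of what rpmbuilder does when Source100 is checksum.sha512:
# hash every regular file in SOURCES except the checksum file itself.
generate_checksums() {
    dir=$1
    (
        cd "$dir/SOURCES" || exit 1
        for f in *; do
            [ -f "$f" ] && [ "$f" != checksum.sha512 ] && sha512sum "$f"
        done > checksum.sha512
    )
}

# Equivalent of the %{crc_check} macro: pushd ../SOURCES ; sha512sum -c ... ; popd
# Exit status is non-zero as soon as any file does not match its recorded hash.
verify_checksums() {
    dir=$1
    ( cd "$dir/SOURCES" && sha512sum -c checksum.sha512 )
}

# Swap one source for different content and confirm the check now fails.
# Returns 0 when the swap is detected, 1 when it slips through.
detects_tampering() {
    dir=$1
    printf 'replaced tarball contents\n' > "$dir/SOURCES/app-1.0.tar.gz"
    if verify_checksums "$dir" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Demo run: generate, verify on clean sources, then tamper and verify again.
demo() {
    d=$(make_sources)
    generate_checksums "$d"
    verify_checksums "$d" && echo "clean SOURCES: check passed"
    detects_tampering "$d" && echo "swapped source: sha512sum -c failed as expected"
    rm -rf "$d"
}
demo
```

The generator deliberately skips checksum.sha512 when hashing, otherwise the file would record a hash of its own (empty) contents and never verify. The check only protects the build if checksum.sha512 travels with the spec (for example, committed to the same repository) rather than being fetched from the same place as the sources, since whoever can replace a tarball there can replace the checksum file too.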