Automatic SHA 512 checksum generation
ᴀɴᴛᴏɴ ɴᴏᴠᴏᴊɪʟᴏᴠ edited this page Nov 29, 2022
RPM build infrastructure and tools do not provide a way to verify that an intruder has not replaced source files. Since version 2.5.0, rpmbuilder provides automatic SHA-512 checksum generation for all sources used in the build. This feature helps to detect MITM attacks and builds that use a patched version of the sources.
First, define a new global macro that will check the file checksums:
%global crc_check pushd ../SOURCES ; sha512sum -c %{SOURCE100} ; popd
Then add a new source named checksum.sha512:
Source100: checksum.sha512
If a file with this name is defined among the sources, rpmbuilder automatically calculates checksums for all files and saves them to this file.
Next, run the checksum check macro in the %prep stage:
%prep
%{crc_check}
All done! If a source file is replaced by a new one, the check in the %prep stage will fail.