From 75dfbd3a0bd498fb926013b774b51f81555c4411 Mon Sep 17 00:00:00 2001
From: mickael e
Date: Wed, 15 May 2019 15:30:27 -0400
Subject: [PATCH] Fail explicitly on hash mismatch at build-time

Before, build would fail due to absence of wheels in the /var/securedrop/wheelhouse, at a later step.
---
 .../tasks/build_securedrop_app_code_deb.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/build_securedrop_app_code_deb.yml b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/build_securedrop_app_code_deb.yml
index 7394c9ddcac..5369f24883d 100644
--- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/build_securedrop_app_code_deb.yml
+++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/build_securedrop_app_code_deb.yml
@@ -24,8 +24,13 @@
 --requirement {{ securedrop_pip_requirements }} \
 --wheel-dir {{ securedrop_wheelhouse }} 2>&1 | tee /tmp/w.out
 ! grep -i --quiet 'Failed to build' /tmp/w.out
+ register: wheel_build_output
 tags: pip

+- name: Ensure source hash sums matched at wheel build-time
+ fail: msg="Source hash sum mismatch, build cannot continue."
+ failed_when: "'THESE PACKAGES DO NOT MATCH THE HASHES' in wheel_build_output.stdout"
+
 # Here we need to regenerate a new securedrop-app-code-requirements.txt file
 # *without* hashes to bundle in the .deb package, for reasons that follow:
 # If requirements hashes are in the requirments file, pip will automatically
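Review bot: The added `Ensure source hash sums matched at wheel build-time` task recognises a mismatch only by one literal pip message in `wheel_build_output.stdout`, while the pipeline in the context lines above it (`2>&1 | tee /tmp/w.out`) still discards pip's own exit status. Any other pip failure, or a change in pip's wording, would therefore pass this step and surface only later as missing wheels. The shell task begins above the hunk, so whether it already does this is not visible, but if not, putting `set -o pipefail` at the top of the script (with `executable: /bin/bash` under `args:`) would make every pip error stop the build here and leave the string match as the clearer message. The new task also lacks the `tags: pip` that the wheel-build task carries, so a run limited with `--tags pip` skips the integrity check; add `tags: pip`, and consider `when:` in place of `failed_when:` so the `fail` task is skipped rather than evaluated on a clean build.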