Check sha256 digests of downloaded components

pypa · Apr 3, 2016 · 6c19b17 · 6c19b17
1 parent 8c21e9d
commit 6c19b17
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 5 deletions.
diff --git a/docker/build_scripts/build.sh b/docker/build_scripts/build.sh
@@ -11,6 +11,9 @@ CPYTHON_VERSIONS="2.6.9 2.7.11 3.3.6 3.4.4 3.5.1"
 # archive
 OPENSSL_ROOT=openssl-1.0.2g
 OPENSSL_HASH=b784b1b3907ce39abf4098702dade6365522a253ad1552e267a9a0e89594aa33
+EPEL_RPM_HASH=0dcc89f9bf67a2a515bad64569b7a9615edc5e018f676a578d5fd0f17d3c81d4
+DEVTOOLS_HASH=a8ebeb4bed624700f727179e6ef771dafe47651131a00a78b342251415646acc
+PATCHELF_HASH=d9afdff4baeacfbc64861454f368b7f2c15c44d245293f7587bbf726bfe722fb
 
 # Dependencies for compiling Python that we want to remove from
 # the final image after compiling Python
@@ -24,10 +27,14 @@ MY_DIR=$(dirname "$BASH_SOURCE[0]}")
 source $MY_DIR/build_utils.sh
 
 # EPEL support
-yum -y install wget curl
+yum -y install curl
 curl -sLO https://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
+check_sha256sum epel-release-5-4.noarch.rpm $EPEL_RPM_HASH
+
 # Dev toolset (for LLVM and other projects requiring C++11 support)
-curl -sL http://people.centos.org/tru/devtools-2/devtools-2.repo > /etc/yum.repos.d/devtools-2.repo
+curl -sLO http://people.centos.org/tru/devtools-2/devtools-2.repo
+check_sha256sum devtools-2.repo $DEVTOOLS_HASH
+mv devtools-2.repo /etc/yum.repos.d/devtools-2.repo
 rpm -Uvh --replacepkgs epel-release-5*.rpm
 rm -f epel-release-5*.rpm
 
@@ -50,6 +57,7 @@ rm -rf /usr/local/ssl
 
 # Install patchelf and auditwheel (latest with unreleased bug fixes)
 curl -sLO https://nipy.bic.berkeley.edu/manylinux/patchelf-0.9njs2.tar.gz
+check_sha256sum patchelf-0.9njs2.tar.gz $PATCHELF_HASH
 tar -xzf patchelf-0.9njs2.tar.gz
 (cd patchelf-0.9njs2 && ./configure && make && make install)
 rm -rf patchelf-0.9njs2.tar.gz patchelf-0.9njs2

diff --git a/docker/build_scripts/build_utils.sh b/docker/build_scripts/build_utils.sh
@@ -89,16 +89,27 @@ function do_openssl_build {
 }
 
 
+function check_sha256sum {
+    local fname=$1
+    check_var $fname
+    local sha256=$2
+    check_var $sha256
+
+    echo "${sha256}  ${fname}" > ${fname}.sha256
+    sha256sum -c ${fname}.sha256
+    rm ${fname}.sha256
+}
+
+
 function build_openssl {
     local openssl_fname=$1
     check_var $openssl_fname
     local openssl_sha256=$2
     check_var $openssl_sha256
     check_var $OPENSSL_DOWNLOAD_URL
-    echo "${openssl_sha256}  ${openssl_fname}.tar.gz" > ${openssl_fname}.tar.gz.sha256
     curl -sLO $OPENSSL_DOWNLOAD_URL/${openssl_fname}.tar.gz
-    sha256sum -c ${openssl_fname}.tar.gz.sha256
+    check_sha256sum $openssl_fname.tar.gz $openssl_sha256
     tar -xzf ${openssl_fname}.tar.gz
     (cd ${openssl_fname} && do_openssl_build)
-    rm -rf ${openssl_fname} ${openssl_fname}.tar.gz ${openssl_fname}.tar.gz.sha256
+    rm -rf ${openssl_fname} ${openssl_fname}.tar.gz
 }