
Commit 01938b2

committed
Verify checksums of downloaded apk binaries
1 parent 69dcea6 commit 01938b2


1 file changed

+13
-1
lines changed


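--- a/PBuild/RemoteRepo.pm
+++ b/PBuild/RemoteRepo.pm
@@ -29,6 +29,7 @@ use Digest::MD5 ();
 use Build;
 use Build::Rpmmd;
 use Build::Archrepo;
+use Build::Apk;
 use Build::Apkrepo;
 use Build::Debrepo;
 use Build::Deb;
@@ -466,7 +467,7 @@ sub querybinary {
 my $data;
 my $leadsigmd5;
 die("$dir/$file: no hdrmd5\n") unless Build::queryhdrmd5("$dir/$file", \$leadsigmd5);
-$data = Build::query("$dir/$file", 'evra' => 1, 'conflicts' => 1, 'weakdeps' => 1, 'addselfprovides' => 1, 'filedeps' => 1, 'normalizedeps' => 1);
+$data = Build::query("$dir/$file", 'evra' => 1, 'conflicts' => 1, 'weakdeps' => 1, 'addselfprovides' => 1, 'filedeps' => 1, 'normalizedeps' => 1, 'apkdatachksum' => 1);
 die("$dir/$file: query failed\n") unless $data;
 PBuild::Verify::verify_nevraquery($data);
 $data->{'leadsigmd5'} = $leadsigmd5 if $leadsigmd5;
@@ -481,8 +482,19 @@ sub querybinary {
 sub fetchbinaries_replace {
 my ($repodir, $tmpname, $binname, $bin) = @_;
 Build::Download::checkfiledigest("$repodir/$tmpname", $bin->{'checksum'}) if $bin->{'checksum'};
+my $apkdataoff;
+if ($bin->{'apkchksum'}) {
+die("Unsupported apk checksum bin->{'apkchksum'}\n") unless $bin->{'apkchksum'} =~ /^Q1/;
+my ($apkchksum, @offs) = Build::Apk::calcapkchksum("$repodir/$tmpname", 'Q1');
+die("downloaded binary $binname does not match apk checksum: $bin->{'apkchksum'} != $apkchksum\n") if $bin->{'apkchksum'} ne $apkchksum;
+$apkdataoff = $offs[1];
+}
 my $q = querybinary($repodir, $tmpname);
 $bin->{'arch'} = $q->{'arch'} if $binname =~ /\.apk$/; # see comment in calc_binname
+if ($q->{'apkdatachksum'}) {
+my $apkdatachksum = Build::Apk::calcapkdatachecksum("$repodir/$tmpname", $apkdataoff);
+die("downloaded binary $binname does not match apk data checksum: $q->{'apkdatachksum'} != $apkdatachksum\n") if $q->{'apkdatachksum'} ne $apkdatachksum;
+}
 die("downloaded binary $binname does not match repository metadata\n") unless is_matching_binary($bin, $q);
 rename("$repodir/$tmpname", "$repodir/$binname") || die("rename $repodir/$tmpname $repodir/$binname\n");
 $q->{'filename'} = $binname;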
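Review bot: The new `die` for an unsupported checksum type in `fetchbinaries_replace` is missing the `$` sigil, so it prints the literal text `bin->{'apkchksum'}` and the log never shows which value was rejected; it should read `die("Unsupported apk checksum $bin->{'apkchksum'}\n") unless $bin->{'apkchksum'} =~ /^Q1/;`. Separately, the apk checksum comparison is skipped silently when the repository metadata carries no `apkchksum`. In that case `$q->{'apkdatachksum'}` comes from `querybinary` on the downloaded file itself, so the data comparison only shows the file is self-consistent, not that it matches what the repository advertised. A comment such as `# apkdatachksum is taken from the download; it is only trustworthy once apkchksum matched the repo metadata` would record that dependency, and if the apk repo format always supplies a checksum, a hard failure for `.apk` names without one would close the gap. The body of `fetchbinaries_replace` continues past the end of this hunk.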
