build: stricter hash validation on download

Check the hash after packing the checkout and fail the build if it does not match. Signed-off-by: Felix Fietkau <nbd@nbd.name>
2025-08-05 15:26:58 +02:00 · 2025-07-21 18:32:50 +02:00 · 2025-07-21 18:32:50 +02:00 · 042996b46b
commit 042996b46b
parent 9dddc0bed0
1 changed files with 11 additions and 1 deletions
--- a/include/download.mk
+++ b/include/download.mk
@ -154,7 +154,17 @@ endef
 # $(2): "PKG_" if <name> as in Download/<name> is "default", otherwise "Download/<name>:"
 # $(3): shell command sequence to do the download
 define wrap_mirror
-$(if $(if $(MIRROR),$(filter-out x,$(MIRROR_HASH))),$(SCRIPT_DIR)/download.pl "$(DL_DIR)" "$(FILE)" "$(MIRROR_HASH)" "" || ( $(3) ),$(3)) \
+$(if $(if $(MIRROR), \
+	$(filter-out x,$(MIRROR_HASH))),$(SCRIPT_DIR)/download.pl "$(DL_DIR)" "$(FILE)" "$(MIRROR_HASH)" "" || \
+		( $(3) ) \
+		$(if $(filter-out x,$(MIRROR_HASH)), && ( \
+			file_hash="$$$$($(MKHASH) sha256 "$(DL_DIR)/$(FILE)")"; \
+			[ "$$$$file_hash" = "$(MIRROR_HASH)" ] || { \
+				echo "Hash mismatch for file $(FILE): expected $(MIRROR_HASH), got $$$$file_hash"; \
+				false; \
+			}; \
+		)),
+	$(3)) \
 $(if $(filter check,$(1)), \
 	$(call check_hash,$(FILE),$(MIRROR_HASH),$(2)MIRROR_$(call hash_var,$(MIRROR_MD5SUM))) \
 	$(call check_md5,$(MIRROR_MD5SUM),$(2)MIRROR_MD5SUM,$(2)MIRROR_HASH) \