From 042996b46bd41292ef1fa2d58e3b824a547f4c55 Mon Sep 17 00:00:00 2001
From: Felix Fietkau
Date: Mon, 21 Jul 2025 18:32:50 +0200
Subject: [PATCH] build: stricter hash validation on download

Check the hash after packing the checkout and fail the build if it does not match.

Signed-off-by: Felix Fietkau
---
 include/download.mk | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/include/download.mk b/include/download.mk
index 518a14e035..be0c9a31f1 100644
--- a/include/download.mk
+++ b/include/download.mk
@@ -154,7 +154,17 @@ endef
 # $(2): "PKG_" if as in Download/ is "default", otherwise "Download/:"
 # $(3): shell command sequence to do the download
 define wrap_mirror
-$(if $(if $(MIRROR),$(filter-out x,$(MIRROR_HASH))),$(SCRIPT_DIR)/download.pl "$(DL_DIR)" "$(FILE)" "$(MIRROR_HASH)" "" || ( $(3) ),$(3)) \
+$(if $(if $(MIRROR), \
+ $(filter-out x,$(MIRROR_HASH))),$(SCRIPT_DIR)/download.pl "$(DL_DIR)" "$(FILE)" "$(MIRROR_HASH)" "" || \
+ ( $(3) ) \
+ $(if $(filter-out x,$(MIRROR_HASH)), && ( \
+ file_hash="$$$$($(MKHASH) sha256 "$(DL_DIR)/$(FILE)")"; \
+ [ "$$$$file_hash" = "$(MIRROR_HASH)" ] || { \
+ echo "Hash mismatch for file $(FILE): expected $(MIRROR_HASH), got $$$$file_hash"; \
+ false; \
+ }; \
+ )),
+ $(3)) \
 $(if $(filter check,$(1)), \
 $(call check_hash,$(FILE),$(MIRROR_HASH),$(2)MIRROR_$(call hash_var,$(MIRROR_MD5SUM))) \
 $(call check_md5,$(MIRROR_MD5SUM),$(2)MIRROR_MD5SUM,$(2)MIRROR_HASH) \
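Review bot: On a mismatch the new branch only prints and runs `false`, so the archive that failed verification stays in `$(DL_DIR)`; the rule that calls wrap_mirror is outside this hunk, but if it keys on that file existing, a re-run would likely pick up the unverified archive without reaching this comparison again. Consider deleting it before failing and sending the message to stderr, by appending `>&2` to the `echo` and adding `rm -f "$(DL_DIR)/$(FILE)"; \` ahead of `false; \`. The comparison also lives only in the branch taken when `$(MIRROR)` is non-empty, so with `MIRROR` empty the bare `$(3)` path packs the checkout with no check even when `MIRROR_HASH` is set, and the inner `$(filter-out x,$(MIRROR_HASH))` repeats a condition the outer `$(if ...)` has already established; any accepted placeholder value other than `x` (if the tree has one) would be compared literally and fail. A short comment above the shell fragment noting that `A || B && C` groups as `(A || B) && C`, so the comparison runs after both the mirror download and the fallback, would help the next reader. The body of `define wrap_mirror` continues past the end of the hunk.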