On Thu, Jan 19, 2023 at 9:18 AM Alex Kiernan via lists.openembedded.org <[email protected]> wrote:
>
> On Thu, Jan 19, 2023 at 8:53 AM Alexander Kanavin
> <[email protected]> wrote:
> >
> > I think Cargo.lock contains those checksums and that forces cargo to
> > verify them? Can you check that verification happens and fails when it
> > should by e.g. patching it to have bogus checksums?
> >
>
> Ah, yes... I'll check.
>
Crates which are required by the main artefact are checked; errors turn up like this:

| NOTE: cargo build -v --target x86_64-poky-linux-gnu --release --manifest-path=/home/alexk/poky/build/tmp/work/core2-64-poky-linux/binary-security-check/1.2.7-r0/binary-security-check-1.2.7//Cargo.toml
| error: checksum for `goblin v0.6.0` changed between lock files
|
| this could be indicative of a few possible errors:
|
|     * the lock file is corrupt
|     * a replacement source in use (e.g., a mirror) returned a different checksum
|     * the source itself may be corrupt in one way or another
|
| unable to verify that `goblin v0.6.0` is the same as when the lockfile was generated
|
| WARNING: exit code 101 from a shell command.

But if you list a crate as the primary source, rather than pulling it from git, something like this:

LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=d426d11f66aaa533f62910f3bd79dfb6"

SRC_URI = "crate://crates.io/binary-security-check/1.2.7"

inherit cargo cargo-update-recipe-crates

require binary-security-check-crates.inc

You end up down this code path (https://git.openembedded.org/bitbake/tree/lib/bb/fetch2/crate.py#n100) and the checksum isn't verified.

So not terrible, but could do with fixing at some point since the crate binary starting point is clearly the "tarball" starting point.

-- 
Alex Kiernan
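The check that the thread says the crate:// fetcher path skips is what cargo itself does for registry crates: the `checksum` field of each `[[package]]` entry in Cargo.lock is the SHA-256 of the downloaded `.crate` archive. The following is an added illustration, not code from the thread or from bitbake; it assumes only a Cargo.lock text and the bytes of a fetched `.crate` file, and reports the same three failure modes a build would want to stop on (crate not in the lock file, no checksum recorded because the source is git or a path, digest mismatch).

```python
import hashlib
import re
import sys

# Matches the simple  key = "value"  lines cargo writes inside [[package]] tables.
_KV_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')


def parse_cargo_lock(text):
    """Return {(name, version): checksum or None} for every [[package]] entry.

    Minimal line parser for the subset of TOML that Cargo.lock uses; git/path
    sources have no checksum and map to None, as cargo cannot verify them."""
    packages, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            _store(packages, current)
            current = {}
        elif line.startswith("["):          # any other table ends the entry
            _store(packages, current)
            current = None
        elif current is not None:
            m = _KV_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    _store(packages, current)
    return packages


def _store(packages, entry):
    if entry and "name" in entry and "version" in entry:
        packages[(entry["name"], entry["version"])] = entry.get("checksum")


def crate_sha256(crate_bytes):
    """Digest over the whole .crate archive, the value cargo records as `checksum`."""
    return hashlib.sha256(crate_bytes).hexdigest()


def verify_crate(crate_bytes, name, version, lock_packages):
    """Verify a fetched .crate against Cargo.lock; returns (ok, detail)."""
    if (name, version) not in lock_packages:
        return False, f"{name} v{version} is not listed in Cargo.lock"
    expected = lock_packages[(name, version)]
    if expected is None:
        return False, f"no checksum recorded for {name} v{version} (git or path source)"
    actual = crate_sha256(crate_bytes)
    if actual != expected.lower():
        return False, f"checksum for `{name} v{version}` changed: lock {expected}, got {actual}"
    return True, "ok"


if __name__ == "__main__":  # usage: verify_crate.py Cargo.lock name version file.crate
    lock, name, version, crate = sys.argv[1:5]
    ok, detail = verify_crate(open(crate, "rb").read(), name, version,
                              parse_cargo_lock(open(lock).read()))
    print(detail)
    sys.exit(0 if ok else 1)
```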
View/Reply Online (#176181): https://lists.openembedded.org/g/openembedded-core/message/176181
