Thanks, applied as 064c8a896d0eaf5e67543e0256c1b0fdd4f78e56. Michael
[sent from post-receive hook] On Mon, 18 May 2026 09:54:21 +0200, Philipp Zabel <[email protected]> wrote: > Add support for <PKG>_SHA256 variables as an alternative to <PKG>_MD5, > using sha256sum to check source packages. Plumb SHA256 package checksum > through reporting and add ptx/config-sha256 for packages with checksums > in PTXCONF. > > Signed-off-by: Philipp Zabel <[email protected]> > Message-Id: <[email protected]> > [mol: fix handling empty and 'none' checksums] > Signed-off-by: Michael Olbrich <[email protected]> > > diff --git a/configure.ac b/configure.ac > index 37a0c4bd6c7c..c6ad34fa647b 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -159,6 +159,7 @@ GNU_TOOL(readlink, coreutils) > GNU_TOOL(realpath, coreutils) > GNU_TOOL(rm, coreutils) > GNU_TOOL(rmdir, coreutils) > +GNU_TOOL(sha256sum, coreutils) > GNU_TOOL(sort, coreutils) > GNU_TOOL(stat, coreutils) > GNU_TOOL(touch, coreutils) > diff --git a/doc/ref_make_variables.rst b/doc/ref_make_variables.rst > index 64cc343660cf..f965a1b38c50 100644 > --- a/doc/ref_make_variables.rst > +++ b/doc/ref_make_variables.rst > @@ -158,6 +158,15 @@ Package Definition > new version. This check helps to ensure that all developers work with the > same source code. > > + This is the legacy alternative to ``<PKG>_SHA256``. > + > +``<PKG>_SHA256`` > + The sha256 checksum of the source archive. PTXdist calculates the checksum > + before extracting the archive and will abort if does not match. Upstream > + project occasionally change the content of an archive without releasing a > + new version. This check helps to ensure that all developers work with the > + same source code. > + > ``<PKG>_SUFFIX`` > The archive suffix without the leading '.', e.g. 'tar.gz' or 'zip'. This > is only used locally to define ``<PKG>_URL`` and ``<PKG>_SOURCE``. > diff --git a/rules/post/ptxd_make_world_common.make > b/rules/post/ptxd_make_world_common.make > index 30cc555d86ad..4368a5843fd3 100644 > --- a/rules/post/ptxd_make_world_common.make > +++ b/rules/post/ptxd_make_world_common.make > @@ -95,6 +95,8 @@ world/env/impl = \ > pkg_srcs="$(call ptx/escape,$($(1)_SOURCES))" > \ > pkg_md5s="$(call ptx/escape,$(foreach s,$($(1)_PARTS),$($(s)_MD5):))" > \ > pkg_md5="$(call ptx/escape,$($(1)_MD5))" > \ > + pkg_sha256s="$(call ptx/escape,$(foreach > s,$($(1)_PARTS),$($(s)_SHA256):))" \ > + pkg_sha256="$(call ptx/escape,$($(1)_SHA256))" > \ > pkg_url="$(call ptx/escape,$($(1)_URL))" > \ > pkg_cfghash="$(call ptx/escape,$($(1)_CFGHASH))" > \ > pkg_srchash="$(call ptx/escape,$($(1)_EXTRACT_CFGHASH))" > \ > diff --git a/rules/post/ptxd_make_world_get.make > b/rules/post/ptxd_make_world_get.make > index 92dd8a44d8c0..007af2a525a4 100644 > --- a/rules/post/ptxd_make_world_get.make > +++ b/rules/post/ptxd_make_world_get.make > @@ -58,7 +58,7 @@ get = \ > ptxd_make_get "$($(strip $(1))_SOURCE)" "$($(strip $(1))_URL)" > > check_src = \ > - ptxd_make_check_src "$($(strip $(1))_SOURCE)" "$($(strip $(1))_MD5)" > + ptxd_make_check_src "$($(strip $(1))_SOURCE)" "$($(strip $(1))_MD5)" > "$($(strip $(1))_SHA256)" > > getdev = \ > ptxd_make_get_nofail=y \ > diff --git a/rules/pre/000-option-disabled.make > b/rules/pre/000-option-disabled.make > index 9a068b39ce83..646b949a6af9 100644 > --- a/rules/pre/000-option-disabled.make > +++ b/rules/pre/000-option-disabled.make > @@ -197,4 +197,20 @@ define ptx/config-md5 > $(call ptx/config-foo,$(strip $(1)),$(if $(strip $(2)),$(strip > $(2))_MD5,$(strip $(1))_MD5),$(PTXCONF_SETUP_CHECK)) > endef > > + > +# > +# $(call ptx/config-sha256, PTXCONF_SYMBOL,PTXCONF_SYMBOL2) returns: > +# - if PTXCONF_SYMBOL is defined: > +# - $(PTXCONF_SYMBOL2_SHA256) without quotes if it's not empty > +# - fails with an error otherwise > +# - 'undefined if PTXCONF_SYMBOL is not defined > +# If PTXCONF_SYMBOL2 is empty then PTXCONF_SYMBOL_SHA256 is used instead. > +# > +# This makes it easy to ensure, that the sha256 sum of a package is defined > if > +# the package is enabled. > +# > +define ptx/config-sha256 > +$(call ptx/config-foo,$(strip $(1)),$(if $(strip $(2)),$(strip > $(2))_SHA256,$(strip $(1))_SHA256),$(PTXCONF_SETUP_CHECK)) > +endef > + > # vim: syntax=make > diff --git a/scripts/lib/ptxd_lib_dgen.awk b/scripts/lib/ptxd_lib_dgen.awk > index 2292741eb432..635fe5a22221 100644 > --- a/scripts/lib/ptxd_lib_dgen.awk > +++ b/scripts/lib/ptxd_lib_dgen.awk > @@ -441,6 +441,7 @@ function write_vars_pkg_all(this_PKG, this_pkg, prefix, > dir_prefix) { > print this_PKG " = " dir_prefix "$(" target_PKG ")" > > DGEN_DEPS_PRE; > print this_PKG "_VERSION = $(" target_PKG "_VERSION)" > > DGEN_DEPS_PRE; > print this_PKG "_MD5 = $(" target_PKG "_MD5)" > > DGEN_DEPS_PRE; > + print this_PKG "_SHA256 = $(" target_PKG "_SHA256)" > > DGEN_DEPS_PRE; > print this_PKG "_SOURCE = $(" target_PKG "_SOURCE)" > > DGEN_DEPS_PRE; > print this_PKG "_URL = $(" target_PKG "_URL)" > > DGEN_DEPS_PRE; > print this_PKG "_DIR = $(addprefix $(" PREFIX \ > diff --git a/scripts/lib/ptxd_make_check_src.sh > b/scripts/lib/ptxd_make_check_src.sh > index 2a25fdcb96cf..191cc69f0d8f 100644 > --- a/scripts/lib/ptxd_make_check_src.sh > +++ b/scripts/lib/ptxd_make_check_src.sh > @@ -9,11 +9,14 @@ > # > # $1: filename of the source archive to check > # $2: md5sum of the source archive to check > +# $3: sha256sum of the source archive to check > # > ptxd_make_check_src_impl() { > local src="${1}" > local md5="${2}" > + local sha256="${3}" > local md5sum > + local sha256sum > > if [ -z "${src}" ]; then > ptxd_bailout "ptxd_make_check_src called without source file." > @@ -27,13 +30,13 @@ ptxd_make_check_src_impl() { > return > ;; > notempty) > - [ -z "${md5}" ] && return > + [ -z "${md5}" -a -z "${sha256}" ] && return > ;; > esac > # for some packages setting the md5sum in the makefile is not possible > # e.g. for the kernel with its variable version number. Use "none" to > # disable the check. > - if [ "${md5}" = "none" ]; then > + if [ "${md5}" = "none" -o "${sha256}" = "none" ]; then > return > fi > > @@ -41,6 +44,9 @@ ptxd_make_check_src_impl() { > for md5sum in ${md5}; do > echo "${md5sum} ${src}" | md5sum --check > /dev/null 2>&1 && return > done > + for sha256sum in ${sha256}; do > + echo "${sha256sum} ${src}" | sha256sum --check > /dev/null 2>&1 && > return > + done > return 1 > } > export -f ptxd_make_check_src_impl > @@ -51,7 +57,7 @@ export -f ptxd_make_check_src_impl > ptxd_make_check_src() { > ptxd_make_check_src_impl "$@" && return > > - if [ -z "${2}" ]; then > + if [ -z "${2}" -a -z "${3}" ]; then > ptxd_bailout "Checksum for '${1}' missing." > else > ptxd_bailout "Wrong checksum for '${1}'" > diff --git a/scripts/lib/ptxd_make_world_check_src.sh > b/scripts/lib/ptxd_make_world_check_src.sh > index 044b1872fd0c..cb368c1932dd 100644 > --- a/scripts/lib/ptxd_make_world_check_src.sh > +++ b/scripts/lib/ptxd_make_world_check_src.sh > @@ -60,3 +60,10 @@ ptxd_make_world_update_md5() { > ptxd_make_world_update_checksum md5sum MD5 > } > export -f ptxd_make_world_update_md5 > + > +# try to update the sha256sum of the current package > +# this only works if the makefile contains a "<PKG>_SHA256 := ..." line. > +ptxd_make_world_update_sha256() { > + ptxd_make_world_update_checksum sha256sum SHA256 > +} > +export -f ptxd_make_world_update_sha256 > diff --git a/scripts/lib/ptxd_make_world_get.sh > b/scripts/lib/ptxd_make_world_get.sh > index 8c0bb0546150..da7400bff3cb 100644 > --- a/scripts/lib/ptxd_make_world_get.sh > +++ b/scripts/lib/ptxd_make_world_get.sh > @@ -22,11 +22,15 @@ ptxd_make_world_get() { > if [ -n "${pkg_src}" ]; then > ptxd_make_get "${pkg_src}" "${pkg_url}" && > > - ptxd_make_check_src_impl "${pkg_src}" "${pkg_md5}" && return > + ptxd_make_check_src_impl "${pkg_src}" "${pkg_md5}" "${pkg_sha256}" && > return > > if [ "${PTXCONF_SETUP_CHECK}" = "update" ]; then > - ptxd_make_world_update_md5 > - elif [ -z "${pkg_md5}" ]; then > + if [ -z "${pkg_sha256}" ]; then > + ptxd_make_world_update_md5 > + else > + ptxd_make_world_update_sha256 > + fi > + elif [ -z "${pkg_md5}" ] && [ -z "${pkg_sha256}" ]; then > ptxd_bailout "Checksum for '${pkg_label}' (${pkg_src}) missing." > else > ptxd_bailout "Wrong checksum for '${pkg_label}' (${pkg_src})" > diff --git a/scripts/lib/ptxd_make_world_license.sh > b/scripts/lib/ptxd_make_world_license.sh > index 5aa416672d14..6e9d13fea452 100644 > --- a/scripts/lib/ptxd_make_world_license.sh > +++ b/scripts/lib/ptxd_make_world_license.sh > @@ -125,6 +125,7 @@ ptxd_make_world_license_write() { > local pkg_chapter="$(ptxd_make_latex_escape ${pkg_label})" > local packages_url="${pkg_url}" > local packages_md5="${pkg_md5}" > + local packages_sha256="${pkg_sha256}" > local -a flags=( "${!pkg_license_flags[@]}" ) > local -a index=( "${!pkg_license_flags[@]}" ) > flags=( "${flags[@]/#/\\nameref${brl}}" ) > @@ -139,6 +140,7 @@ ptxd_make_world_license_write() { > pkg_chapter="${pkg_chapter} *** Proprietary License!" > packages_url="*not available*" > packages_md5="*not available*" > + packages_sha256="*not available*" > ;; > *unknown*) > pkg_chapter="${pkg_chapter} *** Unknown License!" > @@ -160,6 +162,7 @@ ptxd_make_world_license_write() { > \item[Flags:] $(ptxd_make_latex_escape "${flags[*]}") > \item[URL:] \begin{flushleft}$(ptxd_make_latex_escape > "${packages_url}")\end{flushleft} > \item[MD5:] {\ttfamily ${packages_md5}} > + \item[SHA256:] {\ttfamily ${packages_sha256}} > \fi > \end{description} > EOF > diff --git a/scripts/lib/ptxd_make_world_package_info.sh > b/scripts/lib/ptxd_make_world_package_info.sh > index 46e104d25ffe..1d94e9139bd6 100644 > --- a/scripts/lib/ptxd_make_world_package_info.sh > +++ b/scripts/lib/ptxd_make_world_package_info.sh > @@ -54,6 +54,7 @@ ptxd_make_world_package_info() { > > do_echo "source:" "$(ptxd_print_path "${pkg_src}")" > do_echo "md5:" "${pkg_md5}" > + do_echo "sha256:" "${pkg_sha256}" > do_echo "url:" "${pkg_url}" > do_echo "${pkg_src}${pkg_url}" > > diff --git a/scripts/lib/ptxd_make_world_report.sh > b/scripts/lib/ptxd_make_world_report.sh > index 3cb4eb0f93e8..1f3ea9e0d365 100644 > --- a/scripts/lib/ptxd_make_world_report.sh > +++ b/scripts/lib/ptxd_make_world_report.sh > @@ -63,6 +63,7 @@ ptxd_make_world_report_yaml_fragment() { > do_echo " version:" "${pkg_version}" > do_list " url:" "${pkg_url}" > do_echo " md5:" "${pkg_md5}" > + do_echo " sha256:" "${pkg_sha256}" > do_echo " source:" "${pkg_src}" > do_list " cve-product:" "${pkg_cve_product}" > do_echo " cve-version:" "${pkg_cve_version}" > @@ -96,11 +97,16 @@ ptxd_make_world_report_yaml() { > do_echo "version:" "${pkg_version}" > do_list "url:" "${pkg_url}" > do_echo "md5:" "${pkg_md5}" > + do_echo "sha256:" "${pkg_sha256}" > do_echo "source:" "${pkg_src}" > if [ -n "${pkg_md5s}" -a "${pkg_md5s}" != ":" ]; then > echo "md5s:" > awk "BEGIN { RS=\" *:\\\\s*\"; FS=\":\" } { if (\$1) print \"- '\" \$1 > \"'\" }" <<<"${pkg_md5s}" > fi > + if [ -n "${pkg_sha256s}" -a "${pkg_sha256s}" != ":" ]; then > + echo "sha256s:" > + awk "BEGIN { RS=\" *:\\\\s*\"; FS=\":\" } { if (\$1) print \"- '\" \$1 > \"'\" }" <<<"${pkg_sha256s}" > + fi > do_list "sources:" "${pkg_srcs}" > if [ -e "${tmp_report}" ]; then > echo "source-packages:"
