authorJan Tojnar <jtojnar@gmail.com>2020-01-30 21:08:55 +0100
committerJan Tojnar <jtojnar@gmail.com>2020-02-04 06:25:37 +0100
commit5a1bc70ec063b414694b31a1bf39deeed008e688 (patch)
tree68879e26ac422e4569d5059d5f5efdfa17324751 /pkgs/common-updater
parentea9da648ef8df7fdec3efb3e2efc170e68776869 (diff)
common-updater-scripts: Support SRI-style hash
Some fetcher functions support SRI-style `hash` attribute in addition to legacy type-specific attributes. When `hash` is used `outputHashAlgo` is null so let’s complain when SRI-style hash value was not detected.

Such attributes match the form ${type}${separator}${hash}: True SRI uses a dash as the separator and only supports base64, whereas Nix’s SRI-style format uses a colon and supports all the same encodings as regular hashes (16/32/64).

To keep this program reasonably simple, we will upgrade Nix’s SRI-like format to pure SRI instead of preserving it.
Diffstat (limited to 'pkgs/common-updater')
-rwxr-xr-xpkgs/common-updater/scripts/update-source-version23
1 files changed, 23 insertions, 0 deletions
diff --git a/pkgs/common-updater/scripts/update-source-version b/pkgs/common-updater/scripts/update-source-version
index a0077ee9f01..77245a1b1aa 100755
--- a/pkgs/common-updater/scripts/update-source-version
+++ b/pkgs/common-updater/scripts/update-source-version
@@ -132,7 +132,19 @@ if [ -n "$newUrl" ]; then
     fi
 fi
 
+if [[ "$oldHash" =~ ^(sha256|sha512)[:-] ]]; then
+    # Handle the possible SRI-style hash attribute (in the form ${type}${separator}${hash})
+    # True SRI uses dash as a separator and only supports base64, whereas Nix’s SRI-style format uses a colon and supports all the same encodings like regular hashes (16/32/64).
+    # To keep this program reasonably simple, we will upgrade Nix’s format to SRI.
+    oldHashAlgo="${BASH_REMATCH[1]}"
+    sri=true
+elif [[ "$oldHashAlgo" = "null" ]]; then
+    # Some fetcher functions support SRI-style `hash` attribute in addition to legacy type-specific attributes. When `hash` is used `outputHashAlgo` is null so let’s complain when SRI-style hash value was not detected.
+    die "Unable to figure out hashing scheme from '$oldHash' in '$attr'!"
+fi
+
 case "$oldHashAlgo" in
+    # Lengths of hex-encoded hashes
     sha256) hashLength=64 ;;
     sha512) hashLength=128 ;;
     *) die "Unhandled hash algorithm '$oldHashAlgo' in '$attr'!" ;;
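Review bot: `sri` is assigned only in the SRI branch and is never cleared in the visible lines, yet the later `[[ -n "$sri" ]]` tests treat any non-empty value as true. If nothing above this hunk initialises it, a `sri` variable inherited from the caller's environment would send a legacy hex or base32 hash through `nix to-sri` and rewrite the pin in a format the file did not use. Adding `sri=` just before the `if [[ "$oldHash" =~ ^(sha256|sha512)[:-] ]]; then` line makes the flag depend only on the regex match. The script continues above and below the hunk, so an existing initialisation may simply not be visible here.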
@@ -141,6 +153,12 @@ esac
 # Make a temporary all-zeroes hash of $hashLength characters
 tempHash=$(printf '%0*d' "$hashLength" 0)
 
+if [[ -n "$sri" ]]; then
+    # SRI hashes only support base64
+    # SRI hashes need to declare the hash type as part of the hash
+    tempHash="$(nix to-sri --type "$oldHashAlgo" "$tempHash")"
+fi
+
 sed -i "$nixFile" -re "s|\"$oldHash\"|\"$tempHash\"|"
 if cmp -s "$nixFile" "$nixFile.bak"; then
     die "Failed to replace source hash of '$attr' to a temporary hash!"
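Review bot: The context line `sed -i "$nixFile" -re "s|\"$oldHash\"|\"$tempHash\"|"` interpolates `$oldHash` into an extended regular expression, and with this change `$oldHash` can be a base64 SRI string. Base64 may contain `+`, which ERE reads as a quantifier, so such a hash would not match its own literal text in the file and the run would stop at "Failed to replace source hash" even though the pin is present. Escape the value before building the pattern, for example `oldHashEscaped=$(printf '%s' "$oldHash" | sed -e 's|[.+]|\\&|g')`, and use `s|\"$oldHashEscaped\"|\"$tempHash\"|` in the substitution. Any later substitution that puts a hash on the pattern side lies outside this hunk and should be checked in the same way.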
@@ -153,6 +171,11 @@ if [ -z "$newHash" ]; then
     newHash=$(egrep -v "killing process|dependencies couldn't be built|wanted: " "$attr.fetchlog" | tail -n2 | sed "s~output path .* has .* hash ‘\(.*\)’ when .* was expected\|fixed-output derivation produced path '.*' with .* hash '\(.*\)' instead of the expected hash '.*'\|  got:    .*:\(.*\)~\1\2\3~" | head -n1)
 fi
 
+if [[ -n "$sri" ]]; then
+    # nix-build preserves the hashing scheme so we can just convert the result to SRI using the old type
+    newHash="$(nix to-sri --type "$oldHashAlgo" "$newHash")"
+fi
+
 if [ -z "$newHash" ]; then
     cat "$attr.fetchlog" >&2
     die "Couldn't figure out new hash of '$attr.src'!"
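Review bot: The added `nix to-sri` call runs before the `[ -z "$newHash" ]` check that follows it, so when hash extraction from the fetch log produced nothing, the conversion is attempted on an empty string. Depending on how `nix to-sri` and the script's error settings behave (neither is visible here), the run may stop on the tool's error without printing `$attr.fetchlog`, which loses the diagnostic an operator needs to see why the fetch failed. Guard the conversion with `if [[ -n "$sri" && -n "$newHash" ]]; then`, or move the block below the emptiness check. A `newHash` supplied by the caller already in SRI form would also pass through `to-sri`; whether that input is accepted should be confirmed.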