From 5a1bc70ec063b414694b31a1bf39deeed008e688 Mon Sep 17 00:00:00 2001
From: Jan Tojnar
Date: Thu, 30 Jan 2020 21:08:55 +0100
Subject: common-updater-scripts: Support SRI-style hash
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Some fetcher functions support SRI-style `hash` attribute in addition to legacy type-specific attributes. When `hash` is used `outputHashAlgo` is null so let’s complain when SRI-style hash value was not detected. Such attributes match the form ${type}${separator}${hash}: True SRI uses dash as a separator and only supports base64, whereas Nix’s SRI-style format uses a colon and supports all the same encodings like regular hashes (16/32/64). To keep this program reasonably simple, we will upgrade Nix’s SRI-like format to pure SRI instead of preserving it.
---
 pkgs/common-updater/scripts/update-source-version | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
(limited to 'pkgs/common-updater')

diff --git a/pkgs/common-updater/scripts/update-source-version b/pkgs/common-updater/scripts/update-source-version
index a0077ee9f01..77245a1b1aa 100755
--- a/pkgs/common-updater/scripts/update-source-version
+++ b/pkgs/common-updater/scripts/update-source-version
@@ -132,7 +132,19 @@ if [ -n "$newUrl" ]; then
 fi
 fi
 
+if [[ "$oldHash" =~ ^(sha256|sha512)[:-] ]]; then
+ # Handle the possible SRI-style hash attribute (in the form ${type}${separator}${hash})
+ # True SRI uses dash as a separator and only supports base64, whereas Nix’s SRI-style format uses a colon and supports all the same encodings like regular hashes (16/32/64).
+ # To keep this program reasonably simple, we will upgrade Nix’s format to SRI.
+ oldHashAlgo="${BASH_REMATCH[1]}"
+ sri=true
+elif [[ "$oldHashAlgo" = "null" ]]; then
+ # Some fetcher functions support SRI-style `hash` attribute in addition to legacy type-specific attributes. When `hash` is used `outputHashAlgo` is null so let’s complain when SRI-style hash value was not detected.
+ die "Unable to figure out hashing scheme from '$oldHash' in '$attr'!"
+fi
+
 case "$oldHashAlgo" in
+ # Lengths of hex-encoded hashes
 sha256) hashLength=64 ;;
 sha512) hashLength=128 ;;
 *) die "Unhandled hash algorithm '$oldHashAlgo' in '$attr'!" ;;
@@ -141,6 +153,12 @@ esac
 
 # Make a temporary all-zeroes hash of $hashLength characters
 tempHash=$(printf '%0*d' "$hashLength" 0)
+if [[ -n "$sri" ]]; then
+ # SRI hashes only support base64
+ # SRI hashes need to declare the hash type as part of the hash
+ tempHash="$(nix to-sri --type "$oldHashAlgo" "$tempHash")"
+fi
+
 sed -i "$nixFile" -re "s|\"$oldHash\"|\"$tempHash\"|"
 if cmp -s "$nixFile" "$nixFile.bak"; then
 die "Failed to replace source hash of '$attr' to a temporary hash!"
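Review bot: `sri` is assigned only on the SRI branch of the new `if` block, so on the legacy path it is never set when the later `[[ -n "$sri" ]]` tests read it; if the script runs under `set -u` (its header is outside this hunk) that is an unbound-variable error, and even without it an `sri` variable inherited from the caller's environment would silently switch the script into SRI mode. Initialise it explicitly just before the test, `sri=` on the line preceding `if [[ "$oldHash" =~ ^(sha256|sha512)[:-] ]]; then`, so the mode is decided solely by `$oldHash`. This hunk is top-level script code that continues outside the hunk.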
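Review bot: The unchanged `sed -i "$nixFile" -re "s|\"$oldHash\"|\"$tempHash\"|"` now receives a base64 value on the SRI path, and under `-r` a `+` in `$oldHash` is an extended-regex quantifier rather than a literal, so any SRI hash containing `+` will not match and the script dies with "Failed to replace source hash" (hex hashes were never affected). Escape it before substituting, e.g. `sed -i "$nixFile" -re "s|\"${oldHash//+/\\+}\"|\"$tempHash\"|"`, or drop `-r` so that `+` is literal in a basic regex. The replacement side is fine because `+` and `/` are not special there and `|` is the delimiter; the later substitution of `$tempHash` by `$newHash` is outside the hunk, but its pattern is the all-zero SRI value, which presumably contains no `+`.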
@@ -153,6 +171,11 @@ if [ -z "$newHash" ]; then
 newHash=$(egrep -v "killing process|dependencies couldn't be built|wanted: " "$attr.fetchlog" | tail -n2 | sed "s~output path .* has .* hash ‘\(.*\)’ when .* was expected\|fixed-output derivation produced path '.*' with .* hash '\(.*\)' instead of the expected hash '.*'\| got: .*:\(.*\)~\1\2\3~" | head -n1)
 fi
 
+if [[ -n "$sri" ]]; then
+ # nix-build preserves the hashing scheme so we can just convert the result to SRI using the old type
+ newHash="$(nix to-sri --type "$oldHashAlgo" "$newHash")"
+fi
+
 if [ -z "$newHash" ]; then
 cat "$attr.fetchlog" >&2
 die "Couldn't figure out new hash of '$attr.src'!"
-- 
cgit 1.4.1
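Review bot: The new `nix to-sri` conversion runs before the `if [ -z "$newHash" ]` guard, so when nothing could be extracted from the fetch log `nix to-sri --type "$oldHashAlgo" ""` is invoked on an empty string and fails with its own error (aborting the script outright if `set -e` is enabled, which is outside the hunk) instead of reaching the `cat "$attr.fetchlog" >&2` / `die` diagnostic the script already provides. Either move the SRI block below that `if`, or guard it with `if [[ -n "$sri" && -n "$newHash" ]]; then`. The same ordering matters for any non-hash text the `sed` extraction happens to pull out of the log, which `nix to-sri` would reject before the user ever sees the fetch log.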