cosum: Checkout verification PoC
Max Laier
max at love2party.net
Mon Sep 22 20:33:28 UTC 2008
Hi,

the attached script will generate md5 and sha256 checksums of a checkout and
try to find the corresponding svn-revision. This can help to verify that your
checkout from cvsupX.yy.freebsd.org is authentic. Not that there is reason to
believe that we have compromised cvsup-servers. This is just something I've
been toying with and wanted to let you know to see if people find the idea
interesting. I'd also be interested in reviews of the concept (note that I
know that https would be a good idea, I just cba to setup a certificate).

The coverage currently is head and stable/{6,7} svn revision 179451:183186
(i.e. since the first svn commit up to "2008-09-19 16:51:41 +0200"). I don't
yet have a cronjob in place to generate new checksums, so this will become
less useful quickly. If people do find it interesting, however, I could
certainly roll something.

As you can see, the script is ready to checksum cvs and svn checkouts. If you
obtain your checkout from some local git/hg/svk/... mirror you must modify the
find excludes accordingly.

Let me know what you think.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
-------------- next part --------------
#!/bin/sh
# cosum: checksum a cvs/svn checkout and look up the matching svn revision.
# Relies on FreeBSD's find -s (sorted traversal), md5(1), sha256(1) and fetch(1).
BASEURL="http://laiers.net/cosum/data/md5"
tempfoo=`basename "$0"`
TMPFILE=`mktemp -t "${tempfoo}"` || exit 1
trap 'rm -f "${TMPFILE}"' EXIT

# Hash the concatenated contents of every regular file, in sorted order,
# skipping VCS metadata.  Adjust the excludes for git/hg/svk/... mirrors.
MD5SUM=`find -s . -type f -not -path "*/.svn/*" -not -path "*/CVS/*" \
    -exec cat {} + | md5`
SHA256SUM=`find -s . -type f -not -path "*/.svn/*" -not -path "*/CVS/*" \
    -exec cat {} + | sha256`

# Records are stored under a two-character prefix directory named after the md5.
MD5DIR=`echo "${MD5SUM}" | cut -c 1-2`
if ! fetch -o "${TMPFILE}" "${BASEURL}/${MD5DIR}/${MD5SUM}" ; then
    echo "No corresponding md5sum found, try again in a bit" >&2
    exit 1
fi

# The record carries one "md5:<hex>" and one "sha256:<hex>" line plus revision info.
ORIG_MD5SUM=`grep ^md5 "${TMPFILE}" | cut -d":" -f 2`
ORIG_SHA256SUM=`grep ^sha256 "${TMPFILE}" | cut -d":" -f 2`

if [ "${MD5SUM}" != "${ORIG_MD5SUM}" ]; then
    echo "md5 mismatch - something went terribly wrong!" >&2
    exit 1
fi
# Both digests must agree; a matching md5 with a different sha256 is worth reporting.
if [ "${SHA256SUM}" != "${ORIG_SHA256SUM}" ]; then
    echo "sha256 mismatch, but same md5 - please report this!" >&2
    cat "${TMPFILE}"
    exit 1
fi
echo "Your checkout seems to be:"
cat "${TMPFILE}"
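For the concept review Max asks for, here is an added example (my code, not the cosum script): concat_digest reproduces what `cat {} + | sha256` hashes, a bare byte stream in which file names and file boundaries are not recorded, and manifest_digest shows one way to bind each path and length into the digest as well. The function names and the two sample trees are constructed for the example, and the per-directory sort approximates find -s.

```python
import hashlib
import os
import tempfile
from pathlib import Path

EXCLUDED_DIRS = {".svn", "CVS"}  # directories skipped by the script's find(1) excludes

def sorted_files(root, rel=""):
    """Relative paths of regular files, each directory visited in sorted order like find -s."""
    out = []
    for name in sorted(os.listdir(Path(root) / rel)):
        path, relname = Path(root) / rel / name, f"{rel}/{name}" if rel else name
        if path.is_symlink():  # -type f never matches a symlink
            continue
        if path.is_dir() and name not in EXCLUDED_DIRS:
            out.extend(sorted_files(root, relname))
        elif path.is_file():
            out.append(relname)
    return out

def concat_digest(root, algo="sha256"):
    """Digest of the bare concatenation of file contents, i.e. what the cosum script hashes."""
    h = hashlib.new(algo)
    for rel in sorted_files(root):
        h.update((Path(root) / rel).read_bytes())
    return h.hexdigest()

def manifest_digest(root, algo="sha256"):
    """Digest over (path, length, content) records, so file names and boundaries count too."""
    h = hashlib.new(algo)
    for rel in sorted_files(root):
        data = (Path(root) / rel).read_bytes()
        h.update(rel.encode() + b"\0" + str(len(data)).encode() + b"\0" + data)
    return h.hexdigest()

def write_tree(root, files):
    """Materialise a constructed sample checkout from {relative path: bytes}."""
    for rel, data in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

def demo():
    """Two constructed trees: same byte stream, different file layout."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        write_tree(a, {"a.c": b"int x;\n", "b.c": b"int y;\n", ".svn/entries": b"meta"})
        write_tree(b, {"a.c": b"int x;\nint y;\n", "b.c": b""})
        return concat_digest(a) == concat_digest(b), manifest_digest(a) == manifest_digest(b)
```

demo() returns (True, False): the two layouts collide under the concatenation digest, which also shows that the .svn contents are ignored as intended, but not under the manifest digest.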