Add SHA256 checking for downloads.

Since we're downloading arbitrary executable code from websites and
running it, we should at least have some confidence it's the right
thing we're running.

chocpkg/chocpkg_functions.sh

@@ -27,3 +27,19 @@ error_exit() {
     exit 1
 }
 
+sha256() {
+    if have_tool shasum; then
+        shasum -a 256 "$@"
+    elif have_tool sha256sum; then
+        sha256sum "$@"
+    else
+        error_exit "No sha256 tool installed."
+    fi
+}
+
+sha256_digest() {
+    sha256 -b "$@" | while read digest rest; do
+        echo "$digest"
+    done
+}
+

chocpkg/modules/fetch_download.sh

@@ -1,11 +1,28 @@
 
 fetch_download::init() {
     PACKAGE_URL=$1
+    PACKAGE_SHA256_DIGEST=$2
     PACKAGE_FILENAME=$(basename "$PACKAGE_URL")
     PACKAGE_DIR_NAME="${PACKAGE_FILENAME/.tar.gz/}"
     IS_TAR_BOMB=false
 }
 
+check_sha256_digest() {
+    local filename="$1" dldigest
+    dldigest=$(sha256_digest "$filename")
+    # For development purposes only.
+    if [ "$PACKAGE_SHA256_DIGEST" = "ignore-checksum" ]; then
+        echo "SHA256 digest of downloaded $PACKAGE_FILENAME:"
+        echo "    $dldigest"
+        return
+    fi
+    if [ "$dldigest" != "$PACKAGE_SHA256_DIGEST" ]; then
+        error_exit "sha256 checksum incorrect for $PACKAGE_FILENAME." \
+                   "expected: $PACKAGE_SHA256_DIGEST" \
+                   "checksum: $dldigest"
+    fi
+}
+
 download_package_file() {
     local dlfile="$PACKAGES_DIR/$PACKAGE_FILENAME"
     if [ ! -e "$dlfile" ]; then
@@ -13,6 +30,7 @@ download_package_file() {
         if ! chocurl "$PACKAGE_URL" > $tmpfile; then
             error_exit "Failed to download $PACKAGE_URL"
         fi
+        check_sha256_digest "$tmpfile"
         mv "$tmpfile" "$dlfile"
     fi
 }

pkgdef/SDL2.sh

@@ -1,7 +1,9 @@
 description "Simple DirectMedia Layer"
 check_pkgconfig sdl2
 
-variant stable fetch_download https://www.libsdl.org/release/SDL2-2.0.4.tar.gz
+variant stable fetch_download \
+    https://www.libsdl.org/release/SDL2-2.0.4.tar.gz \
+    da55e540bf6331824153805d58b590a29c39d2d506c6d02fa409aedeab21174b
 variant latest fetch_hg https://hg.libsdl.org/SDL/
 
 config_options=

pkgdef/SDL2_image.sh

@@ -3,7 +3,8 @@ dependencies SDL2
 check_pkgconfig SDL2_image
 
 variant stable fetch_download \
-    https://www.libsdl.org/projects/SDL_image/release/SDL2_image-2.0.1.tar.gz
+    https://www.libsdl.org/projects/SDL_image/release/SDL2_image-2.0.1.tar.gz \
+    3a3eafbceea5125c04be585373bfd8b3a18f259bd7eae3efc4e6d8e60e0d7f64
 variant latest fetch_hg https://hg.libsdl.org/SDL_image/
 
 # SDL2_image supports lots of different file formats but we only care

pkgdef/SDL2_mixer.sh

@@ -3,7 +3,8 @@ dependencies SDL2
 check_pkgconfig SDL2_mixer
 
 variant stable fetch_download \
-    https://www.libsdl.org/projects/SDL_mixer/release/SDL2_mixer-2.0.1.tar.gz
+    https://www.libsdl.org/projects/SDL_mixer/release/SDL2_mixer-2.0.1.tar.gz \
+    5a24f62a610249d744cbd8d28ee399d8905db7222bf3bdbc8a8b4a76e597695f
 variant latest fetch_hg https://hg.libsdl.org/SDL_mixer
 
 # Disable dependencies on external libraries for sound file formats:

pkgdef/SDL2_net.sh

@@ -2,6 +2,7 @@ description "SDL networking library"
 dependencies SDL2
 check_pkgconfig SDL2_net
 variant stable fetch_download \
-    https://www.libsdl.org/projects/SDL_net/release/SDL2_net-2.0.1.tar.gz
+    https://www.libsdl.org/projects/SDL_net/release/SDL2_net-2.0.1.tar.gz \
+    15ce8a7e5a23dafe8177c8df6e6c79b6749a03fff1e8196742d3571657609d21
 variant latest fetch_hg https://hg.libsdl.org/SDL_net
 build_autotools

pkgdef/autoconf.sh

@@ -1,4 +1,5 @@
 description "Scripts for generating configure scripts"
 check_tool autoconf
-fetch_download https://ftp.gnu.org/gnu/autoconf/autoconf-2.69.tar.gz
+fetch_download https://ftp.gnu.org/gnu/autoconf/autoconf-2.69.tar.gz \
+               954bd69b391edc12d6a4a51a2dd1476543da5c6bbf05a95b59dc0dd6fd4c2969
 build_autotools

pkgdef/automake.sh

@@ -1,5 +1,6 @@
 description "Scripts for generating Makefile.in files"
 dependencies autoconf libtool
 check_tool automake
-fetch_download https://ftp.gnu.org/gnu/automake/automake-1.15.tar.gz
+fetch_download https://ftp.gnu.org/gnu/automake/automake-1.15.tar.gz \
+               7946e945a96e28152ba5a6beb0625ca715c6e32ac55f2e353ef54def0c8ed924
 build_autotools

pkgdef/directx-devel.sh

@@ -1,5 +1,6 @@
 description "Extra header files for compiling DirectX applications"
-fetch_download https://www.libsdl.org/extras/win32/common/directx-devel.tar.gz
+fetch_download https://www.libsdl.org/extras/win32/common/directx-devel.tar.gz \
+               75595621b9e3da390435cbc762bd7f24f711ef06b3338a34e350622da624b360
 IS_TAR_BOMB=true
 
 do_build() {

pkgdef/flac.sh

@@ -1,7 +1,8 @@
 description "Library for encoding/decoding .flac lossless audio files"
 check_pkgconfig flac
 # We use a repacked mirror since flac is released as .xz rather than .gz:
-fetch_download https://www.chocolate-doom.org/depends/flac-1.3.1.tar.gz
+fetch_download https://www.chocolate-doom.org/depends/flac-1.3.1.tar.gz \
+               4ae2c8ee48b3ae52635e543b1e64b58f5dcb8d69e1e18257da82f800cb754861
 
 # Compile problems :(
 build_autotools --disable-asm-optimizations

pkgdef/fluidsynth.sh

@@ -1,5 +1,6 @@
 description "Real-time sound font software synthesizer"
 check_pkgconfig fluidsynth
-fetch_download https://www.chocolate-doom.org/depends/fluidsynth-1.1.6.tar.gz
+fetch_download https://www.chocolate-doom.org/depends/fluidsynth-1.1.6.tar.gz \
+               50853391d9ebeda9b4db787efb23f98b1e26b7296dd2bb5d0d96b5bccee2171c
 dependencies glib
 build_autotools

pkgdef/gettext.sh

@@ -1,4 +1,5 @@
 description "gettext localization library"
 check_tool gettext
-fetch_download https://ftp.gnu.org/pub/gnu/gettext/gettext-0.19.7.tar.gz
+fetch_download https://ftp.gnu.org/pub/gnu/gettext/gettext-0.19.7.tar.gz \
+               5386d2a40500295783c6a52121adcf42a25519e2d23675950619c9e69558c23f
 build_autotools --disable-java

pkgdef/glib.sh

@@ -1,5 +1,6 @@
 description "GNOME glib core utility library"
 check_pkgconfig glib
-fetch_download https://www.chocolate-doom.org/depends/glib-2.47.6.tar.gz
+fetch_download https://www.chocolate-doom.org/depends/glib-2.47.6.tar.gz \
+               da87bea88da06f60d6e7618c574c67b9fd109ee07fc78074dede473dde8f8196
 dependencies libffi gettext zlib
 build_autotools --with-pcre=internal

pkgdef/libffi.sh

@@ -1,4 +1,5 @@
 description "Foreign function interface library"
 check_pkgconfig libffi
-fetch_download https://www.mirrorservice.org/sites/sourceware.org/pub/libffi/libffi-3.2.tar.gz
+fetch_download https://www.mirrorservice.org/sites/sourceware.org/pub/libffi/libffi-3.2.tar.gz \
+               6b2680fbf6ae9c2381d381248705857de22e05bae191889298f8e6bfb2ded4ef
 build_autotools

pkgdef/libogg.sh

@@ -1,4 +1,5 @@
 description "Library for reading .ogg container files"
 check_pkgconfig ogg
-fetch_download http://downloads.xiph.org/releases/ogg/libogg-1.3.2.tar.gz
+fetch_download http://downloads.xiph.org/releases/ogg/libogg-1.3.2.tar.gz \
+               e19ee34711d7af328cb26287f4137e70630e7261b17cbe3cd41011d73a654692
 build_autotools

pkgdef/libpng.sh

@@ -2,5 +2,6 @@ description "Library for reading/writing .png image files"
 dependencies zlib
 check_pkgconfig libpng
 # We maintain a mirror since libpng is only downloadable via Sourceforge:
-fetch_download https://www.chocolate-doom.org/depends/libpng-1.6.10.tar.gz
+fetch_download https://www.chocolate-doom.org/depends/libpng-1.6.10.tar.gz \
+               b0206a22b49c91fc5521b2cfb1c251433a37aed0a645bc504ab3d061f27e4d51
 build_autotools

pkgdef/libsamplerate.sh

@@ -1,4 +1,5 @@
 description "Library for high quality audio resampling"
 check_pkgconfig samplerate
-fetch_download http://www.mega-nerd.com/SRC/libsamplerate-0.1.8.tar.gz
+fetch_download http://www.mega-nerd.com/SRC/libsamplerate-0.1.8.tar.gz \
+               93b54bdf46d5e6d2354b7034395fe329c222a966790de34520702bb9642f1c06
 build_autotools

pkgdef/libtool.sh

@@ -1,4 +1,5 @@
 description "Library compilation support script"
 check_tool libtool
-fetch_download https://ftp.gnu.org/gnu/libtool/libtool-2.4.6.tar.gz
+fetch_download https://ftp.gnu.org/gnu/libtool/libtool-2.4.6.tar.gz \
+               e3bd4d5d3d025a36c21dd6af7ea818a2afcd4dfc1ea5a17b39d7854bcd0c06e3
 build_autotools

pkgdef/libvorbis.sh

@@ -1,5 +1,6 @@
 description "Library for decoding Ogg Vorbis codec files"
 dependencies libogg
 check_pkgconfig vorbis
-fetch_download http://downloads.xiph.org/releases/vorbis/libvorbis-1.3.5.tar.gz
+fetch_download http://downloads.xiph.org/releases/vorbis/libvorbis-1.3.5.tar.gz \
+               6efbcecdd3e5dfbf090341b485da9d176eb250d893e3eb378c428a2db38301ce
 build_autotools

pkgdef/pkg-config.sh

@@ -1,5 +1,6 @@
 description "Development tool for locating installed packages and libraries"
 check_tool pkg-config
-fetch_download https://pkgconfig.freedesktop.org/releases/pkg-config-0.28.tar.gz
+fetch_download https://pkgconfig.freedesktop.org/releases/pkg-config-0.28.tar.gz \
+               6b6eb31c6ec4421174578652c7e141fdaae2dabad1021f420d8713206ac1f845
 build_autotools --with-internal-glib
 

pkgdef/zlib.sh

@@ -1,6 +1,7 @@
 description "Library for compressing/decompressing GZIP files"
 check_pkgconfig zlib
-fetch_download http://zlib.net/zlib-1.2.8.tar.gz
+fetch_download http://zlib.net/zlib-1.2.8.tar.gz \
+               36658cb768a54c1d4dec43c3116c27ed893e88b02ecfcb44f2166f9c0b7f2a0d
 build_autotools
 
 # zlib's configure script is hand-rolled and doesn't support the normal