cosum: Checkout verification PoC

From: Max Laier <max_at_love2party.net>
Date: Mon, 22 Sep 2008 22:33:25 +0200

Hi,

the attached script will generate md5 and sha256 checksums of a checkout and 
try to find the corresponding svn-revision.  This can help to verify that your 
checkout from cvsupX.yy.freebsd.org is authentic.  Not that there is reason to 
believe that we have compromised cvsup-servers.  This is just something I've 
been toying with and wanted to let you know to see if people find the idea 
interesting.  I'd also be interested in reviews of the concept (note that I 
know that https would be a good idea, I just cba to set up a certificate).

The coverage currently is head and stable/{6,7} svn revision 179451:183186 
(i.e. since the first svn commit up to "2008-09-19 16:51:41 +0200").  I don't 
yet have a cronjob in place to generate new checksums, so this will become 
less useful quickly.  If people do find it interesting, however, I could 
certainly roll something.

As you can see, the script is ready to checksum cvs and svn checkouts.  If you 
obtain your checkout from some local git/hg/svk/... mirror you must modify the 
find excludes accordingly.

Let me know what you think.

-- 
/"\  Best regards,                      | mlaier_at_freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier_at_EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

#!/bin/sh
#
# cosum: hash the files of a cvs/svn checkout (metadata directories
# excluded), look the md5 up on the cosum server and cross-check the sha256.
# FreeBSD-specific: relies on find -s, fetch, md5 and sha256 from the base
# system (md5/sha256 print only the digest when reading stdin).

BASEURL="http://laiers.net/cosum/data/md5"

tempfoo=$(basename "$0")
TMPFILE=$(mktemp -t "${tempfoo}") || exit 1
# Remove the downloaded answer on every exit path.
trap 'rm -f "${TMPFILE}"' EXIT

# find -s walks directories in lexicographical order, so the concatenation
# is stable between runs.  Only file contents are hashed, not paths.  Adjust
# the excludes if the checkout comes from a git/hg/... mirror.
MD5SUM=$(find -s . -type f -not -path "*/.svn/*" -not -path "*/CVS/*" \
    -exec cat {} + | md5)
SHA256SUM=$(find -s . -type f -not -path "*/.svn/*" -not -path "*/CVS/*" \
    -exec cat {} + | sha256)

# Answers on the server are sharded by the first two hex digits of the md5.
MD5DIR=$(echo "${MD5SUM}" | cut -c 1-2)

if ! fetch -o "${TMPFILE}" "${BASEURL}/${MD5DIR}/${MD5SUM}" ; then
	echo "No corresponding md5sum found, try again in a bit" >&2
	exit 1
fi

# The answer is "key:value" lines, e.g. md5:<hex> and sha256:<hex>.
ORIG_MD5SUM=$(grep '^md5' "${TMPFILE}" | cut -d":" -f 2)
ORIG_SHA256SUM=$(grep '^sha256' "${TMPFILE}" | cut -d":" -f 2)

if [ "${MD5SUM}" != "${ORIG_MD5SUM}" ]; then
	echo "md5 mismatch - something went terribly wrong!" >&2
	exit 1
fi

# Same md5 but a different sha256 means an md5 collision or a broken server
# record; either way it is worth reporting.
if [ "${SHA256SUM}" != "${ORIG_SHA256SUM}" ]; then
	echo "sha256 mismatch, but same md5 - please report this!" >&2
	cat "${TMPFILE}"
	exit 1
fi

echo "Your checkout seems to be:"
cat "${TMPFILE}"
Received on Mon Sep 22 2008 - 18:33:28 UTC
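The following is an added example and not Max Laier's script or anything from the cosum server: a portable (Linux/BSD) rendering of the same scheme that can be exercised offline against a locally written reference file in the "md5:<hex>" / "sha256:<hex>" format the script parses. It assumes md5sum/sha256sum (GNU) or md5/sha256 (FreeBSD) in PATH and file names without newlines; the sample checkout, the reference file and the "revision:" line in it are constructed here. Because the digest covers concatenated file contents only, it also shows what that does not bind: a file renamed into the same sort position keeps the digest, while a manifest-style digest over "<hash>  <path>" lines (added here for contrast) changes. The listing is a full-path LC_ALL=C sort rather than FreeBSD's per-directory "find -s" order, so the values are not guaranteed to match the author's published data; it is for understanding the check, not replacing it.

```shell
#!/bin/sh
# Added example, not the original cosum script. Assumes md5sum/sha256sum
# (GNU) or md5/sha256 (FreeBSD) in PATH and no newlines in file names.
# Path order is a full-path LC_ALL=C sort, which can differ from FreeBSD
# "find -s" order, so digests need not match the cosum server's data.

# Print the digest ($1 = md5 or sha256) of stdin as bare hex.
hash_stdin() {
    if command -v "$1sum" >/dev/null 2>&1; then
        "$1sum" | cut -d' ' -f1
    elif command -v "$1" >/dev/null 2>&1; then
        "$1" -q
    else
        echo "hash_stdin: no $1 tool found" >&2
        return 1
    fi
}

# List the files of the checkout at $1, one per line, with cvs/svn/git/hg
# bookkeeping directories excluded, in a locale-independent order.
checkout_files() {
    ( cd "$1" && find . -type f \
        ! -path '*/.svn/*' ! -path '*/CVS/*' \
        ! -path '*/.git/*' ! -path '*/.hg/*' | LC_ALL=C sort )
}

# Digest as the original script computes it: contents only, concatenated.
# A rename that keeps the sort position, or bytes moved across a file
# boundary, leaves this value unchanged.
cosum_digest() {
    cd_root=$1
    cd_algo=$2
    checkout_files "$cd_root" | while IFS= read -r f; do
        cat "$cd_root/$f"
    done | hash_stdin "$cd_algo"
}

# Contrast: digest over "<hash>  <path>" lines, so paths and file
# boundaries are bound as well.
manifest_digest() {
    md_root=$1
    md_algo=$2
    checkout_files "$md_root" | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_stdin "$md_algo" < "$md_root/$f")" "$f"
    done | hash_stdin "$md_algo"
}

# Check checkout $1 against reference file $2 in the cosum answer format.
# Returns 0 on match, 1 on md5 mismatch, 2 on sha256 mismatch despite a
# matching md5 (the case the original script asks to have reported).
cosum_verify() {
    cv_root=$1
    cv_ref=$2
    want_md5=$(grep '^md5:' "$cv_ref" | cut -d: -f2 | tr -d ' ')
    want_sha=$(grep '^sha256:' "$cv_ref" | cut -d: -f2 | tr -d ' ')
    [ "$(cosum_digest "$cv_root" md5)" = "$want_md5" ] || return 1
    [ "$(cosum_digest "$cv_root" sha256)" = "$want_sha" ] || return 2
    return 0
}

# Constructed sample checkout (not FreeBSD sources); prints its path.
make_sample_checkout() {
    d=$(mktemp -d -t cosum.XXXXXX) || return 1
    mkdir -p "$d/sys" "$d/.svn"
    printf 'int main(void) { return 0; }\n' > "$d/sys/a.c"
    printf 'all:\n\tcc a.c\n' > "$d/sys/Makefile"
    printf 'svn bookkeeping, must not count\n' > "$d/.svn/entries"
    printf '%s\n' "$d"
}

# Write a reference file for checkout $1 to $2, in the format the script
# parses; the revision line is a constructed placeholder.
write_reference() {
    printf 'md5:%s\nsha256:%s\nrevision:constructed-example\n' \
        "$(cosum_digest "$1" md5)" "$(cosum_digest "$1" sha256)" > "$2"
}

cosum_demo() {
    demo=$(make_sample_checkout) || return 1
    write_reference "$demo" "$demo.ref"
    cosum_verify "$demo" "$demo.ref" && echo "fresh checkout: ok"
    mv "$demo/sys/a.c" "$demo/sys/b.c"    # same sort position, same bytes
    cosum_verify "$demo" "$demo.ref" && echo "after rename: cosum still ok"
    echo "manifest digest after rename: $(manifest_digest "$demo" sha256)"
    printf 'tampered\n' >> "$demo/sys/b.c"
    cosum_verify "$demo" "$demo.ref" || echo "after edit: mismatch (rc=$?)"
    rm -rf "$demo" "$demo.ref"
}

cosum_demo
```

The return codes of cosum_verify mirror the three outcomes of the original script (match, md5 mismatch, sha256 mismatch with the same md5), so the demo's last three lines are the same distinctions a user of the script would see.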
