[PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading

Lukas Fleischer cgit at cryptocrack.de
Sat Mar 7 16:59:26 CET 2015


On Sat, 07 Mar 2015 at 15:46:41, John Keeping wrote:
> This requires that we save the downloaded file explicitly rather than
> piping it straight to tar, but that is advisable anyway since it allows
> us to check the exit status of curl and make sure that we have
> downloaded the file successfully.
> 
> Also add a test to make sure we don't forget to update the file when
> updating our Git version in the future.
> 
> Signed-off-by: John Keeping <john at keeping.me.uk>
> ---
>  Makefile                             |  8 ++++++--
>  git.sha256sum                        |  1 +
>  tests/t0001-validate-git-versions.sh | 11 +++++++++++
>  3 files changed, 18 insertions(+), 2 deletions(-)
>  create mode 100644 git.sha256sum
> [...]

I like the idea, however, sha256sum is not available on all platforms.
This breaks `make get-git` under OpenBSD, for example (OpenBSD has a
utility called sha256 with a different command line interface). Maybe we
can make the check optional, though?

On a related note, can we download a signature and use `gpg --verify`
instead (should probably be optional as well, to avoid a dependency on
GnuPG)?


More information about the CGit mailing list