[Libguestfs] [PATCH 02/10] builder: create and use a new Checksums module

Pino Toscano ptoscano at redhat.com
Tue Jul 28 09:24:42 UTC 2015 

Introduce a new Checksums module to handle the check of checksums,
moving part of the Sigchecker code to it.

Adapt the rest of virt-builder to this new module.
---
 builder/Makefile.am     |  2 ++
 builder/builder.ml      |  2 +-
 builder/checksums.ml    | 51 +++++++++++++++++++++++++++++++++++++++++++++++++
 builder/checksums.mli   | 29 ++++++++++++++++++++++++++++
 builder/index_parser.ml |  4 +++-
 builder/sigchecker.ml   | 25 ------------------------
 builder/sigchecker.mli  |  6 ------
 po/POTFILES-ml          |  1 +
 8 files changed, 87 insertions(+), 33 deletions(-)
 create mode 100644 builder/checksums.ml
 create mode 100644 builder/checksums.mli

diff --git a/builder/Makefile.am b/builder/Makefile.am
index 2413217..28afeee 100644
--- a/builder/Makefile.am
+++ b/builder/Makefile.am
@@ -39,6 +39,7 @@ CLEANFILES = *~ *.annot *.cmi *.cmo *.cmx *.cmxa *.o virt-builder
 SOURCES_MLI = \
 	cache.mli \
 	downloader.mli \
+	checksums.mli \
 	index_parser.mli \
 	ini_reader.mli \
 	languages.mli \
@@ -52,6 +53,7 @@ SOURCES_ML = \
 	utils.ml \
 	pxzcat.ml \
 	setlocale.ml \
+	checksums.ml \
 	ini_reader.ml \
 	paths.ml \
 	languages.ml \
diff --git a/builder/builder.ml b/builder/builder.ml
index d40ad8f..e4f40ef 100644
--- a/builder/builder.ml
+++ b/builder/builder.ml
@@ -282,7 +282,7 @@ let main () =
     match entry with
     (* New-style: Using a checksum. *)
     | { Index_parser.checksum_sha512 = Some csum } ->
-      Sigchecker.verify_checksum sigchecker (Sigchecker.SHA512 csum) template
+      Checksums.verify_checksum (Checksums.SHA512 csum) template
 
     | { Index_parser.checksum_sha512 = None } ->
       (* Old-style: detached signature. *)
diff --git a/builder/checksums.ml b/builder/checksums.ml
new file mode 100644
index 0000000..73d541f
--- /dev/null
+++ b/builder/checksums.ml
@@ -0,0 +1,51 @@
+(* virt-builder
+ * Copyright (C) 2015 Red Hat Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *)
+
+open Common_gettext.Gettext
+open Common_utils
+
+open Utils
+
+open Printf
+
+type csum_t =
+| SHA512 of string
+
+let string_of_csum_t = function
+  | SHA512 _ -> "sha512"
+
+let string_of_csum = function
+  | SHA512 c -> c
+
+let verify_checksum csum filename =
+  let prog, csum_ref =
+    match csum with
+    | SHA512 c -> "sha512sum", c
+  in
+
+  let cmd = sprintf "%s %s" prog (quote filename) in
+  if verbose () then printf "%s\n%!" cmd;
+  let lines = external_command cmd in
+  match lines with
+  | [] ->
+    error (f_"%s did not return any output") prog
+  | line :: _ ->
+    let csum_actual = fst (string_split " " line) in
+    if csum_ref <> csum_actual then
+      error (f_"%s checksum of template did not match the expected checksum!\n  found checksum: %s\n  expected checksum: %s\nTry:\n - Use the '-v' option and look for earlier error messages.\n - Delete the cache: virt-builder --delete-cache\n - Check no one has tampered with the website or your network!")
+        (string_of_csum_t csum) csum_actual csum_ref
diff --git a/builder/checksums.mli b/builder/checksums.mli
new file mode 100644
index 0000000..6833879
--- /dev/null
+++ b/builder/checksums.mli
@@ -0,0 +1,29 @@
+(* virt-builder
+ * Copyright (C) 2015 Red Hat Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *)
+
+type csum_t =
+| SHA512 of string
+
+val verify_checksum : csum_t -> string -> unit
+(** Verify the checksum of the file. *)
+
+val string_of_csum_t : csum_t -> string
+(** Return a string representation of the checksum type. *)
+
+val string_of_csum : csum_t -> string
+(** Return a string representation of the checksum value. *)
diff --git a/builder/index_parser.ml b/builder/index_parser.ml
index aff0b00..abd685c 100644
--- a/builder/index_parser.ml
+++ b/builder/index_parser.ml
@@ -79,7 +79,9 @@ let print_entry chan (name, { printable_name = printable_name;
   );
   (match checksum_sha512 with
   | None -> ()
-  | Some uri -> fp "checksum[sha512]=%s\n" uri
+  | Some uri ->
+    fp "checksum[%s]=%s\n"
+      (Checksums.string_of_csum_t (Checksums.SHA512 uri)) uri
   );
   fp "revision=%d\n" revision;
   (match format with
diff --git a/builder/sigchecker.ml b/builder/sigchecker.ml
index 55db7af..cb9144f 100644
--- a/builder/sigchecker.ml
+++ b/builder/sigchecker.ml
@@ -180,28 +180,3 @@ and do_verify t args =
   if not (equal_fingerprints !fingerprint t.fingerprint) then
     error (f_"fingerprint of signature does not match the expected fingerprint!\n  found fingerprint: %s\n  expected fingerprint: %s")
       !fingerprint t.fingerprint
-
-type csum_t = SHA512 of string
-
-let verify_checksum t (SHA512 csum) filename =
-  let csum_file = Filename.temp_file "vbcsum" ".txt" in
-  unlink_on_exit csum_file;
-  let cmd = sprintf "sha512sum %s | awk '{print $1}' > %s"
-    (quote filename) (quote csum_file) in
-  if verbose () then printf "%s\n%!" cmd;
-  let r = Sys.command cmd in
-  if r <> 0 then
-    error (f_"could not run sha512sum command to verify checksum");
-
-  let csum_actual = read_whole_file csum_file in
-
-  let csum_actual =
-    let len = String.length csum_actual in
-    if len > 0 && csum_actual.[len-1] = '\n' then
-      String.sub csum_actual 0 (len-1)
-    else
-      csum_actual in
-
-  if csum <> csum_actual then
-    error (f_"checksum of template did not match the expected checksum!\n  found checksum: %s\n  expected checksum: %s\nTry:\n - Use the '-v' option and look for earlier error messages.\n - Delete the cache: virt-builder --delete-cache\n - Check no one has tampered with the website or your network!")
-      csum_actual csum
diff --git a/builder/sigchecker.mli b/builder/sigchecker.mli
index b670957..47bf2a3 100644
--- a/builder/sigchecker.mli
+++ b/builder/sigchecker.mli
@@ -26,9 +26,3 @@ val verify : t -> string -> unit
 val verify_detached : t -> string -> string option -> unit
 (** Verify the file is signed against the detached signature
     (if check_signature is true). *)
-
-type csum_t = SHA512 of string
-
-val verify_checksum : t -> csum_t -> string -> unit
-(** Verify the checksum of the file.  This is always verified even if
-    check_signature if false. *)
diff --git a/po/POTFILES-ml b/po/POTFILES-ml
index bfed0cf..ad52110 100644
--- a/po/POTFILES-ml
+++ b/po/POTFILES-ml
@@ -1,5 +1,6 @@
 builder/builder.ml
 builder/cache.ml
+builder/checksums.ml
 builder/cmdline.ml
 builder/downloader.ml
 builder/index_parser.ml
-- 
2.1.0

More information about the Libguestfs mailing list