From 9f43b7a6b0d02b551b50130a4366c7e960dc57ec Mon Sep 17 00:00:00 2001
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 14 Jan 2013 02:41:56 +0000
Subject: [PATCH] carl9170: Add and check SHA-256 sums for the toolchain
 tarballs

The sums for binutils and gcc are based on an HTTPS download (instead
of the default HTTP).

newlib doesn't seem to be available with any kind of signature, so I
compared a tarball and CVS checkout; let's hope they weren't both
compromised.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 carl9170fw/toolchain/Makefile   | 11 +++++++++++
 carl9170fw/toolchain/SHA256SUMS |  3 +++
 2 files changed, 14 insertions(+)
 create mode 100644 carl9170fw/toolchain/SHA256SUMS

diff --git a/carl9170fw/toolchain/Makefile b/carl9170fw/toolchain/Makefile
index 23843a7e..2b25ffe6 100644
--- a/carl9170fw/toolchain/Makefile
+++ b/carl9170fw/toolchain/Makefile
@@ -12,16 +12,27 @@ GCC_TAR=gcc-$(GCC_VER).tar.bz2
 
 BASEDIR=$(shell pwd)
 
+define checksum
+@if grep -q '  $(subst .,\.,$(1))$$' SHA256SUMS; then			\
+	grep '  $(subst .,\.,$(1))$$' SHA256SUMS | sha256sum -c;	\
+else									\
+	echo "WARNING: no checksum defined for $(1)";			\
+fi
+endef
+
 all: gcc
 
 src/$(BINUTILS_TAR):
 	wget -P src $(BINUTILS_URL)
+	$(call checksum,$@)
 
 src/$(NEWLIB_TAR):
 	wget -P src $(NEWLIB_URL)
+	$(call checksum,$@)
 
 src/$(GCC_TAR):
 	wget -P src $(GCC_URL)
+	$(call checksum,$@)
 
 src/binutils-$(BINUTILS_VER): src/$(BINUTILS_TAR)
 	tar -C src -xjf $<
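Review bot: A failed `sha256sum -c` in the new `checksum` macro aborts the recipe but leaves the downloaded tarball in `src/`, so on the next `make` run the target counts as up to date, neither wget nor the check runs again, and the `src/binutils-$(BINUTILS_VER)` rule extracts the unverified file; the same applies to the newlib and gcc download rules. Unless `.DELETE_ON_ERROR:` is declared elsewhere in the Makefile (not visible in this hunk), the macro should remove the file when verification fails, e.g. `grep '  $(subst .,\.,$(1))$$' SHA256SUMS | sha256sum -c || { rm -f $(1); exit 1; };`. The else branch also fails open: if a version variable is bumped without adding a matching SHA256SUMS line, only a warning is printed and the tarball is used unverified, so `echo "ERROR: no checksum defined for $(1)" >&2; rm -f $(1); exit 1;` would turn that case into a hard stop.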
diff --git a/carl9170fw/toolchain/SHA256SUMS b/carl9170fw/toolchain/SHA256SUMS
new file mode 100644
index 00000000..00c3911f
--- /dev/null
+++ b/carl9170fw/toolchain/SHA256SUMS
@@ -0,0 +1,3 @@
+6c7af8ed1c8cf9b4b9d6e6fe09a3e1d3d479fe63984ba8b9b26bf356b6313ca9  src/binutils-2.22.tar.bz2
+16093f6fa01732adf378d97fe338f113c933bdf56da22bf87c76beff13da406f  src/gcc-4.7.1.tar.bz2
+c644b2847244278c57bec2ddda69d8fab5a7c767f3b9af69aa7aa3da823ff692  src/newlib-1.20.0.tar.gz
-- 
GitLab