verify checksums

2026-02-14 14:00:07 +01:00
parent 03d20665b4
commit b4564fa5bb
16 changed files with 206 additions and 21 deletions
--- a/.clang-tidy
+++ b/.clang-tidy
@@ -1 +1 @@
-Checks: '*,clang-analyzer-*,-llvmlibc-*,-fuchsia-*,-altera-*,-abseil-*,-android-*,-modernize-use-trailing-return-type,-readability-identifier-length,-*-readability-todo,-*-magic-numbers,-readability-function-cognitive-complexity,-*-easily-swappable-parameters,-*-non-private-member-variables-in-classes,-*-no-recursion,-concurrency-mt-unsafe'
+Checks: '*,clang-analyzer-*,-llvmlibc-*,-fuchsia-*,-altera-*,-abseil-*,-android-*,-modernize-use-trailing-return-type,-readability-identifier-length,-*-readability-todo,-*-magic-numbers,-readability-function-cognitive-complexity,-*-easily-swappable-parameters,-*-non-private-member-variables-in-classes,-*-no-recursion,-concurrency-mt-unsafe,-*-runtime-int,-*-non-const-global-variables'
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 /.cache
 /build
-hash.py
-docker.sh
+/*.py
+docker.sh
+/curl
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,9 +1,32 @@
 cmake_minimum_required(VERSION 3.16)
 project(shrap)

+include(FetchContent)
 set(CMAKE_CXX_STANDARD 20)
 set(CMAKE_EXPORT_COMPILE_COMMANDS ON)

+FetchContent_Declare(
+  blake3
+  GIT_REPOSITORY https://github.com/BLAKE3-team/BLAKE3.git
+  GIT_TAG        1.8.3
+)
+FetchContent_MakeAvailable(blake3)
+
+add_library(blake3_lib STATIC
+    ${blake3_SOURCE_DIR}/c/blake3.c
+    ${blake3_SOURCE_DIR}/c/blake3_dispatch.c
+    ${blake3_SOURCE_DIR}/c/blake3_portable.c
+)
+target_compile_definitions(blake3_lib PRIVATE 
+    BLAKE3_NO_SSE2 
+    BLAKE3_NO_SSE41 
+    BLAKE3_NO_AVX2 
+    BLAKE3_NO_AVX512
+)
+target_include_directories(blake3_lib PUBLIC ${blake3_SOURCE_DIR}/c)
+
 add_executable(${PROJECT_NAME} src/main.cc)

-target_link_libraries(${PROJECT_NAME} PRIVATE -static)
+target_link_libraries(${PROJECT_NAME} PRIVATE blake3_lib)
+
+set_target_properties(${PROJECT_NAME} PROPERTIES LINK_FLAGS "-static")
--- a/packages/emacs.shrap
+++ b/packages/emacs.shrap
@@ -0,0 +1,11 @@
+(package
+    (name "emacs")
+    (version "30.2")
+    (homepage "https://www.gnu.org/software/emacs/")
+    (dependencies "libncurses" "libgnutls")
+    (src (tar
+        (url "https://mirror.netcologne.de/gnu/emacs/emacs-30.2.tar.gz")
+        (dir "emacs-30.2")
+        (blake3 "31dab4d0c43d7494eb347787147a0572d470767e8b066625d9e99c43fc970d47")))
+    (build
+        (configure_make)))
--- a/packages/libffi.shrap
+++ b/packages/libffi.shrap
@@ -0,0 +1,10 @@
+(package
+    (name "libffi")
+    (version "3.4.5")
+    (homepage "https://sourceware.org/libffi/")
+    (src (tar
+        (url "https://github.com/libffi/libffi/releases/download/v3.4.5/libffi-3.4.5.tar.gz")
+        (dir "libffi-3.4.5")
+        (blake3 "f9a2cfe1d2ac8d211c18c99f9cfafe5537925101bfb92c2d44d844680dd82264")))
+    (build
+        (configure_make)))
--- a/packages/libgmp.shrap
+++ b/packages/libgmp.shrap
@@ -0,0 +1,11 @@
+(package
+    (name "libgmp")
+    (version "6.3.0")
+    (homepage "https://gmplib.org/")
+    (dependencies "xz" "m4")
+    (src (tar
+        (url "https://gmplib.org/download/gmp/gmp-6.3.0.tar.xz")
+        (dir "gmp-6.3.0")
+        (blake3 "fffe4996713928ae19331c8ef39129e46d3bf5b7182820656fd4639435cd83a4")))
+    (build
+        (configure_make)))
--- a/packages/libgnutls.shrap
+++ b/packages/libgnutls.shrap
@@ -0,0 +1,12 @@
+(package
+    (name "libgnutls")
+    (version "3.8.12")
+    (homepage "https://gnutls.org/")
+    (dependencies "xz" "pkg-config" "libnettle" "libp11-kit")
+    (src (tar
+        (url "https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.12.tar.xz")
+        (dir "gnutls-3.8.12")
+        (blake3 "d60d32619210c02b3b280a79e32c8323a7fd556ae77e1b461d69744bc93f05d5")))
+    (build
+        (configure_make
+            (configure_flags "--with-included-libtasn1 --with-included-unistring --disable-doc --disable-tests --disable-tools"))))
--- a/packages/libncurses.shrap
+++ b/packages/libncurses.shrap
@@ -1,11 +1,11 @@
 (package
-    (name "ncurses")
+    (name "libncurses")
    (version "6.6")
    (homepage "https://invisible-island.net/ncurses/")
    (src (tar
        (url "https://invisible-mirror.net/archives/ncurses/ncurses-6.6.tar.gz")
        (dir "ncurses-6.6")
-        (blake3 "")))
+        (blake3 "fbec55697a01f99b9cc3f25be55e73ae7091f4c53e5d81a1ea15734c4e5b7238")))
    (build
        (configure_make
            (configure_flags "--disable-widec --without-tests --without-progs --without-manpages"))))
--- a/packages/libnettle.shrap
+++ b/packages/libnettle.shrap
@@ -0,0 +1,12 @@
+(package
+    (name "libnettle")
+    (version "3.10")
+    (homepage "https://www.lysator.liu.se/~nisse/nettle/")
+    (dependencies "libgmp")
+    (src (tar
+        (url "https://ftp.gnu.org/gnu/nettle/nettle-3.10.tar.gz")
+        (dir "nettle-3.10")
+        (blake3 "c2b37a2c9500b6eea1b186ccd525c7c7f82abb2039bd0ff6ba1c0232329832d0")))
+    (build
+        (configure_make
+            (configure_flags "--libdir=/usr/lib"))))
--- a/packages/libp11-kit.shrap
+++ b/packages/libp11-kit.shrap
@@ -0,0 +1,12 @@
+(package
+    (name "libp11-kit")
+    (version "0.26.2")
+    (homepage "https://p11-glue.github.io/p11-glue/p11-kit.html")
+    (dependencies "xz" "libffi")
+    (src (tar
+        (url "https://github.com/p11-glue/p11-kit/releases/download/0.26.2/p11-kit-0.26.2.tar.xz")
+        (dir "p11-kit-0.26.2")
+        (blake3 "93de717427982d3904905b0ea2997345c06dd35456c281ef3aa7bae2fd9242ed")))
+    (build
+        (configure_make
+            (configure_flags "--without-libtasn1"))))
--- a/packages/m4.shrap
+++ b/packages/m4.shrap
@@ -0,0 +1,10 @@
+(package
+    (name "m4")
+    (version "1.4.21")
+    (homepage "https://www.gnu.org/software/m4/")
+    (src (tar
+        (url "https://ftp.gnu.org/gnu/m4/m4-1.4.21.tar.gz")
+        (dir "m4-1.4.21")
+        (blake3 "9dcdc6d7bcdd49d6d10431cca2e8f763012741b187fbaef4eff43bae12a51063")))
+    (build
+        (configure_make)))
--- a/packages/pkg-config.shrap
+++ b/packages/pkg-config.shrap
@@ -0,0 +1,11 @@
+(package
+    (name "pkg-config")
+    (version "0.29")
+    (homepage "www.freedesktop.org/wiki/Software/pkg-config/")
+    (src (tar
+        (url "https://pkgconfig.freedesktop.org/releases/pkg-config-0.29.tar.gz")
+        (dir "pkg-config-0.29")
+        (blake3 "16d375630d2b8f41086e9d00cd207ec9e2a74d7bfc57510ea088071840522f06")))
+    (build
+        (configure_make
+            (configure_flags "CFLAGS=-Wno-format-nonliteral --with-internal-glib"))))
--- a/packages/vim.shrap
+++ b/packages/vim.shrap
@@ -6,6 +6,6 @@
    (src (tar
        (url "https://github.com/vim/vim/archive/refs/tags/v9.1.2148.tar.gz")
        (dir "vim-9.1.2148")
-        (blake3 "")))
+        (blake3 "1bc0bbf9da0fa156df66aeb716cfa1310101bdb0cca9aa60f241351fc8d13d8e")))
    (build
        (configure_make)))
--- a/packages/xz.shrap
+++ b/packages/xz.shrap
@@ -0,0 +1,11 @@
+(package
+    (name "xz")
+    (version "5.8.2")
+    (homepage "https://tukaani.org/xz/")
+    (src (tar
+        (url "https://github.com/tukaani-project/xz/releases/download/v5.8.2/xz-5.8.2.tar.gz")
+        (dir "xz-5.8.2")
+        (blake3 "e63d8cbda1ba9e21d36c951a6c67a81cadadfdf4e9a1895c1f278265e8d6f8ad")))
+    (build
+        (configure_make
+            (configure_flags "--disable-shared --disable-doc --disable-nls"))))
--- a/src/main.cc
+++ b/src/main.cc
@@ -1,13 +1,15 @@
 #include "parser.h"
 #include "util.h"
-#include <fstream>
-#include <iostream>
 #include <span>
-#include <stdexcept>
 #include <sys/stat.h>
 #include <thread>

+static bool flag_raw = false;
+
 void install_package(const std::string &name) {
+  // TODO: get this by the name field not filename
+  // TODO: actually resolve dependency tree
+  // TODO: track installed packages
  std::ifstream file("packages/" + name + ".shrap");
  if (!file) {
    std::cerr << "Package " << name << "not found.\n";
@@ -16,11 +18,13 @@ void install_package(const std::string &name) {

  Expr pkg = Expr::parse(file);

-  try {
-    for (const auto &dep : pkg.get("dependencies").children) {
-      install_package(dep.value);
+  if (!flag_raw) {
+    try {
+      for (const auto &dep : pkg.get("dependencies").children) {
+        install_package(dep.value);
+      }
+    } catch (std::out_of_range &) {
    }
-  } catch (std::out_of_range &) {
  }

  Expr src = pkg.get("src").children[0];
@@ -31,10 +35,18 @@ void install_package(const std::string &name) {
  if (src_type == "tar") {
    std::string archive_path = "/tmp/shrap/" + Util::basename(src_url);

-    // TODO: replace wget with a library for zero runtime dependencies
-    Util::shell_command("wget -O " + archive_path + " " + src_url);
+    // TODO: ship ca certificates
+    Util::shell_command("./curl -k -L -o " + archive_path + " " + src_url);

-    // TODO: check archive hash from src.get("blake3").children[0].value
+    std::string expected_hash = src.get("blake3").children[0].value;
+    std::string hash = Util::hash_file(archive_path);
+
+    if (expected_hash != hash) {
+      std::cerr << "Checksum check failed.\n";
+      std::cerr << "Expected: " << expected_hash << "\n";
+      std::cerr << "Got:      " << hash << "\n";
+      std::exit(1);
+    }

    Util::shell_command("tar xf " + archive_path + " -C /tmp/shrap/");
  } else {
@@ -72,10 +84,27 @@ int main(int argc, char **argv) {
  }
  Util::shell_command("mkdir -p /tmp/shrap");

-  try {
-    install_package(args[1]);
-  } catch (std::exception &e) {
-    std::cerr << "ERROR: " << e.what() << std::endl;
+  std::vector<std::string> packages;
+  for (size_t i = 1; i < args.size(); ++i) {
+    std::string arg = args[i];
+    if (arg == "-r") {
+      flag_raw = true;
+    } else {
+      packages.push_back(arg);
+    }
+  }
+
+  if (packages.empty()) {
+    std::cerr << "Usage: " << args[0] << " [-r] package1 [package2 ...]\n";
    return 1;
  }
+
+  for (const auto &pkg : packages) {
+    try {
+      install_package(pkg);
+    } catch (std::exception &e) {
+      std::cerr << "ERROR: " << e.what() << std::endl;
+      return 1;
+    }
+  }
 }
--- a/src/util.h
+++ b/src/util.h
@@ -1,9 +1,15 @@
 #pragma once

+#include "blake3.h"
+#include <array>
+#include <fstream>
+#include <iomanip>
 #include <iostream>
+#include <sstream>
 #include <string>
 #include <sys/wait.h>
 #include <unistd.h>
+#include <vector>

 namespace Util {

@@ -47,4 +53,30 @@ static std::string basename(const std::string &path) {
  return path.substr(pos + 1);
 }

+static std::string hash_file(const std::string &path) {
+  blake3_hasher hasher;
+  blake3_hasher_init(&hasher);
+
+  std::ifstream file(path, std::ios::binary);
+  if (!file) {
+    throw std::runtime_error("failed to open file");
+  }
+
+  std::vector<char> buffer(65536);
+  while (file.read(buffer.data(), static_cast<long>(buffer.size())) ||
+         file.gcount() > 0) {
+    blake3_hasher_update(&hasher, buffer.data(), file.gcount());
+  }
+
+  std::array<uint8_t, BLAKE3_OUT_LEN> output{};
+  blake3_hasher_finalize(&hasher, output.data(), BLAKE3_OUT_LEN);
+
+  std::stringstream ss;
+  ss << std::hex << std::setfill('0');
+  for (const auto &byte : output) {
+    ss << std::setw(2) << static_cast<int>(byte);
+  }
+  return ss.str();
+}
+
 }; // namespace Util