[DRE-commits] [gem2deb] 01/03: verify checksums and remove checksums.yaml.gz upon extraction of the gem

Cédric Boutillier boutil at moszumanska.debian.org
Mon Aug 11 13:29:14 UTC 2014


This is an automated email from the git hooks/post-receive script.

boutil pushed a commit to branch checksums
in repository gem2deb.

commit 41bf9d9f89a0582187ce4fb279539e27b620136c
Author: Cédric Boutillier <boutil at debian.org>
Date:   Sat Aug 9 22:01:41 2014 +0200

    verify checksums and remove checksums.yaml.gz upon extraction of the gem
---
 lib/gem2deb/gem2tgz.rb | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/lib/gem2deb/gem2tgz.rb b/lib/gem2deb/gem2tgz.rb
index 53092a6..1d2800f 100644
--- a/lib/gem2deb/gem2tgz.rb
+++ b/lib/gem2deb/gem2tgz.rb
@@ -15,6 +15,9 @@
 
 require 'fileutils'
 require 'tmpdir'
+require 'digest'
+require 'yaml'
+require 'zlib'
 
 require 'gem2deb'
 include Gem2Deb
@@ -79,6 +82,7 @@ module Gem2Deb
     def extract_gem_contents
       Dir.chdir(@target_dir) do
         run('tar', 'xfm', gem_full_path)
+        verify_and_strip_checksums if File.exist?('checksums.yaml.gz')
         run 'tar xzfm data.tar.gz'
         FileUtils.rm_f('data.tar.gz')
         run "zcat metadata.gz > metadata.yml"
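Review bot: in extract_gem_contents the `if File.exist?('checksums.yaml.gz')` guard makes verification optional and leaves no trace when it is skipped: a gem that lacks the file is unpacked exactly as before, silently. The checksum file also travels inside the same archive as data.tar.gz and metadata.gz, so this check detects corruption but not deliberate tampering, and a comment here should say so. Suggest printing at least a warning in the missing-file case so the skipped check shows up in the build log.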
@@ -102,5 +106,29 @@ module Gem2Deb
       FileUtils.rm_rf(@tmp_dir)
     end
 
+    def verify_and_strip_checksums
+      checksums = read_checksums
+      [Digest::SHA1, Digest::SHA512].each do |digest|
+        hash_name = digest.name.sub(/^Digest::/,'')
+        ["data.tar.gz", "metadata.gz"].each do |f|
+          unless correct_checksum?(digest, f, checksums[hash_name][f])
+            puts "E: (#{gem}) the #{hash_name} checksum for #{f} is inconsistent with the one recorded in checksums.yaml.gz"
+            exit(1)
+          end
+        end
+      end
+      FileUtils.rm_f('checksums.yaml.gz')
+    end
+
+    def read_checksums
+      Zlib::GzipReader.open('checksums.yaml.gz') do |checksums_file|
+        YAML.load(checksums_file.read)
+      end
+    end
+
+    def correct_checksum?(digest, f, checksum)
+      digest.file(f).hexdigest == checksum
+    end
+
   end
 end
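Review bot: read_checksums passes the decompressed file to `YAML.load`, and that file comes straight out of the gem being converted, so untrusted input reaches a loader that can instantiate arbitrary Ruby objects; `YAML.safe_load` is sufficient for a hash of strings. Separately, in verify_and_strip_checksums, `checksums[hash_name][f]` raises NoMethodError when checksums.yaml.gz has no SHA1 or no SHA512 section, so a gem that records only one of the two algorithms aborts with a backtrace instead of the "E:" message. Check that the key exists first, then either verify only the algorithms present or fail with a clear error.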

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/gem2deb.git


