build: migrate tarball integrity checksums from sha1 to sha512#1132
Draft
bhouse-nexthop wants to merge 4 commits into
Draft
build: migrate tarball integrity checksums from sha1 to sha512#1132bhouse-nexthop wants to merge 4 commits into
bhouse-nexthop wants to merge 4 commits into
Conversation
This was referenced Jul 9, 2026
11a3875 to
5f4768c
Compare
…sstool-NG 1.28 / uClibc-ng 1.0.54) Squashed content of PR opencomputeproject#1129, pulled in as a dependency. (The secure-boot stack -- shim 16.1, host pesign, grub SBAT -- is part of PR opencomputeproject#1128, which opencomputeproject#1129 in turn depends on, so it is transitively included here.)
…nfigs) Squashed content of PR opencomputeproject#1130 (delta over opencomputeproject#1129), pulled in as a dependency. Signed-off-by: Brad House <bhouse@nexthop.ai>
…, flashrom 1.7.0) Squashed content of PR opencomputeproject#1131 (delta over opencomputeproject#1129), pulled in as a dependency. Signed-off-by: Brad House <bhouse@nexthop.ai>
Replace the per-tarball sha1 integrity pins with sha512 (upstream asked
for sha512 rather than sha256).
- fetch-package: verify ${FILE}.sha512 with sha512sum (was sha1sum /
.sha1); the second argument is now the SHA512 directory.
- crosstool-ng.make: update the "how to pin a new package" comment to
sha512sum / .sha512.
- Convert every active upstream/*.sha1 to upstream/*.sha512 (hashes
computed from the verified tarballs) and drop all now-unused .sha1
pins for versions no longer referenced.
Every checksum was generated from a tarball first verified against its
previous sha1 pin, so the sha512 values correspond to exactly the bytes
ONIE already trusted.
Note: this also pins acpica-unix-20260408, libpcap-1.10.6 and
tcpdump-4.99.6, whose current-version checksums would otherwise be
absent.
Signed-off-by: Brad House <bhouse@nexthop.ai>
5f4768c to
b07a7b3
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Targets
onie-modernization-2026. Migrates every tarball integrity pin from sha1 → sha512 (upstream requested sha512 rather than sha256).Depends on (merge first): #1129, #1130, #1131. This rewrites the entire
upstream/checksum set, so it needs the final tarball set from all the package/toolchain/kernel PRs. They're pulled in here as threedeps: PR #NNNNcommits (#1129 already contains #1125–#1128); once they merge I'll rebase and this narrows to the single checksum commit.What this does
fetch-package: verify${FILE}.sha512withsha512sum(wassha1sum/.sha1); second arg is now the SHA512 dir.crosstool-ng.make: update the "how to pin a new package" comment tosha512sum/.sha512.upstream/*.sha1→upstream/*.sha512(70 tarballs) and drop all now-unused.sha1pins (162 removed).Correctness
Every sha512 was computed from a tarball first verified against its existing sha1 pin, so each hash corresponds to exactly the bytes ONIE already trusted. (One kernel tarball on a mirror failed sha1 verification and was re-fetched from kernel.org to match.)
Also fixes three current-version tarballs — acpica-unix-20260408, libpcap-1.10.6, tcpdump-4.99.6 — whose checksums would otherwise be missing (their old+new
.sha1had both been present; only the stale ones should be dropped).The self-extracting installer's internal
sha1sumself-check (onie-mk-installer.sh/onie-mk-demo.sh) is a separate mechanism and is intentionally left unchanged.