Skip to content

build: migrate tarball integrity checksums from sha1 to sha512#1132

Draft
bhouse-nexthop wants to merge 4 commits into
opencomputeproject:onie-modernization-2026from
bhouse-nexthop:bhouse.checksums-sha512
Draft

build: migrate tarball integrity checksums from sha1 to sha512#1132
bhouse-nexthop wants to merge 4 commits into
opencomputeproject:onie-modernization-2026from
bhouse-nexthop:bhouse.checksums-sha512

Conversation

@bhouse-nexthop

Copy link
Copy Markdown

⚠️ Draft — stacked PR. Kept as a draft to signal it depends on #1129, #1130, and #1131. It will be marked ready for review once those merge into onie-modernization-2026 (and I rebase so this PR's diff narrows to only the checksum commit).

Targets onie-modernization-2026. Migrates every tarball integrity pin from sha1 → sha512 (upstream requested sha512 rather than sha256).

Depends on (merge first): #1129, #1130, #1131. This rewrites the entire upstream/ checksum set, so it needs the final tarball set from all the package/toolchain/kernel PRs. They're pulled in here as three deps: PR #NNNN commits (#1129 already contains #1125#1128); once they merge I'll rebase and this narrows to the single checksum commit.

What this does

  • fetch-package: verify ${FILE}.sha512 with sha512sum (was sha1sum / .sha1); second arg is now the SHA512 dir.
  • crosstool-ng.make: update the "how to pin a new package" comment to sha512sum/.sha512.
  • Convert every active upstream/*.sha1upstream/*.sha512 (70 tarballs) and drop all now-unused .sha1 pins (162 removed).

Correctness

Every sha512 was computed from a tarball first verified against its existing sha1 pin, so each hash corresponds to exactly the bytes ONIE already trusted. (One kernel tarball on a mirror failed sha1 verification and was re-fetched from kernel.org to match.)

Also fixes three current-version tarballs — acpica-unix-20260408, libpcap-1.10.6, tcpdump-4.99.6 — whose checksums would otherwise be missing (their old+new .sha1 had both been present; only the stale ones should be dropped).

The self-extracting installer's internal sha1sum self-check (onie-mk-installer.sh / onie-mk-demo.sh) is a separate mechanism and is intentionally left unchanged.

…sstool-NG 1.28 / uClibc-ng 1.0.54)

Squashed content of PR opencomputeproject#1129, pulled in as a dependency.  (The secure-boot
stack -- shim 16.1, host pesign, grub SBAT -- is part of PR opencomputeproject#1128, which
opencomputeproject#1129 in turn depends on, so it is transitively included here.)
…nfigs)

Squashed content of PR opencomputeproject#1130 (delta over opencomputeproject#1129), pulled in as a dependency.

Signed-off-by: Brad House <bhouse@nexthop.ai>
…, flashrom 1.7.0)

Squashed content of PR opencomputeproject#1131 (delta over opencomputeproject#1129), pulled in as a dependency.

Signed-off-by: Brad House <bhouse@nexthop.ai>
Replace the per-tarball sha1 integrity pins with sha512 (upstream asked
for sha512 rather than sha256).

  - fetch-package: verify ${FILE}.sha512 with sha512sum (was sha1sum /
    .sha1); the second argument is now the SHA512 directory.
  - crosstool-ng.make: update the "how to pin a new package" comment to
    sha512sum / .sha512.
  - Convert every active upstream/*.sha1 to upstream/*.sha512 (hashes
    computed from the verified tarballs) and drop all now-unused .sha1
    pins for versions no longer referenced.

Every checksum was generated from a tarball first verified against its
previous sha1 pin, so the sha512 values correspond to exactly the bytes
ONIE already trusted.

Note: this also pins acpica-unix-20260408, libpcap-1.10.6 and
tcpdump-4.99.6, whose current-version checksums would otherwise be
absent.

Signed-off-by: Brad House <bhouse@nexthop.ai>
@bhouse-nexthop bhouse-nexthop force-pushed the bhouse.checksums-sha512 branch from 5f4768c to b07a7b3 Compare July 13, 2026 20:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant