Meta: Add support for verifying downloaded files with their SHA-256 hash

Author: https://github.com/trflynn89 Commit: ec63f442f9 Pull-request: https://github.com/SerenityOS/serenity/pull/24407 Issue: https://github.com/SerenityOS/serenity/issues/24401 Reviewed-by: https://github.com/nico ✅
2025-09-22 09:18:55 +00:00 · 2024-05-23 12:04:02 -04:00 · 2024-05-23 12:04:02 -04:00 · ec63f442f9 · 2024-07-18 00:34:07 +09:00
commit ec63f442f9
parent 473f840142
3 changed files with 50 additions and 10 deletions
--- a/Meta/gn/build/download_file.py
+++ b/Meta/gn/build/download_file.py
@ -8,6 +8,7 @@ It's intended to be used for files that are cached between runs.
 """

 import argparse
+import hashlib
 import os
 import pathlib
 import shutil
@ -16,10 +17,24 @@ import tempfile
 import urllib.request


+def compute_sha256(path):
+    sha256 = hashlib.sha256()
+
+    with open(path, 'rb') as file:
+        while True:
+            data = file.read(256 << 10)
+            if not data:
+                break
+
+            sha256.update(data)
+
+    return sha256.hexdigest()
+
+
 def main():
    parser = argparse.ArgumentParser(
-                 epilog=__doc__,
-                 formatter_class=argparse.RawDescriptionHelpFormatter)
+        epilog=__doc__,
+        formatter_class=argparse.RawDescriptionHelpFormatter)
    parser.add_argument('url', help='input url')
    parser.add_argument('-o', '--output', required=True,
                        help='output file')
@ -29,6 +44,8 @@ def main():
                        help='filesystem location to cache version')
    parser.add_argument('-c', "--cache-path", required=False,
                        help='path for cached files to clear on version mismatch')
+    parser.add_argument('-s', "--sha256", required=False,
+                        help='expected SHA-256 hash of the downloaded file')
    args = parser.parse_args()

    version_from_file = ''
@ -41,23 +58,30 @@ def main():
        return 0

    # Fresh build or version mismatch, delete old cache
-    if (args.cache_path):
+    if args.cache_path:
        cache_path = pathlib.Path(args.cache_path)
        shutil.rmtree(cache_path, ignore_errors=True)
        cache_path.mkdir(parents=True)

-    print(f"Downloading version {args.version} of {args.output}...", end='')
+    output_file = pathlib.Path(args.output)
+    print(f"Downloading file {output_file} from {args.url}")

    with urllib.request.urlopen(args.url) as f:
        try:
-            with tempfile.NamedTemporaryFile(delete=False,
-                                             dir=pathlib.Path(args.output).parent) as out:
+            with tempfile.NamedTemporaryFile(delete=False, dir=output_file.parent) as out:
                out.write(f.read())
-                os.rename(out.name, args.output)
+                os.rename(out.name, output_file)
        except IOError:
            os.unlink(out.name)

-    print("done")
+    if args.sha256:
+        actual_sha256 = compute_sha256(output_file)
+
+        if args.sha256 != actual_sha256:
+            print(f"SHA-256 mismatch for downloaded file {output_file}")
+            print(f"Expected: {args.sha256}")
+            print(f"Actual:   {actual_sha256}")
+            return 1

    with open(version_file, 'w') as f:
        f.write(args.version)