base: add actual sha256sum checking.

Compare SHA-256 hash sum for each downloaded archive file against
previously known SHA-256 values to ensure files are what they are
supposed to be.

This impacts how new modules are introduced, as they are required to
define the expected SHA-256 along with the installation procedure,
preferably on the adequade *_versions.sh files.

Author: marcofilho

base/install-functions.sh

@@ -15,8 +15,9 @@ download_from_github() {
     github_org=$1
     module_name=$2
     commit=$3
+    sha=$4
 
-    lnls-get-n-unpack -l https://github.com/$github_org/$module_name/archive/$commit.tar.gz
+    lnls-get-n-unpack -l https://github.com/$github_org/$module_name/archive/$commit.tar.gz $sha
 
     # GitHub tarballs for tags starting with 'v' don't include that 'v'
     commit=${commit#v}
@@ -66,7 +67,8 @@ install_from_github() {
     dependency_name=$3
     tag=$4
     release_content="$5"
+    sha=$6
 
-    download_from_github $github_org $module_name $tag
+    download_from_github $github_org $module_name $tag $sha
     install_module $flag_ioc $module_name $dependency_name "$release_content"
 }

base/install_area_detector.sh

@@ -104,7 +104,7 @@ make clean
 
 cd ..
 
-download_from_github cnpem ssc-pimega $LIBSSCPIMEGA_VERSION
+download_from_github cnpem ssc-pimega $LIBSSCPIMEGA_VERSION $LIBSSCPIMEGA_SHA256
 make -C ssc-pimega/c install
 rm -rf ssc-pimega
 
@@ -113,4 +113,5 @@ EPICS_BASE
 ASYN
 AREA_DETECTOR
 ADCORE
-"
+" \
+$NDSSCPIMEGA_SHA256

base/install_cagateway.sh

@@ -7,10 +7,12 @@ set -ex
 
 install_from_github epics-modules pcas PCAS $PCAS_VERSION "
 EPICS_BASE
-"
+" \
+$PCAS_SHA256
 
 install_from_github epics-extensions ca-gateway CA_GATEWAY $CA_GATEWAY_VERSION "
 EPICS_BASE
 PCAS
 CAPUTLOG
-"
+" \
+$CA_GATEWAY_SHA256

base/install_epics.sh

@@ -5,7 +5,7 @@ set -ex
 . $EPICS_IN_DOCKER/install-functions.sh
 . $EPICS_IN_DOCKER/epics_versions.sh
 
-lnls-get-n-unpack -l https://epics-controls.org/download/base/base-${EPICS_BASE_VERSION}.tar.gz
+lnls-get-n-unpack -l https://epics-controls.org/download/base/base-${EPICS_BASE_VERSION}.tar.gz $EPICS_BASE_SHA256
 mv base-${EPICS_BASE_VERSION} ${EPICS_BASE_PATH}
 
 patch -d ${EPICS_BASE_PATH} -Np1 < $EPICS_IN_DOCKER/epics-base-static-linking.patch

base/install_modules.sh

@@ -7,9 +7,10 @@ set -ex
 
 install_from_github epics-base pvxs PVXS $PVXS_VERSION "
 EPICS_BASE
-"
+" \
+$PVXS_SHA256
 
-download_from_github epics-base p4p $P4P_VERSION
+download_from_github epics-base p4p $P4P_VERSION $P4P_SHA256
 echo PYTHON=python3 >> p4p/configure/CONFIG_SITE
 install_module p4p P4P "
 EPICS_BASE
@@ -19,44 +20,52 @@ echo 'python3*/linux*/' > p4p/.lnls-keep-paths
 
 install_from_github epics-modules sequencer SNCSEQ $SEQUENCER_VERSION "
 EPICS_BASE
-"
+" \
+$SEQUENCER_SHA256
 
 install_from_github epics-modules calc CALC $CALC_VERSION "
 EPICS_BASE
-"
+" \
+$CALC_SHA256
 
 # Build asyn without seq since it's only needed for testIPServer
 install_from_github epics-modules asyn ASYN $ASYN_VERSION "
 EPICS_BASE
 CALC
-"
+" \
+$ASYN_SHA256
 
 install_from_github epics-modules modbus MODBUS $MODBUS_VERSION "
 EPICS_BASE
 ASYN
-"
+" \
+$MODBUS_SHA256
 
 install_from_github paulscherrerinstitute StreamDevice STREAM $STREAMDEVICE_VERSION "
 EPICS_BASE
 ASYN
 CALC
-"
+" \
+$STREAMDEVICE_SHA256
 
 install_from_github epics-modules busy BUSY $BUSY_VERSION "
 EPICS_BASE
 ASYN
-"
+" \
+$BUSY_SHA256
 
 install_from_github epics-modules autosave AUTOSAVE $AUTOSAVE_VERSION "
 EPICS_BASE
-"
+" \
+$AUTOSAVE_SHA256
 
 install_from_github epics-modules sscan SSCAN $SSCAN_VERSION "
 EPICS_BASE
 SNCSEQ
-"
+" \
+$SSCAN_SHA256
 
-download_from_github ChannelFinder recsync $RECCASTER_VERSION
+download_from_github ChannelFinder recsync $RECCASTER_VERSION $RECCASTER_SHA256
 mv recsync recsync-root
 mv recsync-root/client recsync
 rm -r recsync-root
@@ -66,35 +75,39 @@ EPICS_BASE
 
 install_from_github epics-modules ipac IPAC $IPAC_VERSION "
 EPICS_BASE
-"
+" \
+$IPAC_SHA256
 
-download_from_github epics-modules caPutLog $CAPUTLOG_VERSION
+download_from_github epics-modules caPutLog $CAPUTLOG_VERSION $CAPUTLOG_SHA256
 patch -d caPutLog -Np1 < $EPICS_IN_DOCKER/caputlog-waveform-fix.patch
 install_module caPutLog CAPUTLOG "
 EPICS_BASE
 "
 
 install_from_github brunoseivam retools RETOOLS $RETOOLS_VERSION "
 EPICS_BASE
-"
+" \
+$RETOOLS_SHA256
 
 install_from_github -i epics-modules ether_ip ETHER_IP $ETHER_IP_VERSION "
 EPICS_BASE
-"
+" \
+$ETHER_IP_SHA256
 
 install_from_github  epics-modules iocStats DEVIOCSTATS $IOCSTATS_VERSION "
 EPICS_BASE
-"
+" \
+$IOCSTATS_SHA256
 
-download_from_github slac-epics-modules ipmiComm $IPMICOMM_VERSION
+download_from_github slac-epics-modules ipmiComm $IPMICOMM_VERSION $IPMICOMM_SHA256
 patch -d ipmiComm -Np1 < $EPICS_IN_DOCKER/backport-ipmicomm.patch
 patch -d ipmiComm -Np1 < $EPICS_IN_DOCKER/ipmicomm.patch
 JOBS=1 install_module ipmiComm IPMICOMM "
 EPICS_BASE
 ASYN
 "
 
-download_from_github mdavidsaver pyDevSup $PYDEVSUP_VERSION
+download_from_github mdavidsaver pyDevSup $PYDEVSUP_VERSION $PYDEVSUP_SHA256
 echo PYTHON=python3 >> pyDevSup/configure/CONFIG_SITE
 install_module pyDevSup PYDEVSUP "
 EPICS_BASE
@@ -103,7 +116,8 @@ echo 'python3*/linux*/' > pyDevSup/.lnls-keep-paths
 
 mkdir snmp
 cd snmp
-lnls-get-n-unpack -l https://groups.nscl.msu.edu/controls/files/epics-snmp-$SNMP_VERSION.zip
+lnls-get-n-unpack -l https://groups.nscl.msu.edu/controls/files/epics-snmp-$SNMP_VERSION.zip \
+$SNMP_SHA256
 cd ..
 install_module -i snmp SNMP "
 EPICS_BASE
@@ -112,7 +126,8 @@ EPICS_BASE
 install_from_github epics-modules scaler SCALER $SCALER_VERSION "
 EPICS_BASE
 ASYN
-"
+" \
+$SCALER_SHA256
 
 install_from_github -i epics-modules mca MCA $MCA_VERSION "
 EPICS_BASE
@@ -124,9 +139,10 @@ SNCSEQ
 AUTOSAVE
 ASYN
 MCA
-"
+" \
+$MCA_SHA256
 
-download_from_github ISISComputingGroup EPICS-lakeshore $LAKESHORE_VERSION
+download_from_github ISISComputingGroup EPICS-lakeshore $LAKESHORE_VERSION $LAKESHORE_SHA256
 mv EPICS-lakeshore/lakeshore336 .
 rm -r EPICS-lakeshore
 install_module lakeshore336 LAKESHORE "
@@ -138,4 +154,5 @@ EPICS_BASE
 ASYN
 CALC
 STREAM
-"
+" \
+$LAKESHORE340_SHA256

base/install_motor.sh

@@ -55,7 +55,7 @@ SNCSEQ
 
 cd $EPICS_MODULES_PATH
 
-download_from_github dls-controls pmac $PMAC_VERSION
+download_from_github dls-controls pmac $PMAC_VERSION $PMAC_SHA256
 
 rm pmac/configure/RELEASE.local.linux-x86_64
 rm pmac/configure/RELEASE.linux-x86_64.Common
@@ -80,7 +80,7 @@ MOTOR
 BUSY
 "
 
-download_from_github cnpem motorParker $PARKER_VERSION
+download_from_github cnpem motorParker $PARKER_VERSION $PARKER_SHA256
 install_module motorParker MOTOR_PARKER "
 EPICS_BASE
 ASYN

base/install_opcua.sh

@@ -8,7 +8,7 @@ set -ex
 
 opcua_release_url=https://github.com/epics-modules/opcua/releases/download/v${OPCUA_VERSION}
 opcua_release_file=BDIST_opcua-${OPCUA_VERSION}_Base-${EPICS_BASE_VERSION}_debian${DEBIAN_VERSION%.*}.tar.gz
-lnls-get-n-unpack -l $opcua_release_url/$opcua_release_file
+lnls-get-n-unpack -l $opcua_release_url/$opcua_release_file $OPCUA_SHA256
 rm HOW_TO.md
 
 mv opcuaBinaryDist opcua-module

base/lnls-get-n-unpack.sh

@@ -6,13 +6,15 @@ set -eu
 
 help () {
     echo    "lnls-get-n-unpack: download and extract archive from the network"
-    echo -e "Usage: lnls-get-n-unpack <extraction_mode> <URL1> [<URL2>...]\n"
+    echo -e "Usage: lnls-get-n-unpack <extraction_mode> <URL1> <SHA256SUM1> [<URL2> <SHA256SUM2> ...]\n"
     echo    "Extraction mode:"
     echo    "  -l extracts to local directory (./)"
     echo    "  -r extracts to root directory (/)"
     echo    "URL:"
     echo    "  url to download source from."
-    exit 0
+    echo    "SHA256SUM:"
+    echo    "  Reference sha256 hash to compare url download with."
+    exit $1
 }
 
 parse_arguments() {
@@ -21,6 +23,7 @@ parse_arguments() {
         help
     fi
 
+    # Check extraction mode
     case "$1" in
         -r) dest=/ ;;
         -l) dest=. ;;
@@ -29,26 +32,49 @@ parse_arguments() {
         ;;
     esac
 
+    # Check if we have odd number of arguments (extraction_mode + N*url + N*sha256sum)
+    if [ $(( $# % 2 )) -ne 1 ]; then
+        >&2 echo "ERROR: Even number of arguments detected. Something is wrong."
+        help 1
+    fi
+
     echo "$dest ${@:2}" # Throw extraction mode argument away
 }
 
+shacheck() {
+    downloaded_file=$1
+    sha=$2
+    url=$3
+
+    if ! echo $sha $downloaded_file | sha256sum -c; then
+        echo "ERROR: SHA $sha for URL $url does not match."
+        exit 1
+    fi
+}
+
 download () {
     dest=$1
     shift
 
-    for url; do
+    while [[ $# -gt 1 ]]; do
+        url=$1
+        sha=$2
         download_dir=$(mktemp -d)
         echo Downloading "$url"...
         wget -P $download_dir "$url" &> /tmp/wget.log || (cat /tmp/wget.log && false)
-
         filename=$(basename $download_dir/*)
+
+        shacheck $download_dir/$filename $sha $url
+
         if [[ ${filename,,} == *".zip" ]]; then
             unzip -qo $download_dir/$filename -d $dest
         else
             tar --no-same-owner -xf $download_dir/$filename -C $dest
         fi
 
         rm -rf $download_dir /tmp/wget.log
+
+        shift 2
     done
 }