base: add actual sha256sum checking.

Compare SHA-256 hash sum for each downloaded archive file against
previously known SHA-256 values to ensure files are what they are
supposed to be.

This impacts how new modules are introduced, as they are required to
define the expected SHA-256 along with the installation procedure,
preferably on the adequade *_versions.sh files.

Author: marcofilho

base/install-functions.sh

@@ -15,8 +15,9 @@ download_from_github() {
     github_org=$1
     module_name=$2
     commit=$3
+    sha=$4
 
-    lnls-get-n-unpack -l https://github.com/$github_org/$module_name/archive/$commit.tar.gz
+    lnls-get-n-unpack -l https://github.com/$github_org/$module_name/archive/$commit.tar.gz $sha
 
     # GitHub tarballs for tags starting with 'v' don't include that 'v'
     commit=${commit#v}
@@ -65,8 +66,9 @@ install_from_github() {
     module_name=$2
     dependency_name=$3
     tag=$4
-    release_content="$5"
+    sha=$5
+    release_content="$6"
 
-    download_from_github $github_org $module_name $tag
+    download_from_github $github_org $module_name $tag $sha
     install_module $flag_ioc $module_name $dependency_name "$release_content"
 }

base/install_area_detector.sh

@@ -104,11 +104,11 @@ make clean
 
 cd ..
 
-download_from_github cnpem ssc-pimega $LIBSSCPIMEGA_VERSION
+download_from_github cnpem ssc-pimega $LIBSSCPIMEGA_VERSION $LIBSSCPIMEGA_SHA256
 make -C ssc-pimega/c install
 rm -rf ssc-pimega
 
-install_from_github cnpem NDSSCPimega NDSSCPIMEGA $NDSSCPIMEGA_VERSION "
+install_from_github cnpem NDSSCPimega NDSSCPIMEGA $NDSSCPIMEGA_VERSION $NDSSCPIMEGA_SHA256 "
 EPICS_BASE
 ASYN
 AREA_DETECTOR

base/install_cagateway.sh

@@ -5,11 +5,11 @@ set -ex
 . $EPICS_IN_DOCKER/install-functions.sh
 . $EPICS_IN_DOCKER/cagateway_versions.sh
 
-install_from_github epics-modules pcas PCAS $PCAS_VERSION "
+install_from_github epics-modules pcas PCAS $PCAS_VERSION $PCAS_SHA256 "
 EPICS_BASE
 "
 
-install_from_github epics-extensions ca-gateway CA_GATEWAY $CA_GATEWAY_VERSION "
+install_from_github epics-extensions ca-gateway CA_GATEWAY $CA_GATEWAY_VERSION $CA_GATEWAY_SHA256 "
 EPICS_BASE
 PCAS
 CAPUTLOG

base/install_epics.sh

@@ -5,7 +5,7 @@ set -ex
 . $EPICS_IN_DOCKER/install-functions.sh
 . $EPICS_IN_DOCKER/epics_versions.sh
 
-lnls-get-n-unpack -l https://epics-controls.org/download/base/base-${EPICS_BASE_VERSION}.tar.gz
+lnls-get-n-unpack -l https://epics-controls.org/download/base/base-${EPICS_BASE_VERSION}.tar.gz $EPICS_BASE_SHA256
 mv base-${EPICS_BASE_VERSION} ${EPICS_BASE_PATH}
 
 patch -d ${EPICS_BASE_PATH} -Np1 < $EPICS_IN_DOCKER/epics-base-static-linking.patch

base/install_modules.sh

@@ -5,96 +5,96 @@ set -ex
 . $EPICS_IN_DOCKER/install-functions.sh
 . $EPICS_IN_DOCKER/modules_versions.sh
 
-install_from_github epics-base pvxs PVXS $PVXS_VERSION "
+install_from_github epics-base pvxs PVXS $PVXS_VERSION $PVXS_SHA256 "
 EPICS_BASE
 "
 
-download_from_github epics-base p4p $P4P_VERSION
+download_from_github epics-base p4p $P4P_VERSION $P4P_SHA256
 echo PYTHON=python3 >> p4p/configure/CONFIG_SITE
 install_module p4p P4P "
 EPICS_BASE
 PVXS
 "
 echo 'python3*/linux*/' > p4p/.lnls-keep-paths
 
-install_from_github epics-modules sequencer SNCSEQ $SEQUENCER_VERSION "
+install_from_github epics-modules sequencer SNCSEQ $SEQUENCER_VERSION $SEQUENCER_SHA256 "
 EPICS_BASE
 "
 
-install_from_github epics-modules calc CALC $CALC_VERSION "
+install_from_github epics-modules calc CALC $CALC_VERSION $CALC_SHA256 "
 EPICS_BASE
 "
 
 # Build asyn without seq since it's only needed for testIPServer
-install_from_github epics-modules asyn ASYN $ASYN_VERSION "
+install_from_github epics-modules asyn ASYN $ASYN_VERSION $ASYN_SHA256 "
 EPICS_BASE
 CALC
 "
 
-install_from_github epics-modules modbus MODBUS $MODBUS_VERSION "
+install_from_github epics-modules modbus MODBUS $MODBUS_VERSION $MODBUS_SHA256 "
 EPICS_BASE
 ASYN
 "
 
-install_from_github paulscherrerinstitute StreamDevice STREAM $STREAMDEVICE_VERSION "
+install_from_github paulscherrerinstitute StreamDevice STREAM $STREAMDEVICE_VERSION $STREAMDEVICE_SHA256 "
 EPICS_BASE
 ASYN
 CALC
 "
 
-install_from_github epics-modules busy BUSY $BUSY_VERSION "
+install_from_github epics-modules busy BUSY $BUSY_VERSION $BUSY_SHA256 "
 EPICS_BASE
 ASYN
 "
 
-install_from_github epics-modules autosave AUTOSAVE $AUTOSAVE_VERSION "
+install_from_github epics-modules autosave AUTOSAVE $AUTOSAVE_VERSION $AUTOSAVE_SHA256 "
 EPICS_BASE
 "
 
-install_from_github epics-modules sscan SSCAN $SSCAN_VERSION "
+install_from_github epics-modules sscan SSCAN $SSCAN_VERSION $SSCAN_SHA256 "
 EPICS_BASE
 SNCSEQ
 "
 
-download_from_github ChannelFinder recsync $RECCASTER_VERSION
+download_from_github ChannelFinder recsync $RECCASTER_VERSION $RECCASTER_SHA256
 mv recsync recsync-root
 mv recsync-root/client recsync
 rm -r recsync-root
 install_module recsync RECCASTER "
 EPICS_BASE
 "
 
-install_from_github epics-modules ipac IPAC $IPAC_VERSION "
+install_from_github epics-modules ipac IPAC $IPAC_VERSION $IPAC_SHA256 "
 EPICS_BASE
 "
 
-download_from_github epics-modules caPutLog $CAPUTLOG_VERSION
+download_from_github epics-modules caPutLog $CAPUTLOG_VERSION $CAPUTLOG_SHA256
 patch -d caPutLog -Np1 < $EPICS_IN_DOCKER/caputlog-waveform-fix.patch
 install_module caPutLog CAPUTLOG "
 EPICS_BASE
 "
 
-install_from_github brunoseivam retools RETOOLS $RETOOLS_VERSION "
+install_from_github brunoseivam retools RETOOLS $RETOOLS_VERSION $RETOOLS_SHA256 "
 EPICS_BASE
 "
 
-install_from_github -i epics-modules ether_ip ETHER_IP $ETHER_IP_VERSION "
+install_from_github -i epics-modules ether_ip ETHER_IP $ETHER_IP_VERSION $ETHER_IP_SHA256 "
 EPICS_BASE
 "
 
-install_from_github epics-modules iocStats DEVIOCSTATS $IOCSTATS_VERSION "
+install_from_github  epics-modules iocStats DEVIOCSTATS $IOCSTATS_VERSION $IOCSTATS_SHA256 "
 EPICS_BASE
 "
 
-download_from_github slac-epics-modules ipmiComm $IPMICOMM_VERSION
+download_from_github slac-epics-modules ipmiComm $IPMICOMM_VERSION $IPMICOMM_SHA256
 patch -d ipmiComm -Np1 < $EPICS_IN_DOCKER/backport-ipmicomm.patch
 patch -d ipmiComm -Np1 < $EPICS_IN_DOCKER/ipmicomm.patch
 JOBS=1 install_module ipmiComm IPMICOMM "
 EPICS_BASE
 ASYN
 "
 
-download_from_github mdavidsaver pyDevSup $PYDEVSUP_VERSION
+download_from_github mdavidsaver pyDevSup $PYDEVSUP_VERSION $PYDEVSUP_SHA256
 echo PYTHON=python3 >> pyDevSup/configure/CONFIG_SITE
 install_module pyDevSup PYDEVSUP "
 EPICS_BASE
@@ -103,18 +103,19 @@ echo 'python3*/linux*/' > pyDevSup/.lnls-keep-paths
 
 mkdir snmp
 cd snmp
-lnls-get-n-unpack -l https://groups.nscl.msu.edu/controls/files/epics-snmp-$SNMP_VERSION.zip
+lnls-get-n-unpack -l https://groups.nscl.msu.edu/controls/files/epics-snmp-$SNMP_VERSION.zip \
+$SNMP_SHA256
 cd ..
 install_module -i snmp SNMP "
 EPICS_BASE
 "
 
-install_from_github epics-modules scaler SCALER $SCALER_VERSION "
+install_from_github epics-modules scaler SCALER $SCALER_VERSION $SCALER_SHA256 "
 EPICS_BASE
 ASYN
 "
 
-install_from_github -i epics-modules mca MCA $MCA_VERSION "
+install_from_github -i epics-modules mca MCA $MCA_VERSION $MCA_SHA256 "
 EPICS_BASE
 CALC
 SSCAN
@@ -126,14 +127,14 @@ ASYN
 MCA
 "
 
-download_from_github ISISComputingGroup EPICS-lakeshore $LAKESHORE_VERSION
+download_from_github ISISComputingGroup EPICS-lakeshore $LAKESHORE_VERSION $LAKESHORE_SHA256
 mv EPICS-lakeshore/lakeshore336 .
 rm -r EPICS-lakeshore
 install_module lakeshore336 LAKESHORE "
 EPICS_BASE
 "
 
-install_from_github DiamondLightSource lakeshore340 LAKESHORE340 $LAKESHORE340_VERSION "
+install_from_github DiamondLightSource lakeshore340 LAKESHORE340 $LAKESHORE340_VERSION $LAKESHORE340_SHA256 "
 EPICS_BASE
 ASYN
 CALC

base/install_motor.sh

@@ -55,7 +55,7 @@ SNCSEQ
 
 cd $EPICS_MODULES_PATH
 
-download_from_github dls-controls pmac $PMAC_VERSION
+download_from_github dls-controls pmac $PMAC_VERSION $PMAC_SHA256
 
 rm pmac/configure/RELEASE.local.linux-x86_64
 rm pmac/configure/RELEASE.linux-x86_64.Common
@@ -80,7 +80,7 @@ MOTOR
 BUSY
 "
 
-download_from_github cnpem motorParker $PARKER_VERSION
+download_from_github cnpem motorParker $PARKER_VERSION $PARKER_SHA256
 install_module motorParker MOTOR_PARKER "
 EPICS_BASE
 ASYN

base/install_opcua.sh

@@ -8,7 +8,7 @@ set -ex
 
 opcua_release_url=https://github.com/epics-modules/opcua/releases/download/v${OPCUA_VERSION}
 opcua_release_file=BDIST_opcua-${OPCUA_VERSION}_Base-${EPICS_BASE_VERSION}_debian${DEBIAN_VERSION%.*}.tar.gz
-lnls-get-n-unpack -l $opcua_release_url/$opcua_release_file
+lnls-get-n-unpack -l $opcua_release_url/$opcua_release_file $OPCUA_SHA256
 rm HOW_TO.md
 
 mv opcuaBinaryDist opcua-module

base/lnls-get-n-unpack.sh

@@ -6,20 +6,23 @@ set -eu
 
 help() {
     echo    "lnls-get-n-unpack: download and extract archive from the network"
-    echo -e "Usage: lnls-get-n-unpack <extraction_mode> <URL1> [<URL2>...]\n"
+    echo -e "Usage: lnls-get-n-unpack <extraction_mode> <URL1> <SHA256SUM1> [<URL2> <SHA256SUM2> ...]\n"
     echo    "Extraction mode:"
     echo    "  -l extracts to local directory (./)"
     echo    "  -r extracts to root directory (/)"
     echo    "URL:"
     echo    "  url to download source from."
-    exit 0
+    echo    "SHA256SUM:"
+    echo    "  Reference sha256 hash to compare url download with."
+    exit $1
 }
 
 parse_arguments() {
     if [ "$#" -eq 0 ]; then
         help
     fi
 
+    # Check extraction mode
     case "$1" in
         -r) dest=/ ;;
         -l) dest=. ;;
@@ -29,28 +32,51 @@ parse_arguments() {
             ;;
     esac
 
+    # Check if we have odd number of arguments (extraction_mode + N*url + N*sha256sum)
+    if [ $(( $# % 2 )) -ne 1 ]; then
+        >&2 echo "ERROR: Even number of arguments detected. Something is wrong."
+        help 1
+    fi
+
     # Throw extraction mode argument away
     shift
     echo "$dest $@"
 }
 
+shacheck() {
+    downloaded_file=$1
+    sha=$2
+    url=$3
+
+    if ! echo $sha $downloaded_file | sha256sum -c; then
+        echo "ERROR: SHA $sha for URL $url does not match."
+        exit 1
+    fi
+}
+
 download() {
     dest=$1
     shift
 
-    for url; do
+    while [ $# -gt 1 ]; do
+        url=$1
+        sha=$2
         download_dir=$(mktemp -d)
         echo Downloading "$url"...
         wget -P $download_dir "$url" &> /tmp/wget.log || (cat /tmp/wget.log && false)
-
         filename=$(basename $download_dir/*)
+
+        shacheck $download_dir/$filename $sha $url
+
         if [[ ${filename,,} == *".zip" ]]; then
             unzip -qo $download_dir/$filename -d $dest
         else
             tar --no-same-owner -xf $download_dir/$filename -C $dest
         fi
 
         rm -rf $download_dir /tmp/wget.log
+
+        shift 2
     done
 }