add option to disable checksum validation (#115)

* add option to disable checksum validation

* add section to BUILDING.md for bypassing checksum validation

Author: thewh1teagle

BUILDING.md

@@ -202,6 +202,14 @@ patchelf --set-rpath '$ORIGIN' /path/to/binary/or/shared/library.so
 
 For debug the build process of sherpa-onnx, please set `SHERPA_BUILD_DEBUG=1` environment variable before build.
 
+### Bypass checksum validation (NOT RECOMMENDED)
+
+If you encounter checksum validation errors and trust the download source, you can bypass validation:
+
+```console
+UNSAFE_DISABLE_CHECKSUM_VALIDATION=1 cargo build
+```
+
 ## Release new version
 
 ```console
@@ -268,4 +276,4 @@ Open Visual Studio Installer, go to Individual Components, search ARM64, select
 ```console
 rustup target add aarch64-pc-windows-msvc
 cargo build --no-default-features --target aarch64-pc-windows-msvc --release
-```
+```

Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "sherpa-rs-sys"
-version = "0.6.6"
+version = "0.6.7"
 edition = "2021"
 authors = ["thewh1teagle"]
 homepage = "https://github.com/thewh1teagle/sherpa-rs"

crates/sherpa-rs-sys/Cargo.toml

@@ -202,6 +202,30 @@ fn rerun_if_changed(vars: &[&str]) {
     }
 }
 
+fn verify_checksum(actual_hash: &str, expected_hash: &str) {
+    if env::var("UNSAFE_DISABLE_CHECKSUM_VALIDATION").unwrap_or_default() == "1" {
+        println!("cargo:warning=UNSAFE: Checksum validation disabled!");
+        return;
+    }
+
+    if actual_hash != expected_hash {
+        panic!(
+            "Checksum validation failed!\n\
+            Expected: {}\n\
+            Got:      {}\n\
+            \n\
+            This usually means the downloaded file is corrupted or has been tampered with.\n\
+            \n\
+            Possible solutions:\n\
+            1. Try cleaning the cache and rebuilding: cargo clean && cargo build\n\
+            2. Check your internet connection and try again\n\
+            3. If you trust the source and want to bypass validation (NOT RECOMMENDED):\n\
+               UNSAFE_DISABLE_CHECKSUM_VALIDATION=1 cargo build",
+            expected_hash, actual_hash
+        );
+    }
+}
+
 fn main() {
     rerun_if_changed(&["wrapper.h", "dist.json", "checksum.txt", "./sherpa-onnx"]);
     rerun_on_env_changes(&[
@@ -212,6 +236,7 @@ fn main() {
         "SHERPA_STATIC_CRT",
         "SHERPA_LIB_PROFILE",
         "BUILD_DEBUG",
+        "UNSAFE_DISABLE_CHECKSUM_VALIDATION",
     ]);
 
     let target_os = env::var("CARGO_CFG_TARGET_OS").unwrap();
@@ -357,13 +382,7 @@ fn main() {
             if (is_mobile && cache_dir_empty) || (!is_mobile && !lib_dir.exists()) {
                 let downloaded_file = fetch_file(&dist.url);
                 let hash = sha256(&downloaded_file);
-                // verify checksum
-                assert_eq!(
-                    hash, dist.checksum,
-                    "Checksum mismatch: {} != {}",
-                    hash, dist.checksum
-                );
-
+                verify_checksum(&hash, &dist.checksum);
                 extract_tbz(&downloaded_file, &cache_dir);
             } else {
                 debug_log!("Skip fetch file. Using cache from {}", lib_dir.display());

crates/sherpa-rs-sys/build.rs

@@ -1,6 +1,6 @@
 [package]
 name = "sherpa-rs"
-version = "0.6.6"
+version = "0.6.7"
 edition = "2021"
 authors = ["thewh1teagle"]
 license = "MIT"
@@ -21,7 +21,7 @@ crate-type = ["cdylib", "rlib"]
 [dependencies]
 eyre = "0.6.12"
 hound = { version = "3.5.1" }
-sherpa-rs-sys = { path = "../sherpa-rs-sys", version = "0.6.6", default-features = false }
+sherpa-rs-sys = { path = "../sherpa-rs-sys", version = "0.6.7", default-features = false }
 tracing = "0.1.40"
 
 [dev-dependencies]
@@ -125,4 +125,4 @@ path = "../../examples/dolphin.rs"
 
 [[example]]
 name = "parakeet"
-path = "../../examples/parakeet.rs"
+path = "../../examples/parakeet.rs"