From 398c99e981e64b8bdee5a7e3249cbb7260127881 Mon Sep 17 00:00:00 2001
From: Timothy Flynn
Date: Thu, 23 May 2024 12:19:12 -0400
Subject: [PATCH] Meta: Use SHA-256 verification for downloaded CA certificate files

---
 Meta/CMake/ca_certificates_data.cmake                | 7 ++++---
 Meta/gn/secondary/Userland/Libraries/LibTLS/BUILD.gn | 5 ++++-
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/Meta/CMake/ca_certificates_data.cmake b/Meta/CMake/ca_certificates_data.cmake
index 383f8695ae..fed998b5fb 100644
--- a/Meta/CMake/ca_certificates_data.cmake
+++ b/Meta/CMake/ca_certificates_data.cmake
@@ -1,8 +1,9 @@
 include(${CMAKE_CURRENT_LIST_DIR}/utils.cmake)
 
-set(CACERT_PATH "${SERENITY_CACHE_DIR}/CACERT" CACHE PATH "Download location for cacert.pem")
+set(CACERT_VERSION "2023-12-12")
+set(CACERT_SHA256 "ccbdfc2fe1a0d7bbbb9cc15710271acf1bb1afe4c8f1725fe95c4c7733fcbe5a")
 
-set(CACERT_VERSION 2023-12-12)
+set(CACERT_PATH "${SERENITY_CACHE_DIR}/CACERT" CACHE PATH "Download location for cacert.pem")
 set(CACERT_VERSION_FILE "${CACERT_PATH}/version.txt")
 set(CACERT_FILE cacert-${CACERT_VERSION}.pem)
 
@@ -12,7 +13,7 @@ set(CACERT_INSTALL_FILE cacert.pem)
 
 if (ENABLE_CACERT_DOWNLOAD)
     remove_path_if_version_changed("${CACERT_VERSION}" "${CACERT_VERSION_FILE}" "${CACERT_PATH}")
-    download_file("${CACERT_URL}" "${CACERT_PATH}/${CACERT_FILE}")
+    download_file("${CACERT_URL}" "${CACERT_PATH}/${CACERT_FILE}" SHA256 "${CACERT_SHA256}")
 
     if (NOT "${CMAKE_STAGING_PREFIX}" STREQUAL "")
         set(CACERT_INSTALL_PATH ${CMAKE_STAGING_PREFIX}/etc/${CACERT_INSTALL_FILE})
diff --git a/Meta/gn/secondary/Userland/Libraries/LibTLS/BUILD.gn b/Meta/gn/secondary/Userland/Libraries/LibTLS/BUILD.gn
index a85499ea3b..34ffcef9f6 100644
--- a/Meta/gn/secondary/Userland/Libraries/LibTLS/BUILD.gn
+++ b/Meta/gn/secondary/Userland/Libraries/LibTLS/BUILD.gn
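Review bot: `CACERT_VERSION` and `CACERT_SHA256` are now a coupled pair, but nothing in the first hunk says so, and bumping the version without recomputing the digest will make every download fail until someone traces it back. Add a comment above the two `set()` lines such as `# CACERT_SHA256 is the digest of cacert-${CACERT_VERSION}.pem; update both together when bumping the version.` The same pair is hard-coded a second time in Meta/gn/secondary/Userland/Libraries/LibTLS/BUILD.gn, so the comment should also name that file as the other place to update.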
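Review bot: In the second hunk the digest is only handed to `download_file`, whose implementation lives in utils.cmake outside this patch; if that helper returns early when the destination already exists, a cacert-2023-12-12.pem cached before this change is never checked, because `remove_path_if_version_changed` only clears the cache on a version change and the version is unchanged here. Worth confirming that `download_file` verifies an existing file against `SHA256` and re-fetches on mismatch rather than skipping it; alternatively fold the digest into the cache key so a hash change also invalidates the cache, e.g. `remove_path_if_version_changed("${CACERT_VERSION}-${CACERT_SHA256}" "${CACERT_VERSION_FILE}" "${CACERT_PATH}")`. The enclosing `if (ENABLE_CACERT_DOWNLOAD)` block continues past the end of the hunk.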
@@ -9,12 +9,15 @@ declare_args() {
 cacert_cache = cache_path + "CACERT/"
 
+cacert_version = "2023-12-12"
+
 if (enable_cacert_download) {
   download_file("ca_certificates_download") {
-    version = "2023-12-12"
+    version = cacert_version
     url = "https://curl.se/ca/cacert-$version.pem"
     output = "$root_build_dir/cacert.pem"
     version_file = cacert_cache + "version.txt"
+    sha256 = "ccbdfc2fe1a0d7bbbb9cc15710271acf1bb1afe4c8f1725fe95c4c7733fcbe5a"
   }
 
   # FIXME: Copy file to /etc/cacert.pem on serenity
 }
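Review bot: `sha256` is left as a literal inside the `download_file` template while `version` was just hoisted into `cacert_version`; keeping the digest next to the version it belongs to makes the pair easier to bump together, e.g. `cacert_sha256 = "<same digest>"` beside `cacert_version` and `sha256 = cacert_sha256` in the template. The same version/digest pair is also hard-coded in Meta/CMake/ca_certificates_data.cmake, so a one-line comment on `cacert_version` pointing there would help keep the two build systems from drifting. How the `download_file` template behaves on a digest mismatch or for an already-cached file is not visible in this hunk.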