Meta: Use SHA-256 verification for downloaded CA certificate files

2024-10-07 00:19:27 +00:00 · 2024-05-23 12:19:12 -04:00 · 2024-05-23 12:19:12 -04:00 · 398c99e981
parent 3b2c8d0af2
commit 398c99e981
2 changed files with 8 additions and 4 deletions
--- a/Meta/CMake/ca_certificates_data.cmake
+++ b/Meta/CMake/ca_certificates_data.cmake
@ -1,8 +1,9 @@
 include(${CMAKE_CURRENT_LIST_DIR}/utils.cmake)

-set(CACERT_PATH "${SERENITY_CACHE_DIR}/CACERT" CACHE PATH "Download location for cacert.pem")
+set(CACERT_VERSION "2023-12-12")
+set(CACERT_SHA256 "ccbdfc2fe1a0d7bbbb9cc15710271acf1bb1afe4c8f1725fe95c4c7733fcbe5a")

-set(CACERT_VERSION 2023-12-12)
+set(CACERT_PATH "${SERENITY_CACHE_DIR}/CACERT" CACHE PATH "Download location for cacert.pem")
 set(CACERT_VERSION_FILE "${CACERT_PATH}/version.txt")

 set(CACERT_FILE cacert-${CACERT_VERSION}.pem)
@ -12,7 +13,7 @@ set(CACERT_INSTALL_FILE cacert.pem)
 if (ENABLE_CACERT_DOWNLOAD)
    remove_path_if_version_changed("${CACERT_VERSION}" "${CACERT_VERSION_FILE}" "${CACERT_PATH}")

-    download_file("${CACERT_URL}" "${CACERT_PATH}/${CACERT_FILE}")
+    download_file("${CACERT_URL}" "${CACERT_PATH}/${CACERT_FILE}" SHA256 "${CACERT_SHA256}")

    if (NOT "${CMAKE_STAGING_PREFIX}" STREQUAL "")
        set(CACERT_INSTALL_PATH ${CMAKE_STAGING_PREFIX}/etc/${CACERT_INSTALL_FILE})
--- a/Meta/gn/secondary/Userland/Libraries/LibTLS/BUILD.gn
+++ b/Meta/gn/secondary/Userland/Libraries/LibTLS/BUILD.gn
@ -9,12 +9,15 @@ declare_args() {

 cacert_cache = cache_path + "CACERT/"

+cacert_version = "2023-12-12"
+
 if (enable_cacert_download) {
  download_file("ca_certificates_download") {
-    version = "2023-12-12"
+    version = cacert_version
    url = "https://curl.se/ca/cacert-$version.pem"
    output = "$root_build_dir/cacert.pem"
    version_file = cacert_cache + "version.txt"
+    sha256 = "ccbdfc2fe1a0d7bbbb9cc15710271acf1bb1afe4c8f1725fe95c4c7733fcbe5a"
  }
  # FIXME: Copy file to /etc/cacert.pem on serenity
 }