From f7d772282dba60cec108b748eedd1e6dee617e44 Mon Sep 17 00:00:00 2001 From: Gunnar Beutner Date: Wed, 28 Jul 2021 18:22:01 +0200 Subject: [PATCH] Ports: Use SHA256 to verify file integrity for binutils There's no point in using a keyring file we just downloaded from the same file mirror to verify the authenticity of the binutils tarball. If someone were to compromise the file mirror they could just as easily replace the keyring file and we'd happily tell the user that their copy of binutils is genuine.
---
Ports/binutils/package.sh | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/Ports/binutils/package.sh b/Ports/binutils/package.sh
index 58f5405a9b..eb1adab851 100755
--- a/Ports/binutils/package.sh
+++ b/Ports/binutils/package.sh
@@ -3,9 +3,7 @@ port=binutils
 version=2.37
 useconfigure=true
 configopts="--target=${SERENITY_ARCH}-pc-serenity --with-sysroot=/ --with-build-sysroot=${SERENITY_INSTALL_ROOT} --disable-werror --disable-gdb --disable-nls"
-files="https://ftpmirror.gnu.org/gnu/binutils/binutils-${version}.tar.xz binutils-${version}.tar.xz
-https://ftpmirror.gnu.org/gnu/binutils/binutils-${version}.tar.xz.sig binutils-${version}.tar.xz.sig
-https://ftpmirror.gnu.org/gnu/gnu-keyring.gpg gnu-keyring.gpg"
-auth_type="sig"
+files="https://ftpmirror.gnu.org/gnu/binutils/binutils-${version}.tar.xz binutils-${version}.tar.xz 820d9724f020a3e69cb337893a0b63c2db161dadcb0e06fc11dc29eb1e84a32c"
+auth_type="sha256"
 auth_opts="--keyring ./gnu-keyring.gpg binutils-${version}.tar.xz.sig"
 export ac_cv_func_getrusage=no
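Review bot: The context line `auth_opts="--keyring ./gnu-keyring.gpg binutils-${version}.tar.xz.sig"` survives the change even though neither the keyring nor the `.sig` file is downloaded any more. With `auth_type="sha256"` it is presumably ignored, but it should be deleted so the port does not suggest that a signature check still happens. The pinned digest on the new `files=` line now carries all of the trust, and nothing in the hunk records where it came from. I would add a comment above `files=` stating how the hash was obtained, for example `# sha256 taken from a tarball verified against the upstream signature`, if that is what was done. That also tells whoever bumps `version` to derive the new digest from an independently verified tarball, not from whatever the mirror serves at that moment.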