diff options
author | Leah Rowe <leah@libreboot.org> | 2023-09-09 16:39:26 +0100 |
---|---|---|
committer | Leah Rowe <leah@libreboot.org> | 2023-09-09 16:39:26 +0100 |
commit | 878550d51949cec38cc475c1ec87b968e8fbec6b (patch) | |
tree | ee1df97bb23ed2b13413853324542f9cc4ae53ed /script/update/blobs/download | |
parent | 022e0200df14222cee54dddf5faada1177f97319 (diff) |
use sha512sum to check downloads, not sha1sum
sha-1 has known collision issues, which may not be readily
exploitable yet (in our context), but we should ideally use
a more secure method for checking file integrity.
therefore, use sha-2 (sha512sum) for checking files. this is
slower than sha-1, but checksum verification is only a minor
part of what lbmk does, so the overall effect on build times
is quite negligible.
Signed-off-by: Leah Rowe <leah@libreboot.org>
Diffstat (limited to 'script/update/blobs/download')
-rwxr-xr-x | script/update/blobs/download | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/script/update/blobs/download b/script/update/blobs/download index 2903c504..0364bfa5 100755 --- a/script/update/blobs/download +++ b/script/update/blobs/download @@ -455,7 +455,7 @@ vendor_checksum() printf "Vendor update not found on disk for: %s\n" "${board}" \ 1>&2 return 1 - elif [ "$(sha1sum ${dl_path} | awk '{print $1}')" != "${1}" ]; then + elif [ "$(sha512sum ${dl_path} | awk '{print $1}')" != "${1}" ]; then printf "Bad checksum on vendor update for: %s\n" "${board}" 1>&2 return 1 fi |