From c596ac60a568fdcace8e73e9649e91faf6cba0c8 Mon Sep 17 00:00:00 2001
From: Adrian Cochrane
Date: Mon, 8 Jun 2015 16:31:38 +1200
Subject: [PATCH] install_with_python: Secure Python download with sha256 checks.

Includes a fallback using md5sum and a refactor to ensure files are cleaned up on failure.

Signed-off-by: Adrian Cochrane
Reviewed-by: Andrew Bartlett
Reviewed-by: Martin Schwenke
Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Fri Jul 24 05:19:06 CEST 2015 on sn-devel-104
---
install_with_python.sh | 41 ++++++++++++++++++++++++++++++-----------
1 file changed, 30 insertions(+), 11 deletions(-)
diff --git a/install_with_python.sh b/install_with_python.sh
index e545ecc3223..9335cfe2be8 100755
--- a/install_with_python.sh
+++ b/install_with_python.sh
@@ -18,20 +18,39 @@ export LD_LIBRARY_PATH
 VERSION="Python-2.6.5"
 
 do_install_python() {
- mkdir -p python_install || exit 1
- rsync -avz samba.org::ftp/tridge/python/$VERSION.tar python_install || exit 1
- cd python_install || exit 1;
- rm -rf $VERSION || exit 1
- tar -xf $VERSION.tar || exit 1
- cd $VERSION || exit 1
- ./configure --prefix=$PREFIX/python --enable-shared --disable-ipv6 || exit 1
- make || exit 1
- make install || exit 1
- cd ../.. || exit 1
- rm -rf python_install || exit 1
+ set -e
+ mkdir -p python_install
+ rsync -avz samba.org::ftp/tridge/python/$VERSION.tar python_install
+ cd python_install
+ rm -rf $VERSION
+
+ # Verify that the download hasn't been corrupted
+ # This checks Python-2.6.5, while more hashes my be added later.
+ if command -v sha256sum
+ then
+ echo "2f1ec5e52d122bf1864529c1bbac7fe6afc10e3a083217b3a7bff5ded37efcc3 Python-2.6.5.tar" > checksums.sha256
+ sha256sum --status -c checksums.sha256
+ else
+ echo "c83cf77f32463c3949b85c94f661c090 Python-2.6.5.tar" > checksums.md5
+ md5sum --status -c checksums.md5
+ fi
+
+ tar -xf $VERSION.tar
+ cd $VERSION
+ ./configure --prefix=$PREFIX/python --enable-shared --disable-ipv6
+ make
+ make install
+ cd ../..
+ rm -rf python_install
+}
+
+cleanup_install_python() {
+ rm -rf python_install
+ exit 1
 }
 
 if [ ! -d $PREFIX/python ]; then
+ trap "cleanup_install_python" 0
 # needs to be installed
 do_install_python
 fi
-- 
2.45.1
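Review bot: The `trap "cleanup_install_python" 0` added before the `do_install_python` call is never cleared in this hunk, so unless the rest of the script (outside the hunk) resets it, it also fires on a normal exit and its `exit 1` turns a successful install into a failure status; add `trap - 0` right after `do_install_python` returns. The cleanup also runs in whatever directory the failing step left the shell in: every command after `cd python_install` fails from inside that tree, so the relative `rm -rf python_install` removes nothing, and the function should record an absolute path before the first `cd` and delete that instead. Separately, the `md5sum` branch silently downgrades the check to a digest without collision resistance, which matches the "hasn't been corrupted" comment but not the "Secure" in the subject line; failing closed when `sha256sum` is missing (or trying `shasum -a 256 -c` first) would keep the integrity guarantee the same on every host. `command -v sha256sum` also prints the tool path to stdout and would read better as `command -v sha256sum >/dev/null`.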