Hello @voxik, `sha256sum` etc. are in coreutils, which I bet rpm already
requires...i mean coreutils should be present on any system anyway.
An interesting idea with `%(sha512sum -c sources)` but I wouldn't bring the
sources file into the picture because it is used to fetch files from dist-git
before rpmbuild even happens and checksums are checked at that stage. All urls
that are now pointing to upstream would need to change to point to dist-git
lookaside cache if the rpm mechanism for downloading should be used instead of
the fedpkg one.
We could use a bit of bash code `%([ "$(sha256sum <path_to_source_filename> |
cut -d " " -f 1)" = <checksum> ])` to do the verification per downloaded
source but i think `<path_to_source_filename>` might be slightly tricky unless
rpm exposes enviroment variable like 'SOURCES'. Also maybe it would be more
pleasant to have the support for this in rpm than to put those snippets into
spec.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/463#issuecomment-603211487
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint