From e742deddfff13485d2ac3456c26802dc5ac0d2e7 Mon Sep 17 00:00:00 2001
From: Maxim Biro
Date: Wed, 28 Feb 2024 01:59:19 -0500
Subject: [PATCH] feat: Check hashes of Windows dependencies when cross-compiling
It's a disableable option since we allow the user to change versions of dependencies and we obviously have hashes only for the default versions, we are not able to verify hashes of any other version, so it might be handy to be able to disable the check in that case.
---
INSTALL.md | 17 +++++++++--------
other/docker/windows/Dockerfile | 2 ++
other/docker/windows/build_dependencies.sh | 5 +++++
other/docker/windows/check_sha256.sh | 16 ++++++++++++++++
other/docker/windows/get_packages.sh | 6 ++++++
other/windows_build_script_toxcore.sh | 1 +
6 files changed, 39 insertions(+), 8 deletions(-)
create mode 100644 other/docker/windows/check_sha256.sh
diff --git a/INSTALL.md b/INSTALL.md
index c744bf1a72..857954b6ff 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -299,14 +299,15 @@ Get the toxcore source code and navigate to `other/docker/windows`. Build the container image based on the Dockerfile. The following options are available to customize the building of the container image. -| Name | Description | Expected Value | Default Value | -| --------------------- | ------------------------------------------- | ----------------------------------- | ------------- | -| `SUPPORT_ARCH_i686` | Support building 32-bit toxcore. | "true" or "false" (case sensitive). | true | -| `SUPPORT_ARCH_x86_64` | Support building 64-bit toxcore. | "true" or "false" (case sensitive). | true | -| `SUPPORT_TEST` | Support running toxcore automated tests. | "true" or "false" (case sensitive). | false | -| `VERSION_OPUS` | Version of libopus to build toxcore with. | Numeric version number. | 1.4 | -| `VERSION_SODIUM` | Version of libsodium to build toxcore with. | Numeric version number. | 1.0.19 | -| `VERSION_VPX` | Version of libvpx to build toxcore with. | Numeric version number. | 1.14.0 | +| Name | Description | Expected Value | Default Value | +| -------------------------- | ----------------------------------------------------- | ----------------------------------- | ------------- | +| `SUPPORT_ARCH_i686` | Support building 32-bit toxcore. | "true" or "false" (case sensitive). | true | +| `SUPPORT_ARCH_x86_64` | Support building 64-bit toxcore. | "true" or "false" (case sensitive). | true | +| `SUPPORT_TEST` | Support running toxcore automated tests. | "true" or "false" (case sensitive). | false | +| `VERSION_OPUS` | Version of libopus to build toxcore with. | Numeric version number. | 1.4 | +| `VERSION_SODIUM` | Version of libsodium to build toxcore with. | Numeric version number. | 1.0.19 | +| `VERSION_VPX` | Version of libvpx to build toxcore with. | Numeric version number. | 1.14.0 | +| `ENABLE_HASH_VERIFICATION` | Verify the hashes of the default dependency versions. | "true" or "false" (case sensitive). 
| true | Example of building a container image with options diff --git a/other/docker/windows/Dockerfile b/other/docker/windows/Dockerfile index 13bb6682a4..caa7a66733 100644 --- a/other/docker/windows/Dockerfile +++ b/other/docker/windows/Dockerfile @@ -7,6 +7,7 @@ FROM debian:bookworm-slim ARG VERSION_OPUS=1.4 \ VERSION_SODIUM=1.0.19 \ VERSION_VPX=1.14.0 \ + ENABLE_HASH_VERIFICATION=true \ \ SUPPORT_TEST=false \ SUPPORT_ARCH_i686=true \ @@ -20,6 +21,7 @@ ENV SUPPORT_TEST=${SUPPORT_TEST} \ CROSS_COMPILE=${CROSS_COMPILE} WORKDIR /work +COPY check_sha256.sh . COPY get_packages.sh . RUN ./get_packages.sh diff --git a/other/docker/windows/build_dependencies.sh b/other/docker/windows/build_dependencies.sh index 2b8ca4dacc..fa2353c93a 100755 --- a/other/docker/windows/build_dependencies.sh +++ b/other/docker/windows/build_dependencies.sh @@ -7,6 +7,8 @@ fi #=== Cross-Compile Dependencies === +. ./check_sha256.sh + build() { ARCH=${1} @@ -41,6 +43,7 @@ build() { echo echo "=== Building Sodium $VERSION_SODIUM $ARCH ===" curl "${CURL_OPTIONS[@]}" -O "https://github.com/jedisct1/libsodium/releases/download/$VERSION_SODIUM-RELEASE/libsodium-$VERSION_SODIUM.tar.gz" + check_sha256 "018d79fe0a045cca07331d37bd0cb57b2e838c51bc48fd837a1472e50068bbea" "libsodium-$VERSION_SODIUM.tar.gz" tar -xf "libsodium-$VERSION_SODIUM.tar.gz" cd "libsodium-stable" ./configure \ @@ -65,6 +68,7 @@ build() { fi curl "${CURL_OPTIONS[@]}" -O "https://ftp.osuosl.org/pub/xiph/releases/opus/opus-$VERSION_OPUS.tar.gz" + check_sha256 "c9b32b4253be5ae63d1ff16eea06b94b5f0f2951b7a02aceef58e3a3ce49c51f" "opus-$VERSION_OPUS.tar.gz" tar -xf "opus-$VERSION_OPUS.tar.gz" cd "opus-$VERSION_OPUS" CFLAGS="$CFLAGS $LIB_OPUS_CFLAGS" \ 
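Review bot: The digest passed in `check_sha256 "018d79fe…" "libsodium-$VERSION_SODIUM.tar.gz"` is valid only for the default `VERSION_SODIUM`, yet the call site does not say which version it was taken from, and the defaults themselves live in other files (the Dockerfile `ARG` list and `other/windows_build_script_toxcore.sh`). A version bump that misses this line will surface only as a generic mismatch at build time. I would add a comment above the call such as `# sha256 of libsodium-1.0.19.tar.gz; update together with the VERSION_SODIUM default`. The same applies to the opus call in the `@@ -65,6 +68,7 @@` hunk and the libvpx call in the `@@ -93,6 +97,7 @@` hunk. The body of `build()` starts and ends outside these hunks.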
@@ -93,6 +97,7 @@ build() { LIB_VPX_CFLAGS="-fno-asynchronous-unwind-tables" fi curl "${CURL_OPTIONS[@]}" "https://github.com/webmproject/libvpx/archive/v$VERSION_VPX.tar.gz" -o "libvpx-$VERSION_VPX.tar.gz" + check_sha256 "5f21d2db27071c8a46f1725928a10227ae45c5cd1cad3727e4aafbe476e321fa" "libvpx-$VERSION_VPX.tar.gz" tar -xf "libvpx-$VERSION_VPX.tar.gz" cd "libvpx-$VERSION_VPX" CFLAGS="$CFLAGS $LIB_VPX_CFLAGS" \ diff --git a/other/docker/windows/check_sha256.sh b/other/docker/windows/check_sha256.sh new file mode 100644 index 0000000000..6e5a4f86a4 --- /dev/null +++ b/other/docker/windows/check_sha256.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash + +check_sha256() { + [ "$ENABLE_HASH_VERIFICATION" = "true" ] && _check_sha256 "$@" +} + +_check_sha256() { + if ! (echo "$1 $2" | sha256sum -c --status -); then + echo "Error: sha256 of $2 doesn't match the known one." + echo "Expected: $1 $2" + echo "Got: $(sha256sum "$2")" + return 1 + fi + echo "sha256 matches the expected one: $1" + return 0 +} diff --git a/other/docker/windows/get_packages.sh b/other/docker/windows/get_packages.sh index 1021785138..efd81e68c9 100755 --- a/other/docker/windows/get_packages.sh +++ b/other/docker/windows/get_packages.sh @@ -51,6 +51,12 @@ if [ "$SUPPORT_TEST" = "true" ]; then curl "${CURL_OPTIONS[@]}" -O --output-dir /etc/apt/sources.list.d/ \ https://dl.winehq.org/wine-builds/debian/dists/bookworm/winehq-bookworm.sources + . ./check_sha256.sh + check_sha256 "78b185fabdb323971d13bd329fefc8038e08559aa51c4996de18db0639a51df6" \ + "/etc/apt/keyrings/winehq-archive.key" + check_sha256 "8dd8ef66c749d56e798646674c1c185a99b3ed6727ca0fbb5e493951e66c0f9e" \ + "/etc/apt/sources.list.d/winehq-bookworm.sources" + dpkg --add-architecture i386 apt-get update apt-get install -y \ diff --git a/other/windows_build_script_toxcore.sh b/other/windows_build_script_toxcore.sh index 4af35437af..9f2202d254 100644 --- a/other/windows_build_script_toxcore.sh +++ b/other/windows_build_script_toxcore.sh 
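Review bot: The libvpx digest is pinned against `https://github.com/webmproject/libvpx/archive/v$VERSION_VPX.tar.gz`, which looks like a GitHub-generated source archive rather than an uploaded release asset as used for libsodium. As far as I know such archives are produced on demand and their exact bytes are not guaranteed to stay stable, so this check could start failing without any change to the tagged source. I would document that next to the call, for example `# GitHub-generated archive: on a mismatch, compare the unpacked tree with the v$VERSION_VPX tag before updating the digest`. The body of `build()` continues outside the hunk.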
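Review bot: `check_sha256` returns non-zero whenever verification is disabled, because `[ "$ENABLE_HASH_VERIFICATION" = "true" ] && _check_sha256 "$@"` ends with the status of the failed test. If the calling scripts run under `set -e` (not visible in these hunks), setting the option to `false` aborts the build; if they do not, a mismatch reported by `_check_sha256` is only printed and the following `tar -xf` or `apt-get update` still runs. The test also fails open, since an unset variable or any value other than the exact string `true` skips the check silently. I would skip only on an explicit `false`, warn on stderr when skipping, and stop the calling script on a mismatch, as in the fence below. The error lines in `_check_sha256` would also be better sent to stderr with `>&2`.

```shell
check_sha256() {
  if [ "${ENABLE_HASH_VERIFICATION:-true}" = "false" ]; then
    echo "Warning: hash verification is disabled, skipping $2" >&2
    return 0
  fi
  # Stop the calling script on a mismatch whether or not it runs under set -e.
  _check_sha256 "$@" || exit 1
}

# … unchanged: _check_sha256 …
```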
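Review bot: Both WineHQ files are verified only after curl has written them into `/etc/apt/keyrings/` and `/etc/apt/sources.list.d/`, so keeping an unverified key away from `apt-get update` depends entirely on `check_sha256` stopping the script. Downloading into a scratch directory from `mktemp -d`, running `check_sha256 … "$tmp/winehq-archive.key"` there, and only then `mv "$tmp/winehq-archive.key" /etc/apt/keyrings/` (likewise for the `.sources` file) would keep a mismatching file out of the trusted location in every case. `winehq-bookworm.sources` is presumably a file upstream can edit in place, so a comment noting that both digests need refreshing when WineHQ republishes would save a confusing build failure. The `if [ "$SUPPORT_TEST" = "true" ]` block and the curl call for the key start outside this hunk.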
@@ -6,6 +6,7 @@ export VERSION_OPUS="1.4" export VERSION_SODIUM="1.0.19" export VERSION_VPX="1.14.0" +export ENABLE_HASH_VERIFICATION=true export SUPPORT_TEST=false export SUPPORT_ARCH_i686=true