[RFC] rpmbuild,check: verify file hashes #3039
Draft
Note
This is a demonstrator to steer discussions. A fully functional variant would likely use a dynamic container to store the hashes, handle errors better, and use a more sophisticated hash function.
We are aware that there are ways around this validation and still modify build files from the %check phase.
This is one way to implement the requirement to have an immutable build root during rpmbuild's %check phase, as described in #3010.
Testing Done
I compiled the xz-utils package of Amazon Linux 2 in an Amazon Linux 2 container image with this change. We also tested a malicious RPM that modified its build files during %check.
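The check described above, hashing the build files before `%check` and comparing afterwards, as an added sketch that is not code from this pull request or from rpm. The names `snapshot`, `compare` and `demo`, the choice of SHA-256, and the constructed build tree are assumptions made for illustration.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Record type, mode and SHA-256 (or link target) of every entry under root."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            mode = stat.S_IMODE(st.st_mode)
            if stat.S_ISLNK(st.st_mode):
                entry = ("link", os.readlink(full))
            elif stat.S_ISREG(st.st_mode):
                digest = hashlib.sha256()
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        digest.update(chunk)
                entry = ("file", mode, digest.hexdigest())
            else:
                entry = ("dir" if stat.S_ISDIR(st.st_mode) else "other", mode)
            snap[os.path.relpath(full, root)] = entry
    return snap

def compare(before, after):
    """Report paths added, removed or modified between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }

def demo():
    """Constructed build tree; the writes below stand in for a %check script."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "src"))
        obj = os.path.join(root, "src", "main.o")
        with open(obj, "wb") as fh:
            fh.write(b"compiled object\n")
        before = snapshot(root)           # taken after %build, before %check
        with open(obj, "ab") as fh:       # a build product is altered
            fh.write(b"extra bytes")
        open(os.path.join(root, "test.log"), "w").close()  # new file appears
        return compare(before, snapshot(root))  # taken after %check

if __name__ == "__main__":
    print(demo())
```

Whether files that appear during `%check` (the `added` list) count as a violation is a policy decision this sketch leaves open.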