Ports: Use SHA256 to verify file integrity for binutils

There's no point in using a keyring file we just downloaded from the same file mirror to verify the authenticity of the binutils tarball. If someone were to compromise the file mirror they could just as easily replace the keyring file and we'd happily tell the user that their copy of binutils is genuine.
Author: https://github.com/gunnarbeutner Commit: https://github.com/SerenityOS/serenity/commit/f7d772282db Pull-request: https://github.com/SerenityOS/serenity/pull/9075 Issue: https://github.com/SerenityOS/serenity/issues/8377
2024-12-27 13:11:46 +03:00 · 2021-07-28 18:22:01 +02:00 · 2021-07-28 18:22:01 +02:00 · f7d772282d · 2024-07-18 07:59:00 +09:00
commit f7d772282d
parent edce9153af
1 changed files with 2 additions and 4 deletions
--- a/Ports/binutils/package.sh
+++ b/Ports/binutils/package.sh
@ -3,9 +3,7 @@ port=binutils
 version=2.37
 useconfigure=true
 configopts="--target=${SERENITY_ARCH}-pc-serenity --with-sysroot=/ --with-build-sysroot=${SERENITY_INSTALL_ROOT} --disable-werror --disable-gdb --disable-nls"
-files="https://ftpmirror.gnu.org/gnu/binutils/binutils-${version}.tar.xz binutils-${version}.tar.xz
-https://ftpmirror.gnu.org/gnu/binutils/binutils-${version}.tar.xz.sig binutils-${version}.tar.xz.sig
-https://ftpmirror.gnu.org/gnu/gnu-keyring.gpg gnu-keyring.gpg"
-auth_type="sig"
+files="https://ftpmirror.gnu.org/gnu/binutils/binutils-${version}.tar.xz binutils-${version}.tar.xz 820d9724f020a3e69cb337893a0b63c2db161dadcb0e06fc11dc29eb1e84a32c"
+auth_type="sha256"
 auth_opts="--keyring ./gnu-keyring.gpg binutils-${version}.tar.xz.sig"
 export ac_cv_func_getrusage=no