install: validate checksums

FFY00 · FFY00 · commit d676e525fe06 · 2020-05-28T23:02:25.000+01:00
Signed-off-by: Filipe Laíns &lt;lains@archlinux.org&gt;
diff --git a/README.md b/README.md
@@ -28,6 +28,8 @@ Missing components:
 ### Bootstraping
 
 `install` has a dependency on `installer`, which is used for entrypoint script
-generation. As we don't install entrypoint scripts, this dependency is not needed
-to install a `install` wheel, making `install` bootstrapable without any
-dependencies.
+generation and checksum validation. As we don't install entrypoint scripts,
+this dependency is not needed to install a `install` wheel, making `install`
+bootstrapable without any dependencies. The only thing is that you won't get the
+checksum validation, but if you are building from source that shouldn't be a
+problem.
diff --git a/install/__init__.py b/install/__init__.py
@@ -79,6 +79,22 @@ def _copy_dir(src, dst, ignore=[]):  # type: (str, str, List[str]) -> None
         _copy_dir_old(src, dst, ignore)
 
 
+def _validate_checksums(dist_info, dir):  # type: (str, str) -> None
+    try:
+        import installer.records
+
+        with open(os.path.join(dist_info, 'RECORD'), 'r') as f:
+            lines = [line.strip() for line in f]
+
+        for record in installer.records.parse_record_file(lines):
+            with open(os.path.join(dir, record.path.as_posix()), 'rb') as f:
+                if not record.validate(f.read()):
+                    raise InstallException('Invalid checksum: {}'.format(record))
+    except ImportError:
+        import warnings
+        warnings.warn("'installer' package missing, skipping checksum verification", RuntimeWarning)
+
+
 def _generate_entrypoint_scripts(file, dir):  # type: (str, str) -> None
     entrypoints = configparser.ConfigParser()
     entrypoints.read(file)
@@ -130,6 +146,8 @@ def build(wheel, cache_dir, optimize=[0, 1, 2]):  # type: (str, str, List[int])
     elif optimize:
         compileall.compile_dir(pkg_cache_dir)
 
+    _validate_checksums(dist_info, pkg_cache_dir)
+
     if os.path.isfile(entrypoints_file):
         _generate_entrypoint_scripts(entrypoints_file, scripts_cache_dir)
 
@@ -138,8 +156,6 @@ def build(wheel, cache_dir, optimize=[0, 1, 2]):  # type: (str, str, List[int])
     with open(os.path.join(cache_dir, 'metadata.pickle'), 'wb') as f:
         pickle.dump(metadata, f)
 
-    # TODO: verify checksums
-
     # TODO: replace scripts shebang
     # TODO: validate platform/python tags to make sure it is compatible
 
