Don't use BLAKE2 digests for Tails PIP packages.

maqp · Apr 21, 2023 · 1ecacc5 · 1ecacc5
1 parent 18c4d30
commit 1ecacc5
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 16 deletions.
diff --git a/install.sh b/install.sh
@@ -438,16 +438,16 @@ function verify_packages() {
         fi
 
         # Calculate the purported hash from the downloaded file
-        purp_hash=$(b2sum "${INSTALL_DIR}/${dep_file_name}" | awk '{print $1}')
+        purp_hash=$(sha512sum "${INSTALL_DIR}/${dep_file_name}" | awk '{print $1}')
 
         # Load pinned hash from the hashmap based on filename
         pinned_hash=${dependency_hashes[${dep_file_name}]}
 
         # Compare the purported hash to the pinned hash
         if echo "${purp_hash}" | cmp -s <(echo "$pinned_hash"); then
-            echo "OK - Pinned BLAKE2b hash matched file ${dep_file_name}"
+            echo "OK - Pinned SHA512 hash matched file ${dep_file_name}"
         else
-            echo "Error: ${dep_file_name} had an invalid BLAKE2b hash:"
+            echo "Error: ${dep_file_name} had an invalid SHA512 hash:"
             echo "${purp_hash}"
             echo "Expected following hash:"
             echo "${pinned_hash}"

diff --git a/install.sh.asc b/install.sh.asc
@@ -1,16 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 
-iQIzBAABCgAdFiEEezGdWvqo2PnNVluHYeTHwtf8TU8FAmRBgY4ACgkQYeTHwtf8
-TU+cZw//ScuEtVl4rZkngxG1fVdg08oFjVvpNipZszz44IWXOqLfIQhUYzrh8K9O
-VtvZ108tcGCLTgkjj9e2ycL8/hcq98tIvnxasUP2OIn662ZGj021ZP6D10+Lix7S
-uYyQZv8MtDjq64RJZF5tAo4bQ2z6ltrxXqmFbzxk0l191Ubvqi4gVdcwb3vZ+Y30
-jIZGm4YykVZZw4rfDNl6qz93Evvo9YSb344sbSbtnE3OIjAH8300LUzXr3LigfAy
-W7kUe2NbG3D5npDZljv2g2LlOKeLnywraJjQIio2nSt1CHVNFPmh4MvGEHBtE3g/
-zFka78Wr0JG6f3cz+MQOoUHmyfHmG5Y1Biw8hVsVjDskbbDYW2TQ68NOePtz5STt
-itICTmU3RAFu897sUoiPvRDDP1h4a+VcCwhE914MgfUg2jBBYkxRzVeUBroR//6o
-6/FT7lBnB0KKCjHTjM7TEZ3nl/8nSRqEh01ScpFq9v7SKAeMpdBdJqp09Jodlg04
-JtV8Mvvs98WKk4ZiHXc1/t2yxFCaqzGeEVifqo09S3ImEIZ2QAPOBqsICSG3SAPs
-i/JZiLLOhwkVQr2M2PAVkfjVPm2RLx5Csp/4EXB9/2NdqqfkInURJN9EV2fY9C7c
-hTXJghZxw+Thz9mOXtFXGtC4apQCMeXvo6cK0kBfjbIA7zNw86g=
-=bMHx
+iQIzBAABCgAdFiEEezGdWvqo2PnNVluHYeTHwtf8TU8FAmRB8GwACgkQYeTHwtf8
+TU/6RA//YZ8IvlJe7hHELc3VeoKbUOiCEy5q/vZ0pWmgrwP2nnpxJtEdLc9zbYMr
+o7exXshmp2OTru6gGgKuccHVHU3Igx0pr78YoOK9KKP6I6NAYpLvWslxLk1aL0JI
+3fDgeAOwJl4Y1fHBcWi4QNXOH/r7DOHcgAq869C0/86c+T88rPa5/tnyNMKVZok6
+YhgZRxBHZFHhy4fJXGAdQWRft3TDKcQTN0mh0rJ+CV9yk/tCCcb8n2SPjtoHBR+r
+NP9r1g3+P65tWzJzSZyUhPKyNr4hsWgR2qNd93dj298+2Fa7kp2RQtn8+6OvFa/j
+Vo6q0BYreRE/DEcF1ZohdrUen1BkzTjLrUG2pzCDZKVIBkosXpnI4q6ToYRDMGq6
+uLpAtDRraCAZzAPVF1QBVZiLHUCLShUTY/tepGpKqqS2NUGhTWMunXrCybiUz7p5
+sx4tsOcAH28pkvfraaOo0kaHWg6wqxdktshpeCPzz1QKPshrQuE2w6SuS9KmQYm8
+8vg81xxSmYUtUVpEofRqpDY1l2uokRMr7M9PDpzTswzQB1COxahPTORKF7fewkB9
+WIyW2RMeSW9VI8xSDNn7XQhcftqSrmdPB0WZOM40Lmtfg0LZSgnbTjrIr1GziexP
+TbBMXRr7O0bivFV0m1uslNQUEIj9YSazMHfRghXjLPFKbtHgKQA=
+=QEQ1
 -----END PGP SIGNATURE-----