authorMichał Górny <mgorny@gentoo.org>2017-11-13 18:22:57 +0100
committerMichał Górny <mgorny@gentoo.org>2019-04-09 13:05:55 +0200
commit7ddae3e7a10da7ac267245e04cab1504d9c649af (patch)
treeee76f471b9f343d3e7b49861a6ac6bfd6ab9446f /local/update-05-manifest
parentbugs: Combine multiple commits into a single message (diff)
Add a script to verify Manifest type & checksums
Diffstat (limited to 'local/update-05-manifest')
-rwxr-xr-xlocal/update-05-manifest51
1 files changed, 51 insertions, 0 deletions
diff --git a/local/update-05-manifest b/local/update-05-manifest
new file mode 100755
index 0000000..ae64211
--- /dev/null
+++ b/local/update-05-manifest
@@ -0,0 +1,51 @@
+#!/bin/bash
+# Copyright 2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2 or later
+
+# Author: Michał Górny <mgorny@gentoo.org>
+
+refname=$1
+oldrev=$2
+newrev=$3
+
+export LC_MESSAGES=C
+
+# enforce only on master branch
+[[ ${refname} == refs/heads/master ]] || exit 0
+
+ret=0
+while read commithash; do
+ # check for any Manifest changes
+ while read fname; do
+ if [[ ${fname} == */Manifest ]]; then
+ # check the resulting Manifest line-by-line
+ while read tag mfile size hashes; do
+ if [[ ${tag} != DIST ]]; then
+ echo "Thin Manifests can contain only DIST lines!"
+ echo " commit: ${commithash}"
+ echo " file: ${fname}"
+ echo " entry: ${tag} ${fname} ${size} ${hashes}"
+ ret=1
+ break
+ fi
+
+ case ${hashes} in
+ *SHA256*SHA512*WHIRLPOOL*)
+ ;;
+ *BLAKE2B*SHA512*)
+ ;;
+ *)
+ echo "Disallowed hash set in Manifest!"
+ echo " commit: ${commithash}"
+ echo " file: ${fname}"
+ echo " entry: ${tag} ${fname} ${size} ${hashes}"
+ ret=1
+ break
+ ;;
+ esac
+ done < <(git cat-file -p "${commithash}:${fname}")
+ fi
+ done < <(git diff --diff-filter=d --name-only "${commithash}^".."${commithash}")
+done < <(git rev-list "${oldrev}..${newrev}")
+
+exit ${ret}
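Review bot: The innermost loop `while read tag mfile size hashes; do` never inspects a final Manifest line that lacks a trailing newline, because `read` returns non-zero at EOF even though it has already filled the variables, so that line skips both the DIST check and the hash-set check; `while read -r tag mfile size hashes || [[ -n ${tag} ]]; do` would cover it. The hook also fails open: if any of the three `git` commands inside `< <(...)` exits with an error (for example `"${commithash}^"` on a commit without a parent, or presumably an all-zero `${oldrev}` when the ref is being created), its loop just sees no input and `ret` stays 0, and nothing in the hunk checks those exit statuses. Separately, both `entry:` messages print `${fname}` where the parsed `${mfile}` looks intended, so the report repeats the Manifest path instead of naming the offending distfile: `echo " entry: ${tag} ${mfile} ${size} ${hashes}"`.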