install: validate checksums

Signed-off-by: Filipe Laíns <[email protected]>
FFY00 · May 30, 2020 · 6de1a38 · 6de1a38
1 parent aa06206
commit 6de1a38
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -22,14 +22,15 @@ optional arguments:
 ```
 
 Missing components:
-  - Checksum verification
   - Custom data installation:
     - `headers`
     - `data`
 
 ### Bootstraping
 
 `install` has a dependency on `installer`, which is used for entrypoint script
-generation. As we don't install entrypoint scripts, this dependency is not needed
-to install a `install` wheel, making `install` bootstrapable without any
-dependencies.
+generation and checksum validation. As we don't install entrypoint scripts,
+this dependency is not needed to install a `install` wheel, making `install`
+bootstrapable without any dependencies. The only thing is that you won't get the
+checksum validation, but if you are building from source that shouldn't be a
+problem.
diff --git a/install/__init__.py b/install/__init__.py
@@ -87,6 +87,22 @@ def _copy_dir(src, dst, ignore=[]):  # type: (str, str, List[str]) -> None
                 shutil.copy2(path, root)
 
 
+def _validate_checksums(dist_info, dir):  # type: (str, str) -> None
+    try:
+        import installer.records
+
+        with open(os.path.join(dist_info, 'RECORD'), 'r') as f:
+            lines = [line.strip() for line in f]
+
+        for record in installer.records.parse_record_file(lines):
+            with open(os.path.join(dir, record.path.as_posix()), 'rb') as fr:
+                if not record.validate(fr.read()):
+                    raise InstallException('Invalid checksum: {}'.format(record))
+    except ImportError:
+        import warnings
+        warnings.warn("'installer' package missing, skipping checksum verification", RuntimeWarning)
+
+
 def _generate_entrypoint_scripts(file, dir):  # type: (str, str) -> None
     entrypoints = configparser.ConfigParser()
     entrypoints.read(file)
@@ -137,6 +153,8 @@ def build(wheel, cache_dir, optimize=[0, 1, 2]):  # type: (str, str, List[int])
     elif optimize:
         compileall.compile_dir(pkg_cache_dir)
 
+    _validate_checksums(dist_info, pkg_cache_dir)
+
     if os.path.isfile(entrypoints_file):
         _generate_entrypoint_scripts(entrypoints_file, scripts_cache_dir)
 
@@ -145,8 +163,6 @@ def build(wheel, cache_dir, optimize=[0, 1, 2]):  # type: (str, str, List[int])
     with open(os.path.join(cache_dir, 'metadata.pickle'), 'wb') as f:
         pickle.dump(metadata, f)
 
-    # TODO: verify checksums
-
     # TODO: replace scripts shebang
     # TODO: validate platform/python tags to make sure it is compatible
     warnings.warn('Platform/Python tags were not verified for compatibity, make sure the wheel is compatible', InstallWarning)