install: validate checksums

Signed-off-by: Filipe Laíns <[email protected]>
FFY00 · Jun 5, 2020 · 77006d8 · 77006d8
1 parent 103f418
commit 77006d8
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -24,14 +24,15 @@ optional arguments:
 ```
 
 Missing components:
-  - Checksum verification
   - Custom data installation:
     - `headers`
     - `data`
 
 ### Bootstraping
 
 `install` has a dependency on `installer`, which is used for entrypoint script
-generation. As we don't install entrypoint scripts, this dependency is not needed
-to install a `install` wheel, making `install` bootstrapable without any
-dependencies.
+generation and checksum validation. As we don't install entrypoint scripts,
+this dependency is not needed to install a `install` wheel, making `install`
+bootstrapable without any dependencies. The only thing is that you won't get the
+checksum validation, but if you are building from source that shouldn't be a
+problem.
diff --git a/install/__init__.py b/install/__init__.py
@@ -92,6 +92,21 @@ def _copy_dir(src, dst, ignore=[]):  # type: (str, str, List[str]) -> None
                 shutil.copy2(path, root)
 
 
+def _validate_checksums(dist_info, dir):  # type: (str, str) -> None
+    try:
+        import installer.records
+
+        with open(os.path.join(dist_info, 'RECORD'), 'r') as f:
+            lines = [line.strip() for line in f]
+
+        for record in installer.records.parse_record_file(lines):
+            with open(os.path.join(dir, record.path.as_posix()), 'rb') as fr:
+                if not record.validate(fr.read()):
+                    raise InstallException('Invalid checksum: {}'.format(record))
+    except ImportError:
+        warnings.warn("'installer' package missing, skipping checksum verification", RuntimeWarning)
+
+
 def _generate_entrypoint_scripts(file, dir):  # type: (str, str) -> None
     entrypoints = configparser.ConfigParser()
     entrypoints.read(file)
@@ -228,6 +243,8 @@ def build(wheel, cache_dir, optimize=[0, 1, 2], verify_dependencies=False):  # t
     elif optimize:
         compileall.compile_dir(pkg_cache_dir)
 
+    _validate_checksums(dist_info, pkg_cache_dir)
+
     if os.path.isfile(entrypoints_file):
         _generate_entrypoint_scripts(entrypoints_file, scripts_cache_dir)