From 58386e35783acad2f275e5d0d990c9aefd1f3d9f Mon Sep 17 00:00:00 2001
From: Charles Kerr <charles@charleskerr.com>
Date: Thu, 6 Jun 2024 18:18:24 -0500
Subject: [PATCH] refactor: use sha256 checksums (#31)

* feat: use Sha256 instead of Sha1

Xref: https://chromium-review.googlesource.com/c/chromium/src/+/5506275

* fixup! feat: use Sha256 instead of Sha1

use sha256 in build_and_upload.py, too

* fixup! feat: use Sha256 instead of Sha1

fix sysroot-creator.sh too

* chore: change upload filename

Xref: https://chromium-review.googlesource.com/c/chromium/src/+/5506275
---
 .../linux/sysroot_scripts/build_and_upload.py | 12 +++++------
 .../linux/sysroot_scripts/install-sysroot.py  | 20 +++++++++----------
 .../linux/sysroot_scripts/sysroot-creator.sh  |  5 ++---
 3 files changed, 18 insertions(+), 19 deletions(-)

diff --git a/build/linux/sysroot_scripts/build_and_upload.py b/build/linux/sysroot_scripts/build_and_upload.py
index 6d0471b..d5202be 100755
--- a/build/linux/sysroot_scripts/build_and_upload.py
+++ b/build/linux/sysroot_scripts/build_and_upload.py
@@ -19,15 +19,15 @@
 DEFAULT_URL_PREFIX = "https://dev-cdn.electronjs.org/linux-sysroots"
 
 
-def sha1sumfile(filename):
-  sha1 = hashlib.sha1()
+def sha256sumfile(filename):
+  sha256 = hashlib.sha256()
   with open(filename, "rb") as f:
     while True:
       data = f.read(65536)
       if not data:
         break
-      sha1.update(data)
-  return sha1.hexdigest()
+      sha256.update(data)
+  return sha256.hexdigest()
 
 
 def get_proc_output(args):
@@ -45,12 +45,12 @@ def build_and_upload(script_path, distro, release, key, arch, lock):
   tarball = "%s_%s_%s_sysroot.tar.xz" % (distro, release, arch.lower())
   tarxz_path = os.path.join(script_dir, "..", "..", "..", "out",
                             "sysroot-build", release, tarball)
-  sha1sum = sha1sumfile(tarxz_path)
+  sha256sum = sha256sumfile(tarxz_path)
   sysroot_dir = "%s_%s_%s-sysroot" % (distro, release, arch.lower())
 
   sysroot_metadata = {
       "Key": key,
-      "Sha1Sum": sha1sum,
+      "Sha256Sum": sha256sum,
       "SysrootDir": sysroot_dir,
       "Tarball": tarball,
       "URL": DEFAULT_URL_PREFIX,
diff --git a/build/linux/sysroot_scripts/install-sysroot.py b/build/linux/sysroot_scripts/install-sysroot.py
index 53110e5..cbe4fca 100755
--- a/build/linux/sysroot_scripts/install-sysroot.py
+++ b/build/linux/sysroot_scripts/install-sysroot.py
@@ -56,16 +56,16 @@ class Error(Exception):
   pass
 
 
-def GetSha1(filename):
-  sha1 = hashlib.sha1()
+def GetSha256(filename):
+  sha256 = hashlib.sha256()
   with open(filename, 'rb') as f:
     while True:
       # Read in 1mb chunks, so it doesn't all have to be loaded into memory.
       chunk = f.read(1024*1024)
       if not chunk:
         break
-      sha1.update(chunk)
-  return sha1.hexdigest()
+      sha256.update(chunk)
+  return sha256.hexdigest()
 
 
 def main(args):
@@ -113,13 +113,13 @@ def GetSysrootDict(target_platform, target_arch):
 def InstallSysroot(target_platform, target_arch):
   sysroot_dict = GetSysrootDict(target_platform, target_arch)
   tarball_filename = sysroot_dict['Tarball']
-  tarball_sha1sum = sysroot_dict['Sha1Sum']
+  tarball_sha256sum = sysroot_dict['Sha256Sum']
   # TODO(thestig) Consider putting this elsewhere to avoid having to recreate
   # it on every build.
   linux_dir = os.path.dirname(SCRIPT_DIR)
   sysroot = os.path.join(linux_dir, sysroot_dict['SysrootDir'])
 
-  url = '%s/%s/%s/%s' % (URL_PREFIX, URL_PATH, tarball_sha1sum,
+  url = '%s/%s/%s/%s' % (URL_PREFIX, URL_PATH, tarball_sha256sum,
                          tarball_filename)
 
   stamp = os.path.join(sysroot, '.stamp')
@@ -147,10 +147,10 @@ def InstallSysroot(target_platform, target_arch):
       pass
   else:
     raise Error('Failed to download %s' % url)
-  sha1sum = GetSha1(tarball)
-  if sha1sum != tarball_sha1sum:
-    raise Error('Tarball sha1sum is wrong.'
-                'Expected %s, actual: %s' % (tarball_sha1sum, sha1sum))
+  sha256sum = GetSha256(tarball)
+  if sha256sum != tarball_sha256sum:
+    raise Error('Tarball sha256sum is wrong.'
+                'Expected %s, actual: %s' % (tarball_sha256sum, sha256sum))
   subprocess.check_call(['tar', 'mxf', tarball, '-C', sysroot])
   os.remove(tarball)
 
diff --git a/build/linux/sysroot_scripts/sysroot-creator.sh b/build/linux/sysroot_scripts/sysroot-creator.sh
index ea2bde6..112953b 100755
--- a/build/linux/sysroot_scripts/sysroot-creator.sh
+++ b/build/linux/sysroot_scripts/sysroot-creator.sh
@@ -915,10 +915,9 @@ BuildSysroot() {
 }
 
 UploadSysroot() {
-  local sha=$(sha1sum "${TARBALL}" | awk '{print $1;}')
-  local tarball_name="$(basename "${TARBALL}")"
+  local sha=$(sha256sum "${TARBALL}" | awk '{print $1;}')
   set -x
-  az storage blob upload -f "${TARBALL}" -c linux-sysroots -n $sha/"${tarball_name}"
+  az storage blob upload -f "${TARBALL}" -c linux-sysroots -n $sha
   set +x
 }