upload_package: Don't leak directory name into sha256sums file

The base directory is part of the filename entry in the sha256sums file when it's an absolute path. Don't leak any absolute paths into the checksum file.
flatcar · Sep 27, 2023 · dc94945 · dc94945
1 parent e241367
commit dc94945
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/upload_package b/upload_package
@@ -54,13 +54,14 @@ PAYLOAD_SIZE=$(stat --format='%s' "${UPDATE_PATH}")
 PAYLOAD_SHA1=$(cat "${UPDATE_PATH}" | openssl dgst -sha1 -binary | base64)
 PAYLOAD_SHA256=$(cat "${UPDATE_PATH}" | openssl dgst -sha256 -binary | base64)
 
-sha256sum "${UPDATE_PATH}" > "${UPDATE_CHECKSUM_PATH}"
+(cd "${DATA_DIR}" && sha256sum "flatcar_production_update.gz") > "${UPDATE_CHECKSUM_PATH}"
 
 EXTRA_FILES=()
 EXTRA_SUMS=()
 shopt -s nullglob
 for EXTRA_FILE in "${DATA_DIR}/oem-"*.gz "${DATA_DIR}/flatcar-"*.gz; do
-  sha256sum "${EXTRA_FILE}" > "${EXTRA_FILE}.sha256"
+  BASENAME=$(basename "${EXTRA_FILE}")
+  (cd "${DATA_DIR}" && sha256sum "${BASENAME}") > "${EXTRA_FILE}.sha256"
   EXTRA_FILES+=("${EXTRA_FILE}")
   EXTRA_SUMS+=("${EXTRA_FILE}.sha256")
 done