feat: Check hashes of Windows dependencies when cross-compiling

It's a disableable option since we allow the user to change versions of
dependencies and we obviously have hashes only for the default versions,
we are not able to verify hashes of any other version, so it might be
handy to be able to disable the check in that case.

Author: nurupo

INSTALL.md

@@ -299,14 +299,15 @@ Get the toxcore source code and navigate to `other/docker/windows`.
 Build the container image based on the Dockerfile. The following options are
 available to customize the building of the container image.
 
-| Name                  | Description                                 | Expected Value                      | Default Value |
-| --------------------- | ------------------------------------------- | ----------------------------------- | ------------- |
-| `SUPPORT_ARCH_i686`   | Support building 32-bit toxcore.            | "true" or "false" (case sensitive). | true          |
-| `SUPPORT_ARCH_x86_64` | Support building 64-bit toxcore.            | "true" or "false" (case sensitive). | true          |
-| `SUPPORT_TEST`        | Support running toxcore automated tests.    | "true" or "false" (case sensitive). | false         |
-| `VERSION_OPUS`        | Version of libopus to build toxcore with.   | Numeric version number.             | 1.4           |
-| `VERSION_SODIUM`      | Version of libsodium to build toxcore with. | Numeric version number.             | 1.0.19        |
-| `VERSION_VPX`         | Version of libvpx to build toxcore with.    | Numeric version number.             | 1.14.0        |
+| Name                       | Description                                           | Expected Value                      | Default Value |
+| -------------------------- | ----------------------------------------------------- | ----------------------------------- | ------------- |
+| `SUPPORT_ARCH_i686`        | Support building 32-bit toxcore.                      | "true" or "false" (case sensitive). | true          |
+| `SUPPORT_ARCH_x86_64`      | Support building 64-bit toxcore.                      | "true" or "false" (case sensitive). | true          |
+| `SUPPORT_TEST`             | Support running toxcore automated tests.              | "true" or "false" (case sensitive). | false         |
+| `VERSION_OPUS`             | Version of libopus to build toxcore with.             | Numeric version number.             | 1.4           |
+| `VERSION_SODIUM`           | Version of libsodium to build toxcore with.           | Numeric version number.             | 1.0.19        |
+| `VERSION_VPX`              | Version of libvpx to build toxcore with.              | Numeric version number.             | 1.14.0        |
+| `ENABLE_HASH_VERIFICATION` | Verify the hashes of the default dependency versions. | "true" or "false" (case sensitive). | true          |
 
 Example of building a container image with options
 

other/docker/windows/Dockerfile

@@ -7,6 +7,7 @@ FROM debian:bookworm-slim
 ARG VERSION_OPUS=1.4 \
     VERSION_SODIUM=1.0.19 \
     VERSION_VPX=1.14.0 \
+    ENABLE_HASH_VERIFICATION=true \
  \
     SUPPORT_TEST=false \
     SUPPORT_ARCH_i686=true \
@@ -20,6 +21,7 @@ ENV SUPPORT_TEST=${SUPPORT_TEST} \
     CROSS_COMPILE=${CROSS_COMPILE}
 
 WORKDIR /work
+COPY check_sha256.sh .
 COPY get_packages.sh .
 RUN ./get_packages.sh
 

other/docker/windows/build_dependencies.sh

@@ -7,6 +7,8 @@ fi
 
 #=== Cross-Compile Dependencies ===
 
+. ./check_sha256.sh
+
 build() {
   ARCH=${1}
 
@@ -41,6 +43,7 @@ build() {
   echo
   echo "=== Building Sodium $VERSION_SODIUM $ARCH ==="
   curl "${CURL_OPTIONS[@]}" -O "https://github.com/jedisct1/libsodium/releases/download/$VERSION_SODIUM-RELEASE/libsodium-$VERSION_SODIUM.tar.gz"
+  check_sha256 "018d79fe0a045cca07331d37bd0cb57b2e838c51bc48fd837a1472e50068bbea" "libsodium-$VERSION_SODIUM.tar.gz"
   tar -xf "libsodium-$VERSION_SODIUM.tar.gz"
   cd "libsodium-stable"
   ./configure \
@@ -65,6 +68,7 @@ build() {
   fi
 
   curl "${CURL_OPTIONS[@]}" -O "https://ftp.osuosl.org/pub/xiph/releases/opus/opus-$VERSION_OPUS.tar.gz"
+  check_sha256 "c9b32b4253be5ae63d1ff16eea06b94b5f0f2951b7a02aceef58e3a3ce49c51f" "opus-$VERSION_OPUS.tar.gz"
   tar -xf "opus-$VERSION_OPUS.tar.gz"
   cd "opus-$VERSION_OPUS"
   CFLAGS="$CFLAGS $LIB_OPUS_CFLAGS" \
@@ -93,6 +97,7 @@ build() {
     LIB_VPX_CFLAGS="-fno-asynchronous-unwind-tables"
   fi
   curl "${CURL_OPTIONS[@]}" "https://github.com/webmproject/libvpx/archive/v$VERSION_VPX.tar.gz" -o "libvpx-$VERSION_VPX.tar.gz"
+  check_sha256 "5f21d2db27071c8a46f1725928a10227ae45c5cd1cad3727e4aafbe476e321fa" "libvpx-$VERSION_VPX.tar.gz"
   tar -xf "libvpx-$VERSION_VPX.tar.gz"
   cd "libvpx-$VERSION_VPX"
   CFLAGS="$CFLAGS $LIB_VPX_CFLAGS" \

other/docker/windows/check_sha256.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+check_sha256() {
+  [ "$ENABLE_HASH_VERIFICATION" = "true" ] && _check_sha256 "$@"
+}
+
+_check_sha256() {
+  if ! (echo "$1  $2" | sha256sum -c --status -); then
+    echo "Error: sha256 of $2 doesn't match the known one."
+    echo "Expected: $1  $2"
+    echo "Got: $(sha256sum "$2")"
+    return 1
+  fi
+  echo "sha256 matches the expected one: $1"
+  return 0
+}

other/docker/windows/get_packages.sh

@@ -51,6 +51,12 @@ if [ "$SUPPORT_TEST" = "true" ]; then
   curl "${CURL_OPTIONS[@]}" -O --output-dir /etc/apt/sources.list.d/ \
     https://dl.winehq.org/wine-builds/debian/dists/bookworm/winehq-bookworm.sources
 
+  . ./check_sha256.sh
+  check_sha256 "78b185fabdb323971d13bd329fefc8038e08559aa51c4996de18db0639a51df6" \
+    "/etc/apt/keyrings/winehq-archive.key"
+  check_sha256 "8dd8ef66c749d56e798646674c1c185a99b3ed6727ca0fbb5e493951e66c0f9e" \
+    "/etc/apt/sources.list.d/winehq-bookworm.sources"
+
   dpkg --add-architecture i386
   apt-get update
   apt-get install -y \

other/windows_build_script_toxcore.sh

@@ -6,6 +6,7 @@
 export VERSION_OPUS="1.4"
 export VERSION_SODIUM="1.0.19"
 export VERSION_VPX="1.14.0"
+export ENABLE_HASH_VERIFICATION=true
 
 export SUPPORT_TEST=false
 export SUPPORT_ARCH_i686=true