From 0cf916730f29ec1ba9e5552ad143b7eb4b76740c Mon Sep 17 00:00:00 2001
From: Cyril Brulebois <cyril@debamax.com>
Date: Tue, 23 Jul 2024 13:22:39 +0200
Subject: [PATCH] Add checksum-based safeguard.

---
 build-images | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/build-images b/build-images
index 079e263..f80798f 100755
--- a/build-images
+++ b/build-images
@@ -25,6 +25,15 @@ TOP_DIR=$(pwd)
 #  - prefer parallel compression if available:
 xz_compress() {
   FILE="$1"
+
+  # PTS images are published as compressed images alongside checksums for those
+  # compressed images (as opposed to checksums for the uncompressed images). To
+  # make sure everything is consistent, compare checksum of the original file
+  # vs. checksum of a decompressed compressed image:
+  printf 'Computing checksum for %s...' "$FILE"
+  SUM1=$(sha256sum "$FILE" | awk '{print $1}')
+  echo " $SUM1"
+
   if which pixz >/dev/null 2>&1; then
     printf 'Compressing %s with pixz...' "$FILE"
     pixz "$FILE"
@@ -34,6 +43,15 @@ xz_compress() {
     xz "$FILE"
     echo ' done'
   fi
+
+  printf 'Computing checksum for %s after decompression...' "$FILE"
+  SUM2=$(xz -c -d "$FILE.xz" | sha256sum | awk '{print $1}')
+  if [ "$SUM1" = "$SUM2" ]; then
+    echo " $SUM2 (match)"
+  else
+    echo " $SUM2 (NO MATCH), exiting!"
+    exit 1
+  fi
 }
 
 #  - compute checksum and remember both target file and checksum file: