diff --git a/util/crossgcc/buildgcc b/util/crossgcc/buildgcc
index 97c38b8d95..d6b11ed0a6 100755
--- a/util/crossgcc/buildgcc
+++ b/util/crossgcc/buildgcc
@@ -270,18 +270,6 @@ check_cc() {
-check_sum() {
- test -z "$CHECKSUM" || \
- test "$(cat sum/$1.cksum 2>/dev/null | sed -e 's@.*\([0-9a-f]\{40,\}\).*@\1@')" = \
- "$($CHECKSUM tarballs/$1 2>/dev/null | sed -e 's@.*\([0-9a-f]\{40,\}\).*@\1@')"
-compute_sum() {
- test ! -f sum/$1.cksum && test -f tarballs/$1 && \
- (test -z "$CHECKSUM" || $CHECKSUM tarballs/$1 > sum/$1.cksum ) && \
- printf "(checksum created. ${RED}Note. Please upload sum/$1.cksum if the corresponding archive is upgraded.)${NC}"
download_showing_percentage() {
printf " ..${red} 0%%"
@@ -293,12 +281,13 @@ download_showing_percentage() {
download() {
- archive="$(eval echo \$$package"_ARCHIVE")"
+ archive="$package"_ARCHIVE
+ archive="${!archive}"
FILE=$(basename $archive)
printf " * $FILE "
- if test -f tarballs/$FILE && check_sum $FILE ; then
+ if test -f tarballs/$FILE; then
printf "(cached)"
printf "(downloading from $archive)"
@@ -306,7 +295,6 @@ download() {
cd tarballs
download_showing_percentage $archive
cd ..
- compute_sum $FILE
if [ ! -f tarballs/$FILE ]; then
@@ -316,9 +304,100 @@ download() {
printf "\n"
+# Compute the hash of the package given in $1, and print it raw (just the
+# hexadecimal hash).
+compute_hash() {
+ package=$1
+ archive="$package"_ARCHIVE
+ archive="${!archive}"
+ file="$(basename "$archive")"
+ if test -z "$CHECKSUM"; then
+ echo "${RED}\$CHECKSUM program missing. This is bad.${NC}" 1>&2
+ exit 1
+ fi
+ $CHECKSUM "tarballs/$file" 2>/dev/null | sed -e 's@.*\([0-9a-f]\{40,\}\).*@\1@'
+error_hash_missing() {
+ package="$1"
+ archive="$package"_ARCHIVE
+ archive="${!archive}"
+ file="$(basename "$archive")"
+ fullhashfile="util/crossgcc/sum/$file.cksum"
+ printf "${RED}hash file missing:${NC}\n\n" 1>&2
+ printf "Please verify util/crossgcc/tarball/$file carefully\n" 1>&2
+ printf "(using PGP if possible), and then rename\n" 1>&2
+ printf " ${CYAN}${fullhashfile}.calc${NC}\n" 1>&2
+ printf " to ${CYAN}${fullhashfile}${NC}\n\n" 1>&2
+ exit 1
+# Read the known hash file of the package given in $1, and print it raw.
+get_known_hash() {
+ package=$1
+ archive="$package"_ARCHIVE
+ archive="${!archive}"
+ file="$(basename "$archive")"
+ hashfile="sum/$file.cksum"
+ if [ ! -f "$hashfile" ]; then
+ calc_hash="$(compute_hash "$package")" || exit 1
+ echo "$calc_hash tarballs/$file" > "${hashfile}.calc"
+ error_hash_missing "$package"
+ exit 1
+ fi
+ cat "$hashfile" | sed -e 's@.*\([0-9a-f]\{40,\}\).*@\1@'
+error_hash_mismatch() {
+ package=$1
+ known_hash="$2"
+ computed_hash="$3"
+ archive="$package"_ARCHIVE
+ archive="${!archive}"
+ file="$(basename "$archive")"
+ printf "${RED}hash mismatch:${NC}\n\n"
+ printf " expected (known) hash: $known_hash\n"
+ printf "calculated hash of downloaded file: $computed_hash\n\n"
+ printf "If you think this is due to a network error, please delete\n"
+ printf " ${CYAN}util/crossgcc/tarballs/$file${NC}\n"
+ printf "and try again. If the problem persists, it may be due to an\n"
+ printf "administration error on the file server, or you might be\n"
+ printf "subject to a Man-in-the-Middle attack\n\n"
+ exit 1
+# verify_hash - Check that the hash of the file given in $1 matches the known
+# hash; Bail out on mismatch or missing hash file.
+verify_hash() {
+ package=$1
+ archive="$package"_ARCHIVE
+ archive="${!archive}"
+ known_hash="$(get_known_hash "$package")" || exit "$?"
+ computed_hash="$(compute_hash "$package")" || exit "$?"
+ if [ "$known_hash" != "$computed_hash" ]; then
+ error_hash_mismatch "$package" "$known_hash" "$computed_hash"
+ exit 1
+ fi
+ printf "${GREEN}hash verified ("$known_hash")${NC}\n"
unpack_and_patch() {
- archive="$(eval echo \$$package"_ARCHIVE")"
+ archive="$package"_ARCHIVE
+ archive="${!archive}"
dir="$(eval echo \$$package"_DIR")"
test -d ${dir} && test -f ${dir}/.unpack_success || (
printf " * $(basename $archive)\n"
@@ -963,10 +1042,11 @@ export PATH=$DESTDIR$TARGETDIR/bin:$PATH
# Download, unpack, patch and build all packages
-printf "Downloading tarballs ... \n"
+printf "Downloading and verifying tarballs... \n"
mkdir -p tarballs
for P in $PACKAGES; do
- download $P
+ download "$P" || exit "$?"
+ verify_hash "$P" || exit "$P"
printf "Downloaded tarballs ... ${green}ok${NC}\n"