Postpone to a separate PR the build-installer changes to support additional hash types

ned-deily · ned-deily · commit 3e54cf5c8083 · 2025-08-05T01:09:43.000-04:00
diff --git a/Mac/BuildScript/build-installer.py b/Mac/BuildScript/build-installer.py
@@ -37,7 +37,6 @@
 Usage: see USAGE variable in the script.
 """
 import platform, os, sys, getopt, textwrap, shutil, stat, time, pwd, grp
-import hashlib
 try:
     import urllib2 as urllib_request
 except ImportError:
@@ -362,7 +361,7 @@ def library_recipes():
           dict(
               name="SQLite 3.50.4",
               url="https://www.sqlite.org/2025/sqlite-autoconf-3500400.tar.gz",
-              checksum="sha3-256:330bb88febc08814d49406391891eddac59e5f812e87b83c27ab172687554375",
+              checksum="a3db587a1b92ee5ddac2f66b3edb41b26f9c867275782d46c3a088977d6a5b18",
               extra_cflags=('-Os '
                             '-DSQLITE_ENABLE_FTS5 '
                             '-DSQLITE_ENABLE_FTS4 '
@@ -796,7 +795,7 @@ def downloadURL(url, fname):
 def verifyThirdPartyFile(url, checksum, fname):
     """
     Download file from url to filename fname if it does not already exist.
-    Abort if file contents does not match supplied hashlib checksum.
+    Abort if file contents does not match supplied md5 checksum.
     """
     name = os.path.basename(fname)
     if os.path.exists(fname):
@@ -806,30 +805,16 @@ def verifyThirdPartyFile(url, checksum, fname):
         print("Downloading %s"%(name,))
         downloadURL(url, fname)
         print("Archive for %s stored as %s"%(name, fname))
-    if ':' in checksum:
-        algo, _, checksum = checksum.partition(':')
-        assert algo in hashlib.algorithms_guaranteed, f"Unsupported {algo}, try sha3-256 or sha256 instead."
-        if algo in ("md5", "sha1"):
-            raise ValueError(f"Known insecure checksum algorithm {algo} for {fname}.")
-        if algo.startswith(("shake", "blake")):
-            raise ValueError(f"Please stick to sha2 or sha3 standard checksum algorithms, not {algo}")
-    # TODO remove length based logic AND legacy md5s after updating the ones we already list.
-    elif len(checksum) == 32:
+    if len(checksum) == 32:
         algo = 'md5'
-        print("WARNING: insecure md5 used for {fname}", file=sys.stderr)
     elif len(checksum) == 64:
         algo = 'sha256'
     else:
         raise ValueError(checksum)
-    with open(fname, 'rb') as downloaded_file:
-        if hasattr(hashlib, 'file_digest'):
-            hasher = hashlib.file_digest(downloaded_file, algo)  # 3.11+
-        else:
-            hasher = hashlib.new(algo, downloaded_file.read())
-        computed_checksum = hasher.hexdigest()
-        if computed_checksum != checksum:
-            fatal(f"{algo} hashlib checksum mismatch for file {fname}")
-
+    if os.system(
+            'CHECKSUM=$(openssl %s %s) ; test "${CHECKSUM##*= }" = "%s"'
+                % (algo, shellQuote(fname), checksum) ):
+        fatal('%s checksum mismatch for file %s' % (algo, fname))
 
 def build_universal_openssl(basedir, archList):
     """
