From cfb565dc8bfc7e06adc9c7864ea4511c99b88ab6 Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith" Date: Sun, 27 Jul 2025 02:11:49 +0000 Subject: [PATCH 1/8] Update SQLite to 3.50.3 for binary releases. --- Android/android.py | 2 +- Mac/BuildScript/build-installer.py | 33 ++++++++++++++++++++++-------- Misc/externals.spdx.json | 8 ++++---- PCbuild/get_externals.bat | 2 +- PCbuild/python.props | 2 +- PCbuild/readme.txt | 2 +- 6 files changed, 32 insertions(+), 17 deletions(-) diff --git a/Android/android.py b/Android/android.py index 75f73cd30993da..6683f224313e61 100755 --- a/Android/android.py +++ b/Android/android.py @@ -187,7 +187,7 @@ def unpack_deps(host, prefix_dir): os.chdir(prefix_dir) deps_url = "https://github.com/beeware/cpython-android-source-deps/releases/download" for name_ver in ["bzip2-1.0.8-3", "libffi-3.4.4-3", "openssl-3.0.15-4", - "sqlite-3.49.1-0", "xz-5.4.6-1", "zstd-1.5.7-1"]: + "sqlite-3.50.3-0", "xz-5.4.6-1", "zstd-1.5.7-1"]: filename = f"{name_ver}-{host}.tar.gz" download(f"{deps_url}/{name_ver}/{filename}") shutil.unpack_archive(filename) diff --git a/Mac/BuildScript/build-installer.py b/Mac/BuildScript/build-installer.py index b31cb766a468f4..5131a9b043ab1e 100755 --- a/Mac/BuildScript/build-installer.py +++ b/Mac/BuildScript/build-installer.py @@ -37,6 +37,7 @@ Usage: see USAGE variable in the script. """ import platform, os, sys, getopt, textwrap, shutil, stat, time, pwd, grp +import hashlib try: import urllib2 as urllib_request except ImportError: @@ -359,9 +360,9 @@ def library_recipes(): ), ), dict( - name="SQLite 3.49.1", - url="https://sqlite.org/2025/sqlite-autoconf-3490100.tar.gz", - checksum="106642d8ccb36c5f7323b64e4152e9b719f7c0215acf5bfeac3d5e7f97b59254", + name="SQLite 3.50.3", + url="https://www.sqlite.org/2025/sqlite-autoconf-3500300.tar.gz", + checksum="sha3-256:c3df1542703a666d3f41bb623e9bed7d6e1dc81c57f0c45e3122403f862c520d", extra_cflags=('-Os ' '-DSQLITE_ENABLE_FTS5 ' '-DSQLITE_ENABLE_FTS4 ' @@ -795,7 +796,7 @@ def downloadURL(url, fname): def verifyThirdPartyFile(url, checksum, fname): """ Download file from url to filename fname if it does not already exist. - Abort if file contents does not match supplied md5 checksum. + Abort if file contents does not match supplied hashlib checksum. """ name = os.path.basename(fname) if os.path.exists(fname): @@ -805,16 +806,30 @@ def verifyThirdPartyFile(url, checksum, fname): print("Downloading %s"%(name,)) downloadURL(url, fname) print("Archive for %s stored as %s"%(name, fname)) - if len(checksum) == 32: + if ':' in checksum: + algo, _, checksum = checksum.partition(':') + assert algo in hashlib.algorithms_guaranteed, f"Unsupported {algo}, try sha3-256 or sha256 instead." + if algo in ("md5", "sha1"): + raise ValueError(f"Known insecure checksum algorithm {algo} for {fname}.") + if algo.startswith(("shake", "blake")): + raise ValueError(f"Please stick to sha2 or sha3 standard checksum algorithms, not {algo}") + # TODO remove length based logic AND legacy md5s after updating the ones we already list. + elif len(checksum) == 32: algo = 'md5' + print("WARNING: insecure md5 used for {fname}", file=sys.stderr) elif len(checksum) == 64: algo = 'sha256' else: raise ValueError(checksum) - if os.system( - 'CHECKSUM=$(openssl %s %s) ; test "${CHECKSUM##*= }" = "%s"' - % (algo, shellQuote(fname), checksum) ): - fatal('%s checksum mismatch for file %s' % (algo, fname)) + with open(fname, 'rb') as downloaded_file: + if hasattr(hashlib, 'file_digest'): + hasher = hashlib.file_digest(downloaded_file, algo) # 3.11+ + else: + hasher = hashlib.new(algo, downloaded_file.read()) + computed_checksum = hasher.hexdigest() + if computed_checksum != checksum: + fatal(f"{algo} hashlib checksum mismatch for file {fname}") + def build_universal_openssl(basedir, archList): """ diff --git a/Misc/externals.spdx.json b/Misc/externals.spdx.json index 69f3beec82ed34..8cb04659107c2a 100644 --- a/Misc/externals.spdx.json +++ b/Misc/externals.spdx.json @@ -94,18 +94,18 @@ "checksumValue": "e335aeb44fa36cde60ecbb6a9f8be6f5d449d645ce9b0199ee53a7e6728d19d2" } ], - "downloadLocation": "https://github.com/python/cpython-source-deps/archive/refs/tags/sqlite-3.49.1.0.tar.gz", + "downloadLocation": "https://github.com/python/cpython-source-deps/archive/refs/tags/sqlite-3.50.3.0.tar.gz", "externalRefs": [ { "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:sqlite:sqlite:3.49.1.0:*:*:*:*:*:*:*", + "referenceLocator": "cpe:2.3:a:sqlite:sqlite:3.50.3.0:*:*:*:*:*:*:*", "referenceType": "cpe23Type" } ], "licenseConcluded": "NOASSERTION", "name": "sqlite", "primaryPackagePurpose": "SOURCE", - "versionInfo": "3.49.1.0" + "versionInfo": "3.50.3.0" }, { "SPDXID": "SPDXRef-PACKAGE-tcl-core", @@ -214,4 +214,4 @@ } ], "spdxVersion": "SPDX-2.3" -} \ No newline at end of file +} diff --git a/PCbuild/get_externals.bat b/PCbuild/get_externals.bat index e29054f5734d49..8d83561ad633fa 100644 --- a/PCbuild/get_externals.bat +++ b/PCbuild/get_externals.bat @@ -56,7 +56,7 @@ set libraries=%libraries% bzip2-1.0.8 if NOT "%IncludeLibffiSrc%"=="false" set libraries=%libraries% libffi-3.4.4 if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries% openssl-3.0.16 set libraries=%libraries% mpdecimal-4.0.0 -set libraries=%libraries% sqlite-3.49.1.0 +set libraries=%libraries% sqlite-3.50.3.0 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.15.0 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tk-8.6.15.0 set libraries=%libraries% xz-5.2.5 diff --git a/PCbuild/python.props b/PCbuild/python.props index ddc7696d2762fe..49258ea4a74af9 100644 --- a/PCbuild/python.props +++ b/PCbuild/python.props @@ -74,7 +74,7 @@ - $(ExternalsDir)sqlite-3.49.1.0\ + $(ExternalsDir)sqlite-3.50.3.0\ $(ExternalsDir)bzip2-1.0.8\ $(ExternalsDir)xz-5.2.5\ $(ExternalsDir)libffi-3.4.4\ diff --git a/PCbuild/readme.txt b/PCbuild/readme.txt index 3ae3255d933967..f22b1a8bc7f85f 100644 --- a/PCbuild/readme.txt +++ b/PCbuild/readme.txt @@ -237,7 +237,7 @@ _ssl again when building. _sqlite3 - Wraps SQLite 3.49.1, which is itself built by sqlite3.vcxproj + Wraps SQLite 3.50.3, which is itself built by sqlite3.vcxproj Homepage: https://www.sqlite.org/ From b69076290d188c043af0df1682ae87c05f79aab5 Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith" Date: Sun, 27 Jul 2025 02:20:56 +0000 Subject: [PATCH 2/8] macOS and Windows news entries. what about Android? --- .../next/Windows/2025-07-27-02-16-53.gh-issue-137134.W0WpDF.rst | 1 + .../next/macOS/2025-07-27-02-17-40.gh-issue-137134.pjgITs.rst | 1 + 2 files changed, 2 insertions(+) create mode 100644 Misc/NEWS.d/next/Windows/2025-07-27-02-16-53.gh-issue-137134.W0WpDF.rst create mode 100644 Misc/NEWS.d/next/macOS/2025-07-27-02-17-40.gh-issue-137134.pjgITs.rst diff --git a/Misc/NEWS.d/next/Windows/2025-07-27-02-16-53.gh-issue-137134.W0WpDF.rst b/Misc/NEWS.d/next/Windows/2025-07-27-02-16-53.gh-issue-137134.W0WpDF.rst new file mode 100644 index 00000000000000..b4d1bcd2aba752 --- /dev/null +++ b/Misc/NEWS.d/next/Windows/2025-07-27-02-16-53.gh-issue-137134.W0WpDF.rst @@ -0,0 +1 @@ +Update Windows installer to ship with SQLite 3.50.3. diff --git a/Misc/NEWS.d/next/macOS/2025-07-27-02-17-40.gh-issue-137134.pjgITs.rst b/Misc/NEWS.d/next/macOS/2025-07-27-02-17-40.gh-issue-137134.pjgITs.rst new file mode 100644 index 00000000000000..c97c5c5e471715 --- /dev/null +++ b/Misc/NEWS.d/next/macOS/2025-07-27-02-17-40.gh-issue-137134.pjgITs.rst @@ -0,0 +1 @@ +Update macOS installer to ship SQLite version 3.50.3. From c69125df49ab4a615da0061a681618e88127e0cf Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith" Date: Sun, 27 Jul 2025 02:31:31 +0000 Subject: [PATCH 3/8] update sbom hash --- Misc/externals.spdx.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Misc/externals.spdx.json b/Misc/externals.spdx.json index 8cb04659107c2a..ea82c2e2ebdb94 100644 --- a/Misc/externals.spdx.json +++ b/Misc/externals.spdx.json @@ -91,7 +91,7 @@ "checksums": [ { "algorithm": "SHA256", - "checksumValue": "e335aeb44fa36cde60ecbb6a9f8be6f5d449d645ce9b0199ee53a7e6728d19d2" + "checksumValue": "b1c4b2bf9be3923aea18da433a1c479fcc30b4905e4e1c7c30f069387dc7ea9c" } ], "downloadLocation": "https://github.com/python/cpython-source-deps/archive/refs/tags/sqlite-3.50.3.0.tar.gz", From b9158c0f481f0f8bb31fd56097b14b73e546452d Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith" Date: Fri, 1 Aug 2025 18:12:40 +0000 Subject: [PATCH 4/8] newline fix via regen-sbom --- Misc/externals.spdx.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Misc/externals.spdx.json b/Misc/externals.spdx.json index ea82c2e2ebdb94..0302593e85cf2b 100644 --- a/Misc/externals.spdx.json +++ b/Misc/externals.spdx.json @@ -214,4 +214,4 @@ } ], "spdxVersion": "SPDX-2.3" -} +} \ No newline at end of file From 623272658616e935ec7310adb63e742601383831 Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith" <68491+gpshead@users.noreply.github.com> Date: Fri, 1 Aug 2025 11:13:36 -0700 Subject: [PATCH 5/8] news wording Co-authored-by: Erlend E. Aasland --- .../next/macOS/2025-07-27-02-17-40.gh-issue-137134.pjgITs.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Misc/NEWS.d/next/macOS/2025-07-27-02-17-40.gh-issue-137134.pjgITs.rst b/Misc/NEWS.d/next/macOS/2025-07-27-02-17-40.gh-issue-137134.pjgITs.rst index c97c5c5e471715..1c85f6031a5c67 100644 --- a/Misc/NEWS.d/next/macOS/2025-07-27-02-17-40.gh-issue-137134.pjgITs.rst +++ b/Misc/NEWS.d/next/macOS/2025-07-27-02-17-40.gh-issue-137134.pjgITs.rst @@ -1 +1 @@ -Update macOS installer to ship SQLite version 3.50.3. +Update macOS installer to ship with SQLite version 3.50.3. From ff16075f94a0c5a2a7963d31e44929dd54dbb02b Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith" Date: Fri, 1 Aug 2025 18:48:14 +0000 Subject: [PATCH 6/8] Update SQLite to 3.50.4 for binary releases. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude --- Android/android.py | 2 +- Mac/BuildScript/build-installer.py | 6 +++--- .../Windows/2025-07-27-02-16-53.gh-issue-137134.W0WpDF.rst | 2 +- .../macOS/2025-07-27-02-17-40.gh-issue-137134.pjgITs.rst | 2 +- Misc/externals.spdx.json | 6 +++--- PCbuild/get_externals.bat | 2 +- PCbuild/python.props | 2 +- PCbuild/readme.txt | 2 +- 8 files changed, 12 insertions(+), 12 deletions(-) diff --git a/Android/android.py b/Android/android.py index 6683f224313e61..e6090aa1d80db0 100755 --- a/Android/android.py +++ b/Android/android.py @@ -187,7 +187,7 @@ def unpack_deps(host, prefix_dir): os.chdir(prefix_dir) deps_url = "https://github.com/beeware/cpython-android-source-deps/releases/download" for name_ver in ["bzip2-1.0.8-3", "libffi-3.4.4-3", "openssl-3.0.15-4", - "sqlite-3.50.3-0", "xz-5.4.6-1", "zstd-1.5.7-1"]: + "sqlite-3.50.4-0", "xz-5.4.6-1", "zstd-1.5.7-1"]: filename = f"{name_ver}-{host}.tar.gz" download(f"{deps_url}/{name_ver}/{filename}") shutil.unpack_archive(filename) diff --git a/Mac/BuildScript/build-installer.py b/Mac/BuildScript/build-installer.py index 5131a9b043ab1e..c6002a5c30bd9c 100755 --- a/Mac/BuildScript/build-installer.py +++ b/Mac/BuildScript/build-installer.py @@ -360,9 +360,9 @@ def library_recipes(): ), ), dict( - name="SQLite 3.50.3", - url="https://www.sqlite.org/2025/sqlite-autoconf-3500300.tar.gz", - checksum="sha3-256:c3df1542703a666d3f41bb623e9bed7d6e1dc81c57f0c45e3122403f862c520d", + name="SQLite 3.50.4", + url="https://www.sqlite.org/2025/sqlite-autoconf-3500400.tar.gz", + checksum="sha3-256:330bb88febc08814d49406391891eddac59e5f812e87b83c27ab172687554375", extra_cflags=('-Os ' '-DSQLITE_ENABLE_FTS5 ' '-DSQLITE_ENABLE_FTS4 ' diff --git a/Misc/NEWS.d/next/Windows/2025-07-27-02-16-53.gh-issue-137134.W0WpDF.rst b/Misc/NEWS.d/next/Windows/2025-07-27-02-16-53.gh-issue-137134.W0WpDF.rst index b4d1bcd2aba752..ddccf95b7d039a 100644 --- a/Misc/NEWS.d/next/Windows/2025-07-27-02-16-53.gh-issue-137134.W0WpDF.rst +++ b/Misc/NEWS.d/next/Windows/2025-07-27-02-16-53.gh-issue-137134.W0WpDF.rst @@ -1 +1 @@ -Update Windows installer to ship with SQLite 3.50.3. +Update Windows installer to ship with SQLite 3.50.4. diff --git a/Misc/NEWS.d/next/macOS/2025-07-27-02-17-40.gh-issue-137134.pjgITs.rst b/Misc/NEWS.d/next/macOS/2025-07-27-02-17-40.gh-issue-137134.pjgITs.rst index 1c85f6031a5c67..957270f5abae93 100644 --- a/Misc/NEWS.d/next/macOS/2025-07-27-02-17-40.gh-issue-137134.pjgITs.rst +++ b/Misc/NEWS.d/next/macOS/2025-07-27-02-17-40.gh-issue-137134.pjgITs.rst @@ -1 +1 @@ -Update macOS installer to ship with SQLite version 3.50.3. +Update macOS installer to ship with SQLite version 3.50.4. diff --git a/Misc/externals.spdx.json b/Misc/externals.spdx.json index 0302593e85cf2b..9b57862f0f8416 100644 --- a/Misc/externals.spdx.json +++ b/Misc/externals.spdx.json @@ -94,18 +94,18 @@ "checksumValue": "b1c4b2bf9be3923aea18da433a1c479fcc30b4905e4e1c7c30f069387dc7ea9c" } ], - "downloadLocation": "https://github.com/python/cpython-source-deps/archive/refs/tags/sqlite-3.50.3.0.tar.gz", + "downloadLocation": "https://github.com/python/cpython-source-deps/archive/refs/tags/sqlite-3.50.4.0.tar.gz", "externalRefs": [ { "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:sqlite:sqlite:3.50.3.0:*:*:*:*:*:*:*", + "referenceLocator": "cpe:2.3:a:sqlite:sqlite:3.50.4.0:*:*:*:*:*:*:*", "referenceType": "cpe23Type" } ], "licenseConcluded": "NOASSERTION", "name": "sqlite", "primaryPackagePurpose": "SOURCE", - "versionInfo": "3.50.3.0" + "versionInfo": "3.50.4.0" }, { "SPDXID": "SPDXRef-PACKAGE-tcl-core", diff --git a/PCbuild/get_externals.bat b/PCbuild/get_externals.bat index 8d83561ad633fa..eff8d1ccd7f146 100644 --- a/PCbuild/get_externals.bat +++ b/PCbuild/get_externals.bat @@ -56,7 +56,7 @@ set libraries=%libraries% bzip2-1.0.8 if NOT "%IncludeLibffiSrc%"=="false" set libraries=%libraries% libffi-3.4.4 if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries% openssl-3.0.16 set libraries=%libraries% mpdecimal-4.0.0 -set libraries=%libraries% sqlite-3.50.3.0 +set libraries=%libraries% sqlite-3.50.4.0 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.15.0 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tk-8.6.15.0 set libraries=%libraries% xz-5.2.5 diff --git a/PCbuild/python.props b/PCbuild/python.props index 49258ea4a74af9..e1c2ff3fe3cc11 100644 --- a/PCbuild/python.props +++ b/PCbuild/python.props @@ -74,7 +74,7 @@ - $(ExternalsDir)sqlite-3.50.3.0\ + $(ExternalsDir)sqlite-3.50.4.0\ $(ExternalsDir)bzip2-1.0.8\ $(ExternalsDir)xz-5.2.5\ $(ExternalsDir)libffi-3.4.4\ diff --git a/PCbuild/readme.txt b/PCbuild/readme.txt index f22b1a8bc7f85f..27c0d382281bdb 100644 --- a/PCbuild/readme.txt +++ b/PCbuild/readme.txt @@ -237,7 +237,7 @@ _ssl again when building. _sqlite3 - Wraps SQLite 3.50.3, which is itself built by sqlite3.vcxproj + Wraps SQLite 3.50.4, which is itself built by sqlite3.vcxproj Homepage: https://www.sqlite.org/ From 8aa4e573b5fa3ad934d0f9cf3588daa0ab12fbd8 Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith" Date: Fri, 1 Aug 2025 18:56:06 +0000 Subject: [PATCH 7/8] update 3.50.4.0.tar.gz hash in sbom & regen-sbom to fix whitespace --- Misc/externals.spdx.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Misc/externals.spdx.json b/Misc/externals.spdx.json index 9b57862f0f8416..a87af7f9173780 100644 --- a/Misc/externals.spdx.json +++ b/Misc/externals.spdx.json @@ -91,7 +91,7 @@ "checksums": [ { "algorithm": "SHA256", - "checksumValue": "b1c4b2bf9be3923aea18da433a1c479fcc30b4905e4e1c7c30f069387dc7ea9c" + "checksumValue": "fb5ab81f27612b0a7b4861ba655906c76dc85ee969e7a4905d2075aff931e8d0" } ], "downloadLocation": "https://github.com/python/cpython-source-deps/archive/refs/tags/sqlite-3.50.4.0.tar.gz", From 3e54cf5c8083fe1ecbafe103e5440875d03ba647 Mon Sep 17 00:00:00 2001 From: Ned Deily Date: Tue, 5 Aug 2025 01:09:43 -0400 Subject: [PATCH 8/8] Postpone to a separate PR the build-installer changes to support additional hash types --- Mac/BuildScript/build-installer.py | 29 +++++++---------------------- 1 file changed, 7 insertions(+), 22 deletions(-) diff --git a/Mac/BuildScript/build-installer.py b/Mac/BuildScript/build-installer.py index c6002a5c30bd9c..8ae2cff93d2082 100755 --- a/Mac/BuildScript/build-installer.py +++ b/Mac/BuildScript/build-installer.py @@ -37,7 +37,6 @@ Usage: see USAGE variable in the script. """ import platform, os, sys, getopt, textwrap, shutil, stat, time, pwd, grp -import hashlib try: import urllib2 as urllib_request except ImportError: @@ -362,7 +361,7 @@ def library_recipes(): dict( name="SQLite 3.50.4", url="https://www.sqlite.org/2025/sqlite-autoconf-3500400.tar.gz", - checksum="sha3-256:330bb88febc08814d49406391891eddac59e5f812e87b83c27ab172687554375", + checksum="a3db587a1b92ee5ddac2f66b3edb41b26f9c867275782d46c3a088977d6a5b18", extra_cflags=('-Os ' '-DSQLITE_ENABLE_FTS5 ' '-DSQLITE_ENABLE_FTS4 ' @@ -796,7 +795,7 @@ def downloadURL(url, fname): def verifyThirdPartyFile(url, checksum, fname): """ Download file from url to filename fname if it does not already exist. - Abort if file contents does not match supplied hashlib checksum. + Abort if file contents does not match supplied md5 checksum. """ name = os.path.basename(fname) if os.path.exists(fname): @@ -806,30 +805,16 @@ def verifyThirdPartyFile(url, checksum, fname): print("Downloading %s"%(name,)) downloadURL(url, fname) print("Archive for %s stored as %s"%(name, fname)) - if ':' in checksum: - algo, _, checksum = checksum.partition(':') - assert algo in hashlib.algorithms_guaranteed, f"Unsupported {algo}, try sha3-256 or sha256 instead." - if algo in ("md5", "sha1"): - raise ValueError(f"Known insecure checksum algorithm {algo} for {fname}.") - if algo.startswith(("shake", "blake")): - raise ValueError(f"Please stick to sha2 or sha3 standard checksum algorithms, not {algo}") - # TODO remove length based logic AND legacy md5s after updating the ones we already list. - elif len(checksum) == 32: + if len(checksum) == 32: algo = 'md5' - print("WARNING: insecure md5 used for {fname}", file=sys.stderr) elif len(checksum) == 64: algo = 'sha256' else: raise ValueError(checksum) - with open(fname, 'rb') as downloaded_file: - if hasattr(hashlib, 'file_digest'): - hasher = hashlib.file_digest(downloaded_file, algo) # 3.11+ - else: - hasher = hashlib.new(algo, downloaded_file.read()) - computed_checksum = hasher.hexdigest() - if computed_checksum != checksum: - fatal(f"{algo} hashlib checksum mismatch for file {fname}") - + if os.system( + 'CHECKSUM=$(openssl %s %s) ; test "${CHECKSUM##*= }" = "%s"' + % (algo, shellQuote(fname), checksum) ): + fatal('%s checksum mismatch for file %s' % (algo, fname)) def build_universal_openssl(basedir, archList): """