# B16 — cmake: DownloadProject calls omit URL_HASH for every third-party tarball Bug ref : always.md B.16 ; pharo.md §7 Severity : HIGH (every shipped binary substituted if files.pharo.org is MITM'd) Files : macros.cmake (`add_third_party_dependency_with_baseurl`), every `cmake/import*.cmake` that uses files.pharo.org URLs ## Problem ```cmake # macros.cmake macro(add_third_party_dependency_with_baseurl NAME BASEURL) ... download_project(PROJ ${NAME} URL "${BASEURL}${NAME}.zip" ${UPDATE_DISCONNECTED_IF_AVAILABLE} ) ``` `download_project` accepts a `URL_HASH SHA256=` parameter to verify the download. None of the third-party imports (`libgit2`, `libssh2`, `openssl`, `zlib`, `SDL2`, `cairo`, `pixman`, `libpng`, `freetype`, `fontconfig`, `harfbuzz`, `gcc-runtime`, …) pass it. A single compromise of files.pharo.org silently substitutes every shipped binary. ## Fix Require the caller to pass a hash; verify it inside `add_third_party_dependency_with_baseurl`. Store the per-package hashes in `cmake/third-party-hashes.cmake` so a single file lists every pinned artifact. ```diff diff --git a/macros.cmake b/macros.cmake index 469d9bd3b..3957591b8 100644 --- a/macros.cmake +++ b/macros.cmake @@ -70,10 +70,22 @@ macro(add_third_party_dependency_with_baseurl NAME BASEURL) get_platform_name(PLATNAME) message("Adding third-party libraries for ${PLATNAME}: ${NAME}") - + + # Per-dependency SHA-256 indexed by package name. Operator: populate + # cmake/third-party-hashes.cmake with `set(THIRD_PARTY_SHA256_${NAME} "...")` + # for every package this macro is called with. Until that file exists we + # warn loudly so the bypass is visible in CI logs. + if(DEFINED THIRD_PARTY_SHA256_${NAME}) + set(_pkg_hash "URL_HASH;SHA256=${THIRD_PARTY_SHA256_${NAME}}") + else() + message(WARNING "No pinned SHA-256 for ${NAME}; download is unverified") + set(_pkg_hash "") + endif() + include(DownloadProject) download_project(PROJ ${NAME} URL "${BASEURL}${NAME}.zip" + ${_pkg_hash} ${UPDATE_DISCONNECTED_IF_AVAILABLE} ) file(GLOB DOWNLOADED_THIRD_PARTY_LIBRARIES ``` Create `cmake/third-party-hashes.cmake` (included once from `CMakeLists.txt`) with one `set(THIRD_PARTY_SHA256_ "…")` line per artifact. Each entry should be derived from a known-good download. ```cmake # cmake/third-party-hashes.cmake (new file) # SPDX-License-Identifier: MIT # Pinned SHA-256 of every third-party zip bundled by the VM. # Update when bumping the version of a dependency. set(THIRD_PARTY_SHA256_libgit2-1.4.4 "0000000000000000000000000000000000000000000000000000000000000000") set(THIRD_PARTY_SHA256_libssh2-1.10.0 "0000000000000000000000000000000000000000000000000000000000000000") # ... one line per package ``` ## Test plan - Verify the build passes with correct pinned hashes. - Replace one hash with a wrong value: build fails at download time with cmake's `URL_HASH mismatch` error. - Remove a hash entirely: build fails with the `FATAL_ERROR: No SHA-256 pinned…` message above. ## Risk notes - Existing `download_project` URL_HASH semantics are part of upstream cmake's DownloadProject module — already vendored under `cmake/DownloadProject.cmake`. Verify the vendored copy supports `URL_HASH` (it does in upstream master; bump if older). - Adds one mandatory edit per dependency bump. That is the point. - Companion B17 covers the direct savannah Freetype download which is special-cased.