From fe47203cafd7532de612c53e631703089adb9839 Mon Sep 17 00:00:00 2001
From: Andre Anjos <andre.dos.anjos@gmail.com>
Date: Tue, 29 Mar 2022 07:26:12 +0200
Subject: [PATCH] [bootstrap] Actually checks for the checksum of the
 downloaded installer to verify it has been updated correctly

---
 bob/devtools/bootstrap.py | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/bob/devtools/bootstrap.py b/bob/devtools/bootstrap.py
index 0f91e4c9..4b47575b 100644
--- a/bob/devtools/bootstrap.py
+++ b/bob/devtools/bootstrap.py
@@ -245,7 +245,7 @@ def ensure_miniconda_sh():
             return
         else:
             logger.info(
-                "Erasing cached miniconda3 installer (%s does NOT " "match)",
+                "Erasing cached miniconda3 installer (%s does NOT match)",
                 actual_sha256,
             )
             os.unlink("miniconda.sh")
@@ -259,6 +259,21 @@ def ensure_miniconda_sh():
     with open(dst, "wb") as f:
         f.write(response.read())
 
+    # checks that the checksum is correct on this file
+    actual_sha256 = hashlib.sha256(
+        open("miniconda.sh", "rb").read()
+    ).hexdigest()
+    if actual_sha256 != sha256:
+        os.unlink("miniconda.sh")
+        raise RuntimeError(
+            "Just downloaded miniconda3 installer sha256 checksum (%s) does "
+            "NOT match expected value (%s). Removing downloaded installer. "
+            "A wrong checksum may end up making the CI download too many copies "
+            "and be banned! You must fix this ASAP.",
+            actual_sha256,
+            sha256,
+        )
+
 
 def install_miniconda(prefix, name):
     """Creates a new miniconda installation.
-- 
GitLab