From b5bcbc45f19ee068478edb73b48bc7194e582da8 Mon Sep 17 00:00:00 2001
From: Carl Worth <cworth@cworth.org>
Date: Mon, 25 May 2020 14:20:38 -0700
Subject: [PATCH] Rework Makefile to force sha512 verification of downloaded
 files

We had sha512 checksums here, but no automation was happening for the
verification, (instead there was only a "make checksums" file that
would have to be called manually).

We rework things here so that the checksum is verified on every file
that is downloaded. The rework simplifies the recipe for
download/verification to a single recipe for all dependencies (rather
than 4 recipes with a lot of duplicated logic).

The "make checksums" target is also renamed to "make deps" since it
can be used to force the downloading of all dependencies, (and it is
given the .PHONY treatment so that it always performs checksum
verification even if there is nothing new to download).
---
 .gitignore                              |  2 +-
 Makefile                                | 20 +++++++-------------
 checksums.sha512                        |  4 ----
 deps/react-dom.development.js.sha512    |  1 +
 deps/react-dom.production.min.js.sha512 |  1 +
 deps/react.development.js.sha512        |  1 +
 deps/react.production.min.js.sha512     |  1 +
 7 files changed, 12 insertions(+), 18 deletions(-)
 delete mode 100644 checksums.sha512
 create mode 100644 deps/react-dom.development.js.sha512
 create mode 100644 deps/react-dom.production.min.js.sha512
 create mode 100644 deps/react.development.js.sha512
 create mode 100644 deps/react.production.min.js.sha512

diff --git a/.gitignore b/.gitignore
index c3cd6a2..10a74da 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
-deps
+deps/*.js
 .deploy-source
 react.js
 react-dom.js
diff --git a/Makefile b/Makefile
index 4b0b4c4..4ef4b4d 100644
--- a/Makefile
+++ b/Makefile
@@ -69,21 +69,15 @@ endif
 quiet ?= $($(word 1, $(1)))
 WGET_VERBOSE_FLAGS ?= --no-verbose
 
-checksums: $(REACT_DOWNLOADS)
-	sha512sum --strict -c checksums.sha512
+SHA512=sha512sum --strict -c
+.PHONY: deps
+deps: $(REACT_DOWNLOADS)
+	$(call quiet,SHA512) deps/*.sha512
 
 DOWNLOAD=wget $(WGET_VERBOSE_FLAGS) -nc -P deps
-deps/react.development.js:
-	$(call quiet,DOWNLOAD) https://unpkg.com/react@16/umd/react.development.js
-
-deps/react-dom.development.js:
-	$(call quiet,DOWNLOAD) https://unpkg.com/react-dom@16/umd/react-dom.development.js
-
-deps/react.production.min.js:
-	$(call quiet,DOWNLOAD) https://unpkg.com/react@16/umd/react.production.min.js
-
-deps/react-dom.production.min.js:
-	$(call quiet,DOWNLOAD) https://unpkg.com/react-dom@16/umd/react-dom.production.min.js
+deps/%.js:
+	$(call quiet,DOWNLOAD) https://unpkg.com/react@16/umd/$@
+	$(call quiet,SHA512) $(patsubst %,%.sha512,$@)
 
 deploy:
 	rm -rf .deploy-source
diff --git a/checksums.sha512 b/checksums.sha512
deleted file mode 100644
index bc0939a..0000000
--- a/checksums.sha512
+++ /dev/null
@@ -1,4 +0,0 @@
-59e5732c703472fce6a70d2e13aca442df4ff981691524e0edbc988f94a00370b8eeb126c9e8fb0194ebefd224d78905c60208fba70781fa55791a908ffd4d97  deps/react.development.js
-11e7e0b90ecd516615f19efe6be47ebe0c0d61e3541a5d8e8bd81cb958d284d0f766ac16810321d5ed20b0fd23262a9de1173260c5ada399458179ce1209a5f9  deps/react-dom.development.js
-498b179806e5661aee08d515993a79fefd9ad459e889ad3a889877f8bf41f7051aaa94558dc34142ca80825406f5be7e21a5427cb0c7e7ebd6f76dc92f97a964  deps/react-dom.production.min.js
-49426e8e1b54599525c2c0016993674c5465bc2bbb5c605904bd55177dea46fbe0364de9052f44df9de471a838240bf4e7f9ec07db1a9d25c56dd1c0516f7e96  deps/react.production.min.js
diff --git a/deps/react-dom.development.js.sha512 b/deps/react-dom.development.js.sha512
new file mode 100644
index 0000000..03bebad
--- /dev/null
+++ b/deps/react-dom.development.js.sha512
@@ -0,0 +1 @@
+11e7e0b90ecd516615f19efe6be47ebe0c0d61e3541a5d8e8bd81cb958d284d0f766ac16810321d5ed20b0fd23262a9de1173260c5ada399458179ce1209a5f9  deps/react-dom.development.js
diff --git a/deps/react-dom.production.min.js.sha512 b/deps/react-dom.production.min.js.sha512
new file mode 100644
index 0000000..85db868
--- /dev/null
+++ b/deps/react-dom.production.min.js.sha512
@@ -0,0 +1 @@
+498b179806e5661aee08d515993a79fefd9ad459e889ad3a889877f8bf41f7051aaa94558dc34142ca80825406f5be7e21a5427cb0c7e7ebd6f76dc92f97a964  deps/react-dom.production.min.js
diff --git a/deps/react.development.js.sha512 b/deps/react.development.js.sha512
new file mode 100644
index 0000000..e3dc5a8
--- /dev/null
+++ b/deps/react.development.js.sha512
@@ -0,0 +1 @@
+59e5732c703472fce6a70d2e13aca442df4ff981691524e0edbc988f94a00370b8eeb126c9e8fb0194ebefd224d78905c60208fba70781fa55791a908ffd4d97  deps/react.development.js
diff --git a/deps/react.production.min.js.sha512 b/deps/react.production.min.js.sha512
new file mode 100644
index 0000000..e43025f
--- /dev/null
+++ b/deps/react.production.min.js.sha512
@@ -0,0 +1 @@
+49426e8e1b54599525c2c0016993674c5465bc2bbb5c605904bd55177dea46fbe0364de9052f44df9de471a838240bf4e7f9ec07db1a9d25c56dd1c0516f7e96  deps/react.production.min.js
-- 
2.43.0