TIL - Buildroot & BR_NO_CHECK_HASH_FOR

Posted by Marcus Folkesson on Thursday, March 30, 2023

TIL - Buildroot & BR_NO_CHECK_HASH_FOR

TIL, Today I Learned, is more of a "I just figured this out: here are my notes, you may find them useful too" rather than a full blog post

In Buildroot [1], the integrity of (allmost) all downloaded packages is verified against a hash. Even packages that are fetched from a git repository is verified this way.

This is a good thing that no one really should work around.

Today I had a debug-session for one package which I locally cloned and frequently made changes to. I told Buildroot to fetch the source code for the package locally to speed up my iterations between new code changes and testing on target.

The hash did of course change after each code change, which became quite annoying.

BR_NO_CHECK_HASH_FOR

The BR_NO_CHECK_HASH_FOR was something I found by a coincidence when looking into the support/download/check-hash file.

No wonder why I have missed this one, it is not mention in the documentation at all:

[22:58:16]marcus@goliat:~/git/buildroot$ git grep BR_NO_CHECK_HASH_FOR docs/
[22:58:18]marcus@goliat:~/git/buildroot$

It does what it says - do not check hash for a certain list of files.

Here is an example on how the linux package make use of BR_NO_CHECK_HASH_FOR:

ifeq ($(BR2_LINUX_KERNEL)$(BR2_LINUX_KERNEL_LATEST_VERSION),y)
BR_NO_CHECK_HASH_FOR += $(LINUX_SOURCE)
endif

LINUX_PATCHES = $(call qstrip,$(BR2_LINUX_KERNEL_PATCH))

# We have no way to know the hashes for user-supplied patches.
BR_NO_CHECK_HASH_FOR += $(notdir $(LINUX_PATCHES))

Conclusion

I found this useful for my bug-hunting, but as a general rule, this is something that you probably should not use.