The sums for binutils and gcc are based on an HTTPS download (instead
of the default HTTP).
newlib doesn't seem to be available with any kind of signature, so I
compared a tarball and CVS checkout; let's hope they weren't both
compromised.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
BASEDIR=$(shell pwd)
+define checksum
+@if grep -q ' $(subst .,\.,$(1))$$' SHA256SUMS; then \
+ grep ' $(subst .,\.,$(1))$$' SHA256SUMS | sha256sum -c; \
+else \
+ echo "WARNING: no checksum defined for $(1)"; \
+fi
+endef
+
all: gcc
src/$(BINUTILS_TAR):
wget -P src $(BINUTILS_URL)
+ $(call checksum,$@)
src/$(NEWLIB_TAR):
wget -P src $(NEWLIB_URL)
+ $(call checksum,$@)
src/$(GCC_TAR):
wget -P src $(GCC_URL)
+ $(call checksum,$@)
src/binutils-$(BINUTILS_VER): src/$(BINUTILS_TAR)
tar -C src -xjf $<
--- /dev/null
+6c7af8ed1c8cf9b4b9d6e6fe09a3e1d3d479fe63984ba8b9b26bf356b6313ca9 src/binutils-2.22.tar.bz2
+16093f6fa01732adf378d97fe338f113c933bdf56da22bf87c76beff13da406f src/gcc-4.7.1.tar.bz2
+c644b2847244278c57bec2ddda69d8fab5a7c767f3b9af69aa7aa3da823ff692 src/newlib-1.20.0.tar.gz