
[FEATURE/SECURITY/BUG] Add hash key validation to check the files downloaded from external projects #3418

@acassis

Description / Steps to reproduce the issue

Currently all external projects are downloaded/compiled without checking if their MD5/SHA are valid, so if their content gets modified we will not know, i.e.:

LVGL_UNPACKNAME = lvgl
UNPACK ?= unzip -o $(if $(V),,-q)
CURL ?= curl -L -O $(if $(V),,-Ss)

LVGL_UNPACKDIR = $(WD)/$(LVGL_UNPACKNAME)

$(LVGL_TARBALL):
	$(ECHO_BEGIN)"Downloading: $(LVGL_TARBALL)"
	$(Q) $(CURL) $(CONFIG_GRAPH_LVGL_URL)/$(LVGL_TARBALL)
	$(ECHO_END)

$(LVGL_UNPACKNAME): $(LVGL_TARBALL)
	$(ECHO_BEGIN)"Unpacking: $(LVGL_TARBALL) -> $(LVGL_UNPACKNAME)"
	$(Q) $(UNPACK) $(LVGL_TARBALL)
	$(Q) mv lvgl-$(LVGL_VERSION) $(LVGL_UNPACKNAME)
	$(Q) touch $(LVGL_UNPACKNAME)
	$(ECHO_END)

On which OS does this issue occur?

[OS: Linux]

What is the version of your OS?

Ubuntu 24.04

NuttX Version

mainline

Issue Architecture

[Arch: all]

Issue Area

[Area: Examples]

Host information

No response

Verification

  • I have verified before submitting the report.
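
One way to implement the check this issue asks for, as an added example that is not part of the original report and is not NuttX code: a POSIX shell helper that compares a downloaded archive against a pinned SHA-256 digest and fails closed. The names `sha256_of` and `verify_download` are hypothetical, and the choice of SHA-256 is an assumption.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not NuttX code): verify a downloaded
# archive against a pinned SHA-256 digest before it is unpacked.

# Print the SHA-256 hex digest of a file using whichever tool is installed.
# Reading from stdin keeps odd file names out of the tool's output.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum < "$1" | cut -d ' ' -f 1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 < "$1" | cut -d ' ' -f 1
  else
    echo "no SHA-256 tool found" >&2
    return 2
  fi
}

# verify_download FILE EXPECTED_SHA256
# Returns 0 only when the digest matches. A missing file or a malformed pin is
# an error. A file whose digest does not match is deleted, so a later build
# cannot unpack it by accident.
verify_download() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

  [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }

  # The pin must be exactly 64 hex characters; anything else is a config error.
  case $expected in
    ''|*[!0-9a-f]*) echo "malformed SHA-256 pin for $file" >&2; return 1 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "malformed SHA-256 pin for $file" >&2; return 1; }

  actual=$(sha256_of "$file") || return 2
  if [ "$actual" != "$expected" ]; then
    echo "SHA-256 mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    rm -f -- "$file"
    return 1
  fi
  return 0
}
```

In a Makefile like the one quoted above, such a helper would run as a recipe step between the download and `$(UNPACK)`, with the expected digest pinned in the repository next to the version it belongs to.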


Labels: Type: Bug
