From b0061fd1b64ee0d5144fb30e052ed803bcc5f6de Mon Sep 17 00:00:00 2001
From: Dominik Csapak <d.csapak@proxmox.com>
Date: Mon, 18 Nov 2024 15:31:11 +0100
Subject: [PATCH] tools: download file: add a verification sub as option

so that a caller can do additional verification on the downloaded or
extracted file

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Reviewed-by: Fiona Ebner <f.ebner@proxmox.com>
Tested-by: Fiona Ebner <f.ebner@proxmox.com>
---
 src/PVE/Tools.pm | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/PVE/Tools.pm b/src/PVE/Tools.pm
index cb6c0f2..0325f53 100644
--- a/src/PVE/Tools.pm
+++ b/src/PVE/Tools.pm
@@ -2061,6 +2061,8 @@ sub safe_compare {
 #  https_proxy
 #  verify_certificates - if 0 (false) we tell wget to ignore untrusted TLS certs. Default to true
 #  md5sum|sha(1|224|256|384|512)sum - the respective expected checksum string
+#  assert_file_validity - a subroutine to verify the extracted/downloaded file. gets the tmp path as parameter
+#                         should die when the downloaded file is not valid
 sub download_file_from_url {
     my ($dest, $url, $opts) = @_;
 
@@ -2149,6 +2151,11 @@ sub download_file_from_url {
 	    $tmp_download = $tmp_decomp;
 	}
 
+	if (my $assertion = $opts->{assert_file_validity}) {
+	    eval { $assertion->($tmp_download); };
+	    die "failed to verify file: $@" if $@;
+	}
+
 	rename($tmp_download, $dest) or die "unable to rename temporary file: $!\n";
     };
     if (my $err = $@) {