get-garage-sign.py: Check size instead of md5sum.

md5sum offered no security, since it was read from the same place as the archive, and since it is no longer available, use the size instead for a modicum of integrity. You can still provide a sha256sum if desired. Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
advancedtelematic · Mar 27, 2020 · a95bf11 · a95bf11
1 parent 6e42454
commit a95bf11
Showing 1 changed file with 16 additions and 21 deletions.
diff --git a/scripts/get-garage-sign.py b/scripts/get-garage-sign.py
@@ -62,9 +62,8 @@ def find_version(version_name, sha256_hash, output):
     versions = dict()
     cli_items = [i for i in items if i.find(ns + 'Key').text.startswith('cli-')]
     for i in cli_items:
-        # ETag is md5sum.
         versions[i.find(ns + 'Key').text] = (i.find(ns + 'LastModified').text,
-                                             i.find(ns + 'ETag').text[1:-1])
+                                             i.find(ns + 'Size').text)
     if version_name:
         name = version_name
         if name not in versions:
@@ -79,10 +78,10 @@ def find_version(version_name, sha256_hash, output):
         name = max(versions, key=(lambda name: (versions[name][0])))
 
     path = output.joinpath(name)
-    md5_hash = versions[name][1]
-    if not path.is_file() or not check_hashes(name, path, md5_hash, sha256_hash):
+    size = versions[name][1]
+    if not path.is_file() or not verify(name, path, size, sha256_hash):
         print('Downloading ' + name + ' from server...')
-        if download(name, path, md5_hash, sha256_hash):
+        if download(name, path, size, sha256_hash):
             print(name + ' successfully downloaded and validated.')
             return path
         else:
@@ -91,36 +90,32 @@ def find_version(version_name, sha256_hash, output):
     return path
 
 
-def download(name, path, md5_hash, sha256_hash):
+def download(name, path, size, sha256_hash):
     r = urllib.request.urlopen(aws_bucket_url + name)
     if r.status != 200:
         print('Error: unable to request file!')
         return False
     with path.open(mode='wb') as f:
         shutil.copyfileobj(r, f)
-    return check_hashes(name, path, md5_hash, sha256_hash)
+    return verify(name, path, size, sha256_hash)
 
 
-def check_hashes(name, path, md5_hash, sha256_hash):
+def verify(name, path, size, sha256_hash):
     if not tarfile.is_tarfile(str(path)):
         print('Error: ' + name + ' is not a valid tar archive!')
         return False
-    m = hashlib.md5()
+    actual_size = os.path.getsize(str(path))
+    if actual_size != int(size):
+        print('Error: size of ' + name + ' (' + str(actual_size) + ') does not match expected value (' + size + ')!')
+        return False
     if sha256_hash:
         s = hashlib.sha256()
-    with path.open(mode='rb') as f:
-        data = f.read()
-        m.update(data)
-        if sha256_hash:
+        with path.open(mode='rb') as f:
+            data = f.read()
             s.update(data)
-    if m.hexdigest() != md5_hash:
-        print('Error: md5 hash of ' + name + ' does not match expected value!')
-        print(m.hexdigest())
-        print(md5_hash)
-        return False
-    if sha256_hash and s.hexdigest() != sha256_hash:
-        print('Error: sha256 hash of ' + name + ' does not match provided value!')
-        return False
+        if s.hexdigest() != sha256_hash:
+            print('Error: sha256 hash of ' + name + ' does not match provided value!')
+            return False
     return True