diff --git a/scripts/get_garage_sign.py b/scripts/get-garage-sign.py similarity index 75% rename from scripts/get_garage_sign.py rename to scripts/get-garage-sign.py index b2ceb0961f..a4b97bcae7 100755 --- a/scripts/get_garage_sign.py +++ b/scripts/get-garage-sign.py @@ -12,6 +12,9 @@ from pathlib import Path +aws_bucket_url = 'https://ota-tuf-cli-releases.s3-eu-west-1.amazonaws.com/' + + def main(): parser = argparse.ArgumentParser(description='Download a specific or the latest version of garage-sign') parser.add_argument('-a', '--archive', help='static local archive') @@ -48,7 +51,7 @@ def find_version(version_name, sha256_hash, output): if version_name and not sha256_hash: print('Warning: specific version requested without specifying the sha256 hash.') - r = urllib.request.urlopen('https://ats-tuf-cli-releases.s3-eu-central-1.amazonaws.com') + r = urllib.request.urlopen(aws_bucket_url) if r.status != 200: print('Error: unable to request index!') return None @@ -59,9 +62,8 @@ def find_version(version_name, sha256_hash, output): versions = dict() cli_items = [i for i in items if i.find(ns + 'Key').text.startswith('cli-')] for i in cli_items: - # ETag is md5sum. versions[i.find(ns + 'Key').text] = (i.find(ns + 'LastModified').text, - i.find(ns + 'ETag').text[1:-1]) + i.find(ns + 'Size').text) if version_name: name = version_name if name not in versions: @@ -76,10 +78,10 @@ def find_version(version_name, sha256_hash, output): name = max(versions, key=(lambda name: (versions[name][0]))) path = output.joinpath(name) - md5_hash = versions[name][1] - if not path.is_file() or not check_hashes(name, path, md5_hash, sha256_hash): + size = versions[name][1] + if not path.is_file() or not verify(name, path, size, sha256_hash): print('Downloading ' + name + ' from server...') - if download(name, path, md5_hash, sha256_hash): + if download(name, path, size, sha256_hash): print(name + ' successfully downloaded and validated.') return path else: @@ -88,36 +90,32 @@ def find_version(version_name, sha256_hash, output): return path -def download(name, path, md5_hash, sha256_hash): - r = urllib.request.urlopen('https://ats-tuf-cli-releases.s3-eu-central-1.amazonaws.com/' + name) +def download(name, path, size, sha256_hash): + r = urllib.request.urlopen(aws_bucket_url + name) if r.status != 200: print('Error: unable to request file!') return False with path.open(mode='wb') as f: shutil.copyfileobj(r, f) - return check_hashes(name, path, md5_hash, sha256_hash) + return verify(name, path, size, sha256_hash) -def check_hashes(name, path, md5_hash, sha256_hash): +def verify(name, path, size, sha256_hash): if not tarfile.is_tarfile(str(path)): print('Error: ' + name + ' is not a valid tar archive!') return False - m = hashlib.md5() + actual_size = os.path.getsize(str(path)) + if actual_size != int(size): + print('Error: size of ' + name + ' (' + str(actual_size) + ') does not match expected value (' + size + ')!') + return False if sha256_hash: s = hashlib.sha256() - with path.open(mode='rb') as f: - data = f.read() - m.update(data) - if sha256_hash: + with path.open(mode='rb') as f: + data = f.read() s.update(data) - if m.hexdigest() != md5_hash: - print('Error: md5 hash of ' + name + ' does not match expected value!') - print(m.hexdigest()) - print(md5_hash) - return False - if sha256_hash and s.hexdigest() != sha256_hash: - print('Error: sha256 hash of ' + name + ' does not match provided value!') - return False + if s.hexdigest() != sha256_hash: + print('Error: sha256 hash of ' + name + ' does not match provided value!') + return False return True diff --git a/src/sota_tools/CMakeLists.txt b/src/sota_tools/CMakeLists.txt index 9902a408f0..f817773896 100644 --- a/src/sota_tools/CMakeLists.txt +++ b/src/sota_tools/CMakeLists.txt @@ -88,7 +88,7 @@ if (BUILD_SOTA_TOOLS) endif() add_custom_target(garage-sign - COMMAND ${PROJECT_SOURCE_DIR}/scripts/get_garage_sign.py + COMMAND ${PROJECT_SOURCE_DIR}/scripts/get-garage-sign.py --output ${CMAKE_CURRENT_BINARY_DIR} ${GARAGE_SIGN_ARGS}) add_dependencies(garage-deploy garage-sign)