advancedtelematic · pattivacek · Mar 30, 2020 · Mar 27, 2020 · Mar 27, 2020 · Mar 27, 2020
diff --git a/scripts/get_garage_sign.py → scripts/get-garage-sign.py b/scripts/get_garage_sign.py → scripts/get-garage-sign.py
@@ -12,6 +12,9 @@
 from pathlib import Path
 
 
+aws_bucket_url = 'https://ota-tuf-cli-releases.s3-eu-west-1.amazonaws.com/'
+
+
 def main():
     parser = argparse.ArgumentParser(description='Download a specific or the latest version of garage-sign')
     parser.add_argument('-a', '--archive', help='static local archive')
@@ -48,7 +51,7 @@ def find_version(version_name, sha256_hash, output):
     if version_name and not sha256_hash:
         print('Warning: specific version requested without specifying the sha256 hash.')
 
-    r = urllib.request.urlopen('https://ats-tuf-cli-releases.s3-eu-central-1.amazonaws.com')
+    r = urllib.request.urlopen(aws_bucket_url)
     if r.status != 200:
         print('Error: unable to request index!')
         return None
@@ -59,9 +62,8 @@ def find_version(version_name, sha256_hash, output):
     versions = dict()
     cli_items = [i for i in items if i.find(ns + 'Key').text.startswith('cli-')]
     for i in cli_items:
-        # ETag is md5sum.
         versions[i.find(ns + 'Key').text] = (i.find(ns + 'LastModified').text,
-                                             i.find(ns + 'ETag').text[1:-1])
+                                             i.find(ns + 'Size').text)
     if version_name:
         name = version_name
         if name not in versions:
@@ -76,10 +78,10 @@ def find_version(version_name, sha256_hash, output):
         name = max(versions, key=(lambda name: (versions[name][0])))
 
     path = output.joinpath(name)
-    md5_hash = versions[name][1]
-    if not path.is_file() or not check_hashes(name, path, md5_hash, sha256_hash):
+    size = versions[name][1]
+    if not path.is_file() or not verify(name, path, size, sha256_hash):
         print('Downloading ' + name + ' from server...')
-        if download(name, path, md5_hash, sha256_hash):
+        if download(name, path, size, sha256_hash):
             print(name + ' successfully downloaded and validated.')
             return path
         else:
@@ -88,36 +90,32 @@ def find_version(version_name, sha256_hash, output):
     return path
 
 
-def download(name, path, md5_hash, sha256_hash):
-    r = urllib.request.urlopen('https://ats-tuf-cli-releases.s3-eu-central-1.amazonaws.com/' + name)
+def download(name, path, size, sha256_hash):
+    r = urllib.request.urlopen(aws_bucket_url + name)
     if r.status != 200:
         print('Error: unable to request file!')
         return False
     with path.open(mode='wb') as f:
         shutil.copyfileobj(r, f)
-    return check_hashes(name, path, md5_hash, sha256_hash)
+    return verify(name, path, size, sha256_hash)
 
 
-def check_hashes(name, path, md5_hash, sha256_hash):
+def verify(name, path, size, sha256_hash):
     if not tarfile.is_tarfile(str(path)):
         print('Error: ' + name + ' is not a valid tar archive!')
         return False
-    m = hashlib.md5()
+    actual_size = os.path.getsize(str(path))
+    if actual_size != int(size):
+        print('Error: size of ' + name + ' (' + str(actual_size) + ') does not match expected value (' + size + ')!')
+        return False
     if sha256_hash:
         s = hashlib.sha256()
-    with path.open(mode='rb') as f:
-        data = f.read()
-        m.update(data)
-        if sha256_hash:
+        with path.open(mode='rb') as f:
+            data = f.read()
             s.update(data)
-    if m.hexdigest() != md5_hash:
-        print('Error: md5 hash of ' + name + ' does not match expected value!')
-        print(m.hexdigest())
-        print(md5_hash)
-        return False
-    if sha256_hash and s.hexdigest() != sha256_hash:
-        print('Error: sha256 hash of ' + name + ' does not match provided value!')
-        return False
+        if s.hexdigest() != sha256_hash:
+            print('Error: sha256 hash of ' + name + ' does not match provided value!')
+            return False
     return True
 
 

diff --git a/src/sota_tools/CMakeLists.txt b/src/sota_tools/CMakeLists.txt
@@ -88,7 +88,7 @@ if (BUILD_SOTA_TOOLS)
     endif()
 
     add_custom_target(garage-sign
-                    COMMAND ${PROJECT_SOURCE_DIR}/scripts/get_garage_sign.py
+                    COMMAND ${PROJECT_SOURCE_DIR}/scripts/get-garage-sign.py
                     --output ${CMAKE_CURRENT_BINARY_DIR}
                     ${GARAGE_SIGN_ARGS})
     add_dependencies(garage-deploy garage-sign)