Home Explore Help
Sign In
rouch
/
rclone
mirror of https://github.com/rclone/rclone.git
Watch 1
Star 0
Fork 0
Files Issues 0 Wiki
Tree: 7b89735ae7
Branches Tags
rclone
/
cmd
/
selfupdate
/
verify.go

verify.go 3.9 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798 
  1. //go:build !noselfupdate
    2. 

  2. 

  3. package selfupdate
    4. 

  4. 

  5. import (
    6. 

  6. 	"bytes"
    7. 

  7. 	"context"
    8. 

  8. 	"errors"
    9. 

  9. 	"fmt"
    10. 

  10. 	"strings"
    11. 

  11. 

  12. 	"github.com/ProtonMail/go-crypto/openpgp"
    13. 

  13. 	"github.com/ProtonMail/go-crypto/openpgp/clearsign"
    14. 

  14. 	"github.com/rclone/rclone/fs"
    15. 

  15. )
    16. 

  16. 

  17. var ncwPublicKeyPGP = `-----BEGIN PGP PUBLIC KEY BLOCK-----
    18. 

  18. 

  19. mQGiBDuy3V0RBADVQOAF5aFiCxD3t2h6iAF2WMiaMlgZ6kX2i/u7addNkzX71VU9
    20. 

  20. 7NpI0SnsP5YWt+gEedST6OmFbtLfZWCR4KWn5XnNdjCMNhxaH6WccVqNm4ALPIqT
    21. 

  21. 59uVjkgf8RISmmoNJ1d+2wMWjQTUfwOEmoIgH6n+2MYNUKuctBrwAACflwCg1I1Q
    22. 

  22. O/prv/5hczdpQCs+fL87DxsD/Rt7pIXvsIOZyQWbIhSvNpGalJuMkW5Jx92UjsE9
    23. 

  23. 1Ipo3Xr6SGRPgW9+NxAZAsiZfCX/19knAyNrN9blwL0rcPDnkhdGwK69kfjF+wq+
    24. 

  24. QbogRGodbKhqY4v+cMNkKiemBuTQiWPkpKjifwNsD1fNjNKfDP3pJ64Yz7a4fuzV
    25. 

  25. X1YwBACpKVuEen34lmcX6ziY4jq8rKibKBs4JjQCRO24kYoHDULVe+RS9krQWY5b
    26. 

  26. e0foDhru4dsKccefK099G+WEzKVCKxupstWkTT/iJwajR8mIqd4AhD0wO9W3MCfV
    27. 

  27. Ov8ykMDZ7qBWk1DHc87Ep3W1o8t8wq74ifV+HjhhWg8QAylXg7QlTmljayBDcmFp
    28. 

  28. Zy1Xb29kIDxuaWNrQGNyYWlnLXdvb2QuY29tPoh0BBMRCAA0BQsHCgMEAxUDAgMW
    29. 

  29. AgECF4ACGQEWIQT79zfs6firGGBL0qyTk14C/ztU+gUCZS/mXAIbIwAKCRCTk14C
    30. 

  30. /ztU+tX+AJ9CUAnPvT4w5yRAPRfDiwWIPUqBOgCgiTelkzvUxvLWnYmpowwzKmsx
    31. 

  31. qaSJAjMEEAEIAB0WIQTjs1jchY+zB/SBcLnLDb68XzLIHQUCZPRnNAAKCRDLDb68
    32. 

  32. XzLIHZSAD/oCk9Z0xJfbpriphTBxFy7bWyPKF1lM1GZZaLKkktGfunf1i0Q7rhwp
    33. 

  33. Nu+u1launlOTp6ZoY36Ce2Qa1eSxWAQdjVajw9kOHXCAewrTREOMY/mb7RVGjajo
    34. 

  34. 0Egl8T9iD3JRyaxu2iVtbpZYuqehtGG28CaCzmtqE+EJcx1cGqAGSuuaDWRYlVX8
    35. 

  35. KDip44GQB5Lut30vwSIoZG1CPCR6VE82u4cl3mYZUfcJkCHsiLzoeadVzb+fOd+2
    36. 

  36. ybzBn8Y77ifGgM+dSFSHe03mFfcHPdp0QImF9HQR7XI0UMZmEJsw7c2vDrRa+kRY
    37. 

  37. 2A4/amGn4Tahuazq8g2yqgGm3yAj49qGNarAau849lDr7R49j73ESnNVBGJ9ShzU
    38. 

  38. 4Ls+S1A5gohZVu2s1fkE3mbAmoTfU4JCrpRydOuL9xRJk5gbL44sKeuGODNshyTP
    39. 

  39. JzG9DmRHpLsBn59v8mg5tqSfBIGqcqBxxnYHJnkK801MkaLW2m7wDmtz6P3TW86g
    40. 

  40. GukzfIN3/OufLjnpN3Nx376JwWDDIyif7sn6/q+ZMwGz9uLKZkAeM5c3Dh4ygpgl
    41. 

  41. iSLoV2bZzDz0iLxKWW7QOVVdWHmlEqbTldpQ7gUEPG7mxpzVo0xd6nHncSq0M91x
    42. 

  42. 29It4B3fATx/iJB2eardMzSsbzHiwTg0eswhYYGpSKZLgp4RShnVAbkCDQQ7st2B
    43. 

  43. EAgAjpB0UGDf/FrWAUo9jLWKFX15J0arBZkYm+iRax8K8fLnXzS2P+9Q04sAmt2q
    44. 

  44. CUxK9681Nd7xtPrkPrjbcACwuFyH3Cr9o2qseiVNgAHPFGKCNxLX/9PKWfmdoZTO
    45. 

  45. VVBcNV+sOTcx382uR04WPuv9jIwXT6JbCkXPaoCMv3mLnB9VnWRYatPYCaK8TXAP
    46. 

  46. WxZP8lrcUMjQ1GRTQ1vP9rRMp7iaXyItW1lelNFvHEII92QddeBLK7V5ng2sX/BM
    47. 

  47. m6/AafXZMnUQX3lpWQfEBTDT4qYsZ1zIEb4gq4dqauyNYgBcZdX//8oDE+BS2Fxx
    48. 

  48. DTccyOW0Wyt2Z6flDTfhgzd46wADBQf+MAqIgADwulmZk+e30Znj46VmnbZUB/J8
    49. 

  49. M4WXg6X5xaOQsCCMAWybmCc4pxFIT/1c/GdCqSHDv5nKBi5QyBMMn33/kgzVRAve
    50. 

  50. ihL6gWsNoT31Lxst457XuyRx1dwD8rzdWoP2b3etBGdu0P7vnOoqRmf1Y0XIoJeD
    51. 

  51. k/o8U901hG2VAo5zAVH2YdEtSZqlBIAzxjakKAAtnsZWIpBxrz9NPVOBmT18kxlg
    52. 

  52. Z7P4iU4/FMnGOfzT6/LCTj/B0hZKJCP7y7lHNP2yOabvvBsxU0ZGph1b8R6Zb1nP
    53. 

  53. 2+LQIi8kaBs8ypy7HDx7/mWe5DoyLe4NHQ/ZE0gCEWt1mlVIwTzFBohGBBgRAgAG
    54. 

  54. BQI7st2BAAoJEJOTXgL/O1T6YsEAoLZx0XLt4tpAC/LNwTZUrodUiOckAKC4DTRv
    55. 

  55. EtC4nj5EImssVk/xmU3axw==
    56. 

  56. =VUqh
    57. 

  57. -----END PGP PUBLIC KEY BLOCK-----
    58. 

  58. `
    59. 

  59. 

  60. func verifyHashsum(ctx context.Context, siteURL, version, archive string, hash []byte) error {
    61. 

  61. 	sumsURL := fmt.Sprintf("%s/%s/SHA256SUMS", siteURL, version)
    62. 

  62. 	sumsBuf, err := downloadFile(ctx, sumsURL)
    63. 

  63. 	if err != nil {
    64. 

  64. 		return err
    65. 

  65. 	}
    66. 

  66. 	fs.Debugf(nil, "downloaded hashsum list: %s", sumsURL)
    67. 

  67. 	return verifyHashsumDownloaded(ctx, sumsBuf, archive, hash)
    68. 

  68. }
    69. 

  69. 

  70. func verifyHashsumDownloaded(ctx context.Context, sumsBuf []byte, archive string, hash []byte) error {
    71. 

  71. 	keyRing, err := openpgp.ReadArmoredKeyRing(strings.NewReader(ncwPublicKeyPGP))
    72. 

  72. 	if err != nil {
    73. 

  73. 		return fmt.Errorf("unsupported signing key: %w", err)
    74. 

  74. 	}
    75. 

  75. 

  76. 	block, rest := clearsign.Decode(sumsBuf)
    77. 

  77. 	if block == nil {
    78. 

  78. 		return errors.New("invalid hashsum signature: couldn't find detached signature")
    79. 

  79. 	}
    80. 

  80. 	if len(rest) > 0 {
    81. 

  81. 		return fmt.Errorf("invalid hashsum signature: %d bytes of unsigned data", len(rest))
    82. 

  82. 	}
    83. 

  83. 

  84. 	_, err = openpgp.CheckDetachedSignature(keyRing, bytes.NewReader(block.Bytes), block.ArmoredSignature.Body, nil)
    85. 

  85. 	if err != nil {
    86. 

  86. 		return fmt.Errorf("invalid hashsum signature: %w", err)
    87. 

  87. 	}
    88. 

  88. 

  89. 	wantHash, err := findFileHash(sumsBuf, archive)
    90. 

  90. 	if err != nil {
    91. 

  91. 		return err
    92. 

  92. 	}
    93. 

  93. 	if !bytes.Equal(hash, wantHash) {
    94. 

  94. 		return fmt.Errorf("archive hash mismatch: want %02x vs got %02x", wantHash, hash)
    95. 

  95. 	}
    96. 

  96. 	return nil
    97. 

  97. }
    98. 

  98.