omaha: Write only SHA256 hash for extra files #629
Conversation
pothos
force-pushed
the
kai/ambiguous-hash
branch
from
b8d9e22
to
05c67e5
Compare
|
Happy with the direction we're taking. Good to go from the conceptual side for me if the implementation gets a LGTM. |
pothos
force-pushed
the
kai/ambiguous-hash
branch
4 times, most recently
from
b7e5655
to
35ec45a
Compare
|
@yolossn @joaquimrocha could you please have another look? Are we good to merge? |
The hash tip was rendered as "Tip: cat update.gz false openssl dgst -sha1 -binary false base64" where "false" should be "|". Using "|" does not work in the literal text but it works through templating (which is also nicer for translation).
pothos
force-pushed
the
kai/ambiguous-hash
branch
from
35ec45a
to
53e72ee
Compare
pothos
force-pushed
the
kai/ambiguous-hash
branch
from
53e72ee
to
01d7c63
Compare
|
Updated it to support both hashes in the extra files. |
pothos
force-pushed
the
kai/ambiguous-hash
branch
from
01d7c63
to
e9e7027
Compare
|
Not sure what's wrong with the test, it wants to apply the migration multiple times |
pothos
force-pushed
the
kai/ambiguous-hash
branch
from
e9e7027
to
69b47eb
Compare
|
I've also found a problem with storing extra file names in the syncer-created packages when self-hosting the files. Edit: Ah, got it, regular Go foot guns… |
|
We also have the problem with go-bindata having disappeared: The github repo is there, not sure if the proxy is broken, I'll try to disable it. |
pothos
force-pushed
the
kai/ambiguous-hash
branch
from
3b8150c
to
9048aa2
Compare
|
CI is green and I have tested it manually in various ways (thus the extra bug fixes), last chance for a final look before merging ;) |
| @@ -0,0 +1,7 @@ | |||
| -- +migrate Up | |||
|
|
|||
| alter table package_file add column if not exists hash256 varchar(250) default ''; | |||
There was a problem hiding this comment.
I wonder if this is the best type? It'd expect it to be a set length or NULL?
Reading just the column name, I didn't know what was in there. I looked elsewhere and found out it is hex encoded sha256.
There was a problem hiding this comment.
Good idea, we could limit it to 64 - I followed what was done with the other hash, would I need to change the length for the UI?
| if sha1Base64Checksum != "" && base64.StdEncoding.EncodeToString(hashSha1.Sum(nil)) != sha1Base64Checksum { | ||
| return errors.New("downloaded file sha1 hash mismatch") | ||
| } | ||
| if sha256Base16Checksum != "" && hex.EncodeToString(hashSha256.Sum(nil)) != sha256Base16Checksum { |
There was a problem hiding this comment.
I'd expect it to use the better sha256 hash if it's there. Or should supplying two hashes be an error?
There was a problem hiding this comment.
Any of both may be present and each one should be correct.
| @@ -283,6 +283,7 @@ func TestMultiPackageResponse(t *testing.T) { | |||
| Name: null.StringFrom("myfile1.txt"), | |||
| Size: null.StringFrom("1234"), | |||
| Hash: null.StringFrom("abcd"), | |||
| Hash256: null.StringFrom("xyz"), | |||
There was a problem hiding this comment.
Are the changes to this test sufficient to cover the changes in this PR?
There was a problem hiding this comment.
Should be good, below there is one more file entry that doesn't have the new field.
| @@ -1260,6 +1260,8 @@ components: | |||
| type: string | |||
| hash: | |||
| type: string | |||
| hash256: | |||
There was a problem hiding this comment.
Is it worth commenting here that it's a hex encoded sha256, and how the two are handled by the API? (Can both be supplied, is hash legacy, and such).
There was a problem hiding this comment.
The documentation is in the 3.0 spec
https://github.com/google/omaha/blob/main/doc/ServerProtocolV3.md#package-response (mentioning both fields)
https://github.com/google/omaha/blob/main/doc/ServerProtocol.md#package-element (mentioning hash sha1 base64 encoding
and in the 3.1 spec
https://chromium.googlesource.com/chromium/src.git/+/master/docs/updater/protocol_3_1.md#update-checks-body-update-check-response-objects-update-check-response-9 (mentioning hash sha256 hex encoding but not mentioning the sha1 hash anymore).
The docs don't mention if one is optional but since hash_sha256 was added in a later 3.0 revision I think it's optional. In 3.1 only hash_sha256 is required so I think hash would be optional because it would be an extension.
pothos
force-pushed
the
kai/ambiguous-hash
branch
2 times, most recently
from
479e47a
to
35d47ad
Compare
For extra files there is only one hash attribute but it was used for both a SHA1 and SHA256 entry in the Omaha response. On the wire and in the UI it's unclear which of the formats it should be. Use two entries in the database for each hash format and make clear what the format looks like, i.e., base64 or hex. With a change in go-omaha we can also omit the empty regular SHA1 hash entry but in any case the client would be expected to know about the SHA256 attribute and use this instead. This would match what's done in https://chromium.googlesource.com/chromium/src.git/+/master/docs/updater/protocol_3_1.md
The syncer in self-hosting mode will download the files and store them with new names. The new name wasn't used for the extra file entries. Update the extra file entries to use the new name.
The download for go-bindata failed for no reason, it seems there is a problem with the proxy server. Disable the proxy server for now.
There are changes in the go-omaha version that haven't been used yet by Nebraska. One of them is to omit empty hash attributes. Use the latest commit ID in both the backend and the client library.
pothos
force-pushed
the
kai/ambiguous-hash
branch
from
35d47ad
to
f9eddf3
Compare
|
Found one more UI problem with extra files: #634 |
There was a problem hiding this comment.
LGTM. I was trying to avoid changes to the DB but after talking to @pothos I realize that maybe older implementations of a legacy installer may still rely on the checksum to be in te sha1 format, so let's have both of them in the DB.
For extra files there is only one hash attribute but it was used for
both a SHA1 and SHA256 entry in the Omaha response. On the wire and in
the UI it's unclear which of the formats it should be.
Use two entries in the database for each hash format and make clear what
the format looks like, i.e., base64 or hex. With a change in go-omaha
we can also omit the empty regular SHA1 hash entry but in any case the
client would be expected to know about the SHA256 attribute and use this
instead. This would match what's done in
https://chromium.googlesource.com/chromium/src.git/+/master/docs/updater/protocol_3_1.md
I've also added a small UI fix and a fix for self-hosting:
frontend: Move pipe out of literal text
The hash tip was rendered as
"Tip: cat update.gz false openssl dgst -sha1 -binary false base64"
where "false" should be "|".
Using "|" does not work in the literal text but it works through templating (which is also nicer for translation).
syncer: Use stored file name when self-hosting
The syncer in self-hosting mode will download the files and store them
with new names. The new name wasn't used for the extra file entries.
Update the extra file entries to use the new name.
How to use
With flatcar/go-omaha#9 the empty attribute would be omitted, which is maybe a nice idea but not required to merge this.
Testing done
Locally with update-engine and with curl.
Also tested that it can sync from the public server (no extra files).
Also tested that a local syncer will download packages correctly from the local nebraska:
Omaha:
(
flatcar_production_update.gz.sha256is a dummy extra file, just because it exists already on the server)