Use Hash Verification of any Downloaded Files

[newzealandpaul]

I propose this project uses the same approach as homebrew and other package managers.

Scripts should contain the hash values of any files downloaded. For example in the adguard.sh script it has this line:

wget -qL https://static.adguard.com/adguardhome/release/AdGuardHome_linux_amd64.tar.gz

This should ideally download a specific version of the file, followed by a hash check eg.

# In header of adguard.sh
ADGUARD_URL="https://github.com/AdguardTeam/AdGuardHome/releases/download/v0.108.0-b.59/AdGuardHome_linux_amd64.tar.gz"
ADGUARD_ARCHIVE="AdGuardHome_linux_amd64.tar.gz"
ADGUARD_SHA256="72719613d472299c46d25c53b694611d90a357e3ac3ebb6f8b1bc7beef119608"
....

# build.func or some other location
check_sha256() {
  local file=$1
  local expected_sha256=$2

  # Calculate the sha256 checksum of the file
  local calculated_sha256=$(sha256sum "$file" | awk '{ print $1 }')

  # Compare the calculated checksum with the expected checksum
  if [ "$calculated_sha256" == "$expected_sha256" ]; then
    echo "Success: Checksum matches."
    return 0
  else
    echo "Error: Checksum does not match."
    return 1
  fi
}

....
# in adguard.sh body
wget -qL ADGUARD_URL

# Download the file
wget -O $FILE $URL

# Verify the download
if [ $? -ne 0 ]; then
  echo "Error: Failed to download archive."
  exit 1
fi

# Check the sha256 checksum using the function
check_sha256 $FILE $ADGUARD_SHA256
if [ $? -ne 0 ]; then
  exit 2
fi

msg_info "Stopping AdguardHome"
systemctl stop AdGuardHome
msg_ok "Stopped AdguardHome"

....

This would require a new commit when adguard updates, but this I think would be worth the time of maintainers to ensure users are getting the file they expected. It works well for homebrew.

[Mellowlynx]

I like this idea, but for the scripts itself.
I'm not sure if this is workable with the number of scripts there are, but maybe it's an option.

[newzealandpaul]

It would indeed require more community resources. There is a small cli app I created and users of the app have maintained the homebrew file, although most recently I submitted a patch to the homebrew.

[judeibe]

This would require a bot to work in the long run. Homebrew has BrewTestBot that works using brew bump. They also have an automerge after a test run.

[newzealandpaul]

A bot would certainly help. Keep in mind not all software is being downloaded manually. Many projects are being installed from official repositories (be they app repos or debian/alpine repos).

[uSlackr]

Perhaps we should walk before we run. As stated, a change like this would significantly increase the need for resources even if a bot is used. I'd hate to see scripts fall by the wayside if we get out ahead of ourselves. I'm very encouraged by the energy at this point and hope we can honor the ttech's legacy. \\Greg

…

________________________________ From: Paul ***@***.***> Sent: Saturday, November 2, 2024 19:07 To: community-scripts/ProxmoxVE ***@***.***> Cc: Subscribed ***@***.***> Subject: Re: [community-scripts/ProxmoxVE] Use Hash Verification of any Downloaded Files (Discussion #17) A bot would certainly help. Keep in mind not all software is being downloaded manually. Many projects are being installed from official repositories (be they app repos or debian/alpine repos). — Reply to this email directly, view it on GitHub<#17 (reply in thread)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AGEO6Z66KGNGM6IYVKXPDM3Z6VLL5AVCNFSM6AAAAABRCDLLB2VHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTCMJTGE3TKOA>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[newzealandpaul]

I hear what you are saying. I do think we should be discussing the future. tteck's legacy will live on.