Fix hash verification

cjom · cjom · commit eb2ed5e3d099 · 2026-01-17T17:07:03.000Z
diff --git a/.github/workflows/build-openwrt.yaml b/.github/workflows/build-openwrt.yaml
@@ -74,9 +74,10 @@ jobs:
 
       - name: Setup configuration and custom files
         run: |
-          # patch files with repository info
+          # delete unneeded folders and patch files with repository info
+          rm -frv builder_repo/.git builder_repo/.github
           for file in $(grep -rl XXXXXX builder_repo/); do echo "Patching: $file"; sed -i 's|XXXXXX/YYYYYY|${{ github.repository }}|g' "$file" || exit 1; done
-          patch -p1 < builder_repo/patch-attendedsysupgrade.patch
+          patch -p1 < builder_repo/attendedsysupgrade-with-GitHub.patch
           mv -v builder_repo/files ./
           chmod -v 755 files/usr/bin/upgrade_custom_openwrt files/www/cgi-bin/github_*
           mv -v builder_repo/${{ env.CONFIG_FILE }} .config
diff --git a/attendedsysupgrade-with-GitHub.patch b/attendedsysupgrade-with-GitHub.patch
@@ -22,7 +22,7 @@
  			branch: get_branch(promises[1].release.version),
  			revision: promises[1].release.revision,
  			efi: promises[2],
-@@ -745,13 +751,271 @@
+@@ -745,13 +751,218 @@
  			E(
  				'button',
  				{
@@ -202,78 +202,25 @@
 +				}
 +
 +				if (data.success) {
-+					// Firmware is already downloaded to /tmp/firmware.bin
-+					// Verify the SHA256 hash if available
-+					if (data.sha256) {
-+						// Calculate the SHA256 hash of the downloaded file
-+						L.resolveDefault(callFileExec('sha256sum', ['/tmp/firmware.bin']), {})
-+							.then(result => {
-+								if (result && result.stdout) {
-+									// Extract the hash from the command output (first 64 characters)
-+									const calculatedHash = result.stdout.trim().substring(0, 64);
-+
-+									if (calculatedHash.toLowerCase() === data.sha256.toLowerCase()) {
-+										// Hashes match, proceed with installation
-+										ui.showModal(_('Installing...'), [
-+											E('div', { class: 'spinning' }, [
-+												E('p', _('Installing the sysupgrade image...')),
-+												E('p',
-+												_('Once the image is written, the system will reboot.')
-+												+ ' ' +
-+												_('This should take at least a minute, so please wait for the login screen.')
-+												),
-+												E('b', _('While you are waiting, do not unpower device!')),
-+											]),
-+										]);
-+
-+										L.resolveDefault(callUpgradeStart(keep), {}).then((response) => {
-+											// Wait 10 seconds before we try to reconnect...
-+											let hosts = keep ? [] : ['192.168.1.1', 'openwrt.lan'];
-+											setTimeout(() => { ui.awaitReconnect(...hosts); }, 10000);
-+										});
-+									} else {
-+										// Hashes don't match, show error
-+										ui.showModal(_('Wrong checksum'), [
-+											E('p', _('Calculated SHA256: %s').format(calculatedHash)),
-+											E('p', _('Expected SHA256: %s').format(data.sha256)),
-+											E('p', _('Error during verification of the downloaded firmware. Please try again')),
-+											E('div', { class: 'btn', click: ui.hideModal }, _('Close')),
-+										]);
-+									}
-+								} else {
-+									// Could not calculate hash, show error
-+									ui.showModal(_('Verification Error'), [
-+										E('p', _('Could not calculate SHA256 hash of the downloaded firmware')),
-+										E('div', { class: 'btn', click: ui.hideModal }, _('Close')),
-+									]);
-+								}
-+							})
-+							.catch(error => {
-+								ui.showModal(_('Verification Error'), [
-+									E('p', _('Error calculating SHA256 hash: %s').format(error.message)),
-+									E('div', { class: 'btn', click: ui.hideModal }, _('Close')),
-+								]);
-+							});
-+					} else {
-+						// No hash to verify, proceed with installation
-+						ui.showModal(_('Installing...'), [
-+							E('div', { class: 'spinning' }, [
-+								E('p', _('Installing the sysupgrade image...')),
-+								E('p',
-+								_('Once the image is written, the system will reboot.')
-+								+ ' ' +
-+								_('This should take at least a minute, so please wait for the login screen.')
-+								),
-+								E('b', _('While you are waiting, do not unpower device!')),
-+							]),
-+						]);
++					// Firmware is already downloaded to the device and SHA256 verified by the CGI script
++					// Path returned by the CGI script: ${data.path || '/tmp/firmware.bin'}
++					ui.showModal(_('Installing...'), [
++						E('div', { class: 'spinning' }, [
++							E('p', _('Installing the sysupgrade image...')),
++							E('p',
++							_('Once the image is written, the system will reboot.')
++							+ ' ' +
++							_('This should take at least a minute, so please wait for the login screen.')
++							),
++							E('b', _('While you are waiting, do not unpower device!')),
++						]),
++					]);
 +
-+						L.resolveDefault(callUpgradeStart(keep), {}).then((response) => {
-+							// Wait 10 seconds before we try to reconnect...
-+							let hosts = keep ? [] : ['192.168.1.1', 'openwrt.lan'];
-+							setTimeout(() => { ui.awaitReconnect(...hosts); }, 10000);
-+						});
-+					}
++					L.resolveDefault(callUpgradeStart(keep), {}).then((response) => {
++						// Wait 10 seconds before we try to reconnect...
++						let hosts = keep ? [] : ['192.168.1.1', 'openwrt.lan'];
++						setTimeout(() => { ui.awaitReconnect(...hosts); }, 10000);
++					});
 +				} else {
 +					ui.showModal(_('Error'), [
 +						E('p', _('Unexpected response from firmware download script')),
diff --git a/files/www/cgi-bin/github_fetch b/files/www/cgi-bin/github_fetch
@@ -1,39 +1,58 @@
 #!/bin/sh
 
 # CGI header
-echo "Content-Type: application/json"
-echo ""
+printf 'Content-Type: application/json\n\n'
 
-# Parse query string to get the tag parameter
+# Read query string (from env or first arg)
 QUERY_STRING="${QUERY_STRING:-$1}"
-TAG=$(echo "$QUERY_STRING" | sed -n 's/.*tag=\([^&]*\).*/\1/p' | sed 's/%2B/+/g; s/%3D/=/g; s/%2F/\//g')
 
-# If TAG is empty, try to get it directly from the query string
+# Extract tag parameter (simple URL-decode of %XX sequences and +->space not needed here)
+# Use parameter expansion and sed to get tag value if present, otherwise use whole string
+TAG=$(printf '%s' "$QUERY_STRING" | sed -n 's/.*[?&]*tag=\([^&]*\).*/\1/p')
+[ -z "$TAG" ] && TAG="$QUERY_STRING"
+# Decode percent-encoding (handles %2B, %2F, etc.)
+TAG=$(printf '%b' "$(printf '%s' "$TAG" | sed 's/+/ /g;s/%/\\x/g')")
+
+# basic validation
 if [ -z "$TAG" ]; then
-    TAG="$QUERY_STRING"
+  printf '{"error":"missing tag"}'
+  exit 1
+fi
+
+# Fetch release metadata once
+RELEASE_JSON=$(curl -sS "https://api.github.com/repos/XXXXXX/YYYYYY/releases/tags/$TAG") || {
+  printf '{"error":"failed to fetch release metadata"}'
+  exit 1
+}
+
+# Extract sysupgrade asset URL and sha256sums asset URL and any inline digest
+URL=$(printf '%s' "$RELEASE_JSON" | jq -r '.assets[] | select(.browser_download_url|contains("sysupgrade")) | .browser_download_url // empty' | head -n1)
+if [ -z "$URL" ]; then
+  printf '{"error":"No sysupgrade firmware found"}'
+  exit 1
 fi
-# Fetch the latest release from GitHub and extract the sysupgrade asset URL
-URL=$(curl -sS "https://api.github.com/repos/XXXXXX/YYYYYY/releases/tags/$TAG" | jq -r '.assets[] | select(.browser_download_url | contains("sysupgrade")) | select((length == 0) | not) | .browser_download_url')
-if [ -z "$URL" ] || [ "$URL" = "null" ]; then
-    echo '{"error": "No sysupgrade firmware found"}'
+
+FILENAME=$(basename "$URL")
+# Try: 1) sha256sums asset file, 2) asset .digest field (sha256:)
+SHA256_URL=$(printf '%s' "$RELEASE_JSON" | jq -r '.assets[] | select(.browser_download_url|contains("sha256sums")) | .browser_download_url // empty' | head -n1)
+# download sha256sums and extract matching line
+[ -n "$SHA256_URL" ] && SHA256=$(curl -sSL "$SHA256_URL" | sed -n "s|\([0-9a-fA-F]*\).*${FILENAME}|\1|p")
+# fallback to metadata if present
+[ -z "$SHA256" ] && SHA256=$(printf '%s' "$RELEASE_JSON" | jq -r '.assets[] | select(.browser_download_url|contains("sysupgrade")) | .digest // empty' | sed -n 's/^sha256://p' | head -n1)
+
+if [ -z "$SHA256" ]; then
+  # If still missing, report and stop
+  printf '{"error":"Could not get SHA256 hash for %s"}' "$FILENAME"
+  exit 1
+fi
+
+# Download firmware and verify SHA256
+FIRMWAREFILE="/tmp/firmware.bin"
+if curl -sS -L -o "$FIRMWAREFILE" "$URL" && printf '%s  %s\n' "$SHA256" "$FIRMWAREFILE" | sha256sum -cs >/dev/null 2>&1; then
+  printf '{"success":true,"path":"%s"}' "$FIRMWAREFILE"
+  exit 0
 else
-    SHA256_URL=$(curl -sS "https://api.github.com/repos/XXXXXX/YYYYYY/releases/tags/$TAG" | jq -r '.assets[] | select(.browser_download_url | contains("sha256sums")) | select((length == 0) | not) | .browser_download_url')
-    if [ -n "$SHA256_URL" ] && [ "$SHA256_URL" != "null" ]; then
-        FILENAME=$(basename "$URL")
-        # Get the SHA256 hash for the specific file
-        SHA256=$(curl -sSL "$SHA256_URL" | sed -n "s|\(.*\) .*${FILENAME}.*|\1|p")
-    fi
-    if [ -z "$SHA256" ]; then
-        SHA256=$(curl -sS "https://api.github.com/repos/XXXXXX/YYYYYY/releases/tags/$TAG" | jq -r '.assets[] | select(.browser_download_url | contains("sysupgrade")) | select((length == 0) | not) | .digest' | sed 's|sha256:||')
-    fi
-    if [ -z "$SHA256" ]; then
-        echo "{\"error\": \"Could not get SHA256 hash for $FILENAME\"}"
-    else
-        # Download the firmware file to /tmp/firmware.bin
-        if curl -sS -L -o /tmp/firmware.bin "$URL"; then
-            echo "{\"success\": true, \"path\": \"/tmp/firmware.bin\", \"sha256\": \"$SHA256\"}"
-        else
-            echo "{\"error\": \"Failed to download firmware from $URL\"}"
-        fi
-    fi
+  printf '{"error":"SHA256 hash mismatch for downloaded firmware"}'
+  rm -f "$FIRMWAREFILE"
+  exit 1
 fi
