fix: download firmware releases from NabuCasa/silabs-firmware-builder releases branch (#49)

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: AlCalzone

package-lock.json

@@ -42,6 +42,7 @@
 		"zwave-js": "^15.21.1"
 	},
 	"dependencies": {
+		"@noble/hashes": "^2.0.1",
 		"improv-wifi-serial-sdk": "^2.5.0"
 	}
 }

package.json

@@ -1,7 +1,9 @@
 import { type BytesView } from "@zwave-js/shared";
+import { sha3_256 } from "@noble/hashes/sha3.js";
+import { bytesToHex } from "@noble/hashes/utils.js";
 
 /**
- * Utility functions for downloading and verifying Z-Wave firmware from GitHub
+ * Utility functions for downloading and verifying Z-Wave firmware
  */
 
 export interface FirmwareDownloadResult {
@@ -26,84 +28,136 @@ export class FirmwareDownloadError extends Error {
 
 interface GitHubRelease {
 	tag_name: string;
-	assets: GitHubAsset[];
+	draft: boolean;
+	prerelease: boolean;
 }
 
-interface GitHubAsset {
-	name: string;
-	browser_download_url: string;
-	digest?: string;
+interface FirmwareManifest {
+	metadata: {
+		created_at: string;
+	};
+	firmwares: FirmwareManifestEntry[];
+}
+
+interface FirmwareManifestEntry {
+	filename: string;
+	checksum: string;
+	size: number;
 }
 
+const SILABS_FIRMWARE_REPO = 'NabuCasa/silabs-firmware-builder';
+const RELEASES_BRANCH = 'releases';
+const RELEASES_LATEST_API_URL = `https://api.github.com/repos/${SILABS_FIRMWARE_REPO}/releases/latest`;
+const RELEASES_API_URL = `https://api.github.com/repos/${SILABS_FIRMWARE_REPO}/releases?per_page=30`;
+const RELEASES_BRANCH_RAW_BASE_URL =
+	`https://raw.githubusercontent.com/${SILABS_FIRMWARE_REPO}/${RELEASES_BRANCH}`;
+const ZWA2_FIRMWARE_PREFIX = 'zwa2_controller';
+
 /**
- * Downloads the latest Z-Wave firmware from the GitHub repository
+ * Downloads the latest Z-Wave firmware from silabs-firmware-builder release manifests
  * @returns Promise resolving to firmware file name and data
  * @throws FirmwareDownloadError if download or verification fails
  */
 export async function downloadLatestFirmware(): Promise<FirmwareDownloadResult> {
 	try {
-		// Fetch the latest release information
-		const releaseResponse = await fetch(
-			'https://api.github.com/repos/NabuCasa/zwave-firmware/releases/latest'
-		);
+		let latestRelease: GitHubRelease | undefined;
+		const latestReleaseResponse = await fetch(RELEASES_LATEST_API_URL);
+		if (latestReleaseResponse.ok) {
+			latestRelease = await latestReleaseResponse.json();
+		}
+
+		const releaseResponse = await fetch(RELEASES_API_URL);
 
-		if (!releaseResponse.ok) {
+		if (!releaseResponse.ok && !latestRelease) {
 			throw new FirmwareDownloadError(
-				`Failed to fetch release information: ${releaseResponse.status} ${releaseResponse.statusText}`
+				`Failed to fetch release list: ${releaseResponse.status} ${releaseResponse.statusText}`
 			);
 		}
 
-		const release: GitHubRelease = await releaseResponse.json();
-
-		// Find the GBL file in the assets
-		const gblAsset = release.assets.find(asset =>
-			asset.name.toLowerCase().endsWith('.gbl')
-		);
+		const releases: GitHubRelease[] = releaseResponse.ok
+			? await releaseResponse.json()
+			: [];
+		const stableReleases = releases.filter(release => !release.draft && !release.prerelease);
 
-		if (!gblAsset) {
-			throw new FirmwareDownloadError(
-				`No GBL firmware file found in release ${release.tag_name}`
-			);
+		if (
+			latestRelease &&
+			!stableReleases.some(release => release.tag_name === latestRelease.tag_name)
+		) {
+			stableReleases.unshift(latestRelease);
 		}
 
-		// Extract expected checksum from the digest property
-		let expectedChecksum: string | null = null;
-		if (gblAsset.digest) {
-			// The digest format is "sha256:hash"
-			const digestMatch = gblAsset.digest.match(/^sha256:([a-fA-F0-9]{64})$/);
-			if (digestMatch) {
-				expectedChecksum = digestMatch[1];
-			}
+		if (stableReleases.length === 0) {
+			throw new FirmwareDownloadError('No stable releases found in firmware repository');
 		}
 
-		// Download the firmware file through a CORS proxy
-		// GitHub doesn't provide CORS headers for release downloads, so we need a proxy
-		const proxyUrl = `https://corsproxy.io/?${encodeURIComponent(gblAsset.browser_download_url)}`;
-		const firmwareResponse = await fetch(proxyUrl);
+		let lastReleaseError: unknown;
 
-		if (!firmwareResponse.ok) {
-			throw new FirmwareDownloadError(
-				`Failed to download firmware: ${firmwareResponse.status} ${firmwareResponse.statusText}`
-			);
-		}
+		for (const release of stableReleases) {
+			try {
+				const manifestUrl = `${RELEASES_BRANCH_RAW_BASE_URL}/${release.tag_name}/manifest.json`;
 
-		const firmwareArrayBuffer = await firmwareResponse.arrayBuffer();
-		const firmwareData = new Uint8Array(firmwareArrayBuffer);
+				const manifestResponse = await fetch(manifestUrl);
+				if (!manifestResponse.ok) {
+					if (manifestResponse.status === 404) {
+						continue;
+					}
 
-		// Verify checksum if available
-		if (expectedChecksum) {
-			const actualChecksum = await calculateSHA256(firmwareData);
-			if (actualChecksum.toLowerCase() !== expectedChecksum.toLowerCase()) {
-				throw new FirmwareDownloadError(
-					`Checksum verification failed. Expected: ${expectedChecksum}, Got: ${actualChecksum}`
+					throw new FirmwareDownloadError(
+						`Failed to fetch manifest for release ${release.tag_name}: ${manifestResponse.status} ${manifestResponse.statusText}`
+					);
+				}
+
+				const manifest: FirmwareManifest = await manifestResponse.json();
+				const firmwareEntry = manifest.firmwares.find(
+					firmware =>
+						firmware.filename.startsWith(ZWA2_FIRMWARE_PREFIX) &&
+						firmware.filename.toLowerCase().endsWith('.gbl')
 				);
+
+				if (!firmwareEntry) {
+					continue;
+				}
+
+				const firmwareUrl = `${RELEASES_BRANCH_RAW_BASE_URL}/${release.tag_name}/${firmwareEntry.filename}`;
+				const firmwareResponse = await fetch(firmwareUrl);
+
+				if (!firmwareResponse.ok) {
+					throw new FirmwareDownloadError(
+						`Failed to download firmware from ${release.tag_name}: ${firmwareResponse.status} ${firmwareResponse.statusText}`
+					);
+				}
+
+				const firmwareArrayBuffer = await firmwareResponse.arrayBuffer();
+				const firmwareData = new Uint8Array(firmwareArrayBuffer);
+
+				if (firmwareEntry.size !== firmwareData.length) {
+					throw new FirmwareDownloadError(
+						`Firmware size verification failed for ${firmwareEntry.filename}. Expected: ${firmwareEntry.size}, Got: ${firmwareData.length}`
+					);
+				}
+
+				await verifyChecksum(firmwareData, firmwareEntry.checksum);
+
+				return {
+					fileName: firmwareEntry.filename,
+					data: firmwareData,
+				};
+			} catch (error) {
+				lastReleaseError = error;
+				continue;
 			}
 		}
 
-		return {
-			fileName: gblAsset.name,
-			data: firmwareData
-		};
+		if (lastReleaseError) {
+			throw new FirmwareDownloadError(
+				`Unable to download ${ZWA2_FIRMWARE_PREFIX} firmware from available releases`,
+				lastReleaseError
+			);
+		}
+
+		throw new FirmwareDownloadError(
+			`No ${ZWA2_FIRMWARE_PREFIX} firmware found in available release manifests`
+		);
 
 	} catch (error) {
 		if (error instanceof FirmwareDownloadError) {
@@ -137,3 +191,27 @@ async function calculateSHA256(data: Uint8Array): Promise<string> {
 	const hashArray = Array.from(new Uint8Array(hashBuffer));
 	return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
 }
+
+async function verifyChecksum(data: Uint8Array, checksum: string): Promise<void> {
+	const [algorithm, expectedHash] = checksum.split(':', 2);
+
+	if (!algorithm || !expectedHash) {
+		throw new FirmwareDownloadError(`Invalid checksum format: ${checksum}`);
+	}
+
+	let actualHash: string;
+
+	if (algorithm.toLowerCase() === 'sha256') {
+		actualHash = await calculateSHA256(data);
+	} else if (algorithm.toLowerCase() === 'sha3-256') {
+		actualHash = bytesToHex(sha3_256(data));
+	} else {
+		throw new FirmwareDownloadError(`Unsupported checksum algorithm: ${algorithm}`);
+	}
+
+	if (actualHash.toLowerCase() !== expectedHash.toLowerCase()) {
+		throw new FirmwareDownloadError(
+			`Checksum verification failed. Expected: ${expectedHash}, Got: ${actualHash}`
+		);
+	}
+}