openhab / openhabian

openHABian - empowering the smart home, for Raspberry Pi and Debian systems
https://community.openhab.org/t/13379
ISC License

Add file hash #1704

Closed udo1toni closed 1 year ago

udo1toni commented 1 year ago

As there are always situations where one does not know if the downloaded file is corrupt or not, it is desirable to have a checksum like sha1 or md5.

Or is there any other way to ensure the file was not compromised?

Larsen-Locke commented 1 year ago

What a coincidence: Yesterday I started an attempt to include openhabian in the Raspi-Imager, and this only works with sha256 checksums, so I did that for the images. Just look at my previous issue and the linked file (rpi-imager-openhabian.yaml). The command is just sha256sum [filename]. To check manually, these hashes could be saved on the server. The Raspi-Imager checks automatically.

udo1toni commented 1 year ago

:)

mstormi commented 1 year ago

Can you provide a PR against the GitHub action that builds the image? See https://github.com/openhab/openhabian/blob/main/.github/workflows/build-action.yml

Not sure where the hashed output would need to be put. Where does Raspi imager expect it?

Larsen-Locke commented 1 year ago

> Not sure where the hashed output would need to be put. Where does Raspi imager expect it?

Raspi imager expects it in the json-file that has to be made available for download at a static folder. Doesn't the filename already contain a checksum (crc...)?

mstormi commented 1 year ago

Fixed-By: #1708

mstormi commented 1 year ago

See release 1.7.4b. Hash is in the .json file to work with raspi imager, is that enough or would you require some other format?

mstormi commented 1 year ago

@udo1toni ?

udo1toni commented 1 year ago

Hmm... Is there a way to print the sha256sum to the Release Message? Or at least information that one can get the checksum through the json file?

mstormi commented 1 year ago

Like so? https://github.com/openhab/openhabian/releases/tag/v1.7.4b

Larsen-Locke commented 1 year ago

By the way, a checksum is already included in the file name of the image. It is the hex value that follows crc (currently: 075defd9). crc32 is not safe regarding manipulations, but it is sufficient against incomplete downloads etc. If crc32 is not available, the package libarchive-zip-perl has to be installed.

mstormi commented 1 year ago

I'd think now that we have both that's sufficient.

udo1toni commented 1 year ago

Thanks, that's very helpful.
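
The two checks discussed in this thread, combined into one pass over a downloaded file, as an added example that is not part of the original thread or of openHABian's own code. It assumes the crc32 in the file name covers exactly the bytes of the file being checked (the thread does not say whether that is the compressed or the extracted image) and that the expected sha256 has been copied by hand from the release's .json file; the function names and the sample file are constructed for illustration.

```python
import hashlib
import hmac
import os
import re
import tempfile
import zlib

# Assumption: the file name carries "crc" followed by 8 hex digits, as in the thread.
CRC_TAG = re.compile(r"crc([0-9a-fA-F]{8})")


def digests(path, chunk_size=1 << 20):
    """Stream the file once and return (crc32_hex, sha256_hex)."""
    crc = 0
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(block, crc)
            sha.update(block)
    return f"{crc & 0xFFFFFFFF:08x}", sha.hexdigest()


def verify_image(path, expected_sha256):
    """Return (crc_ok, sha_ok); crc_ok is None when the name has no crc tag.

    Assumption: the crc in the name covers exactly the bytes of `path`.
    crc_ok only catches broken downloads; sha_ok is the integrity check.
    """
    crc, sha = digests(path)
    tag = CRC_TAG.search(os.path.basename(path))
    crc_ok = None if tag is None else tag.group(1).lower() == crc
    sha_ok = hmac.compare_digest(sha, expected_sha256.strip().lower())
    return crc_ok, sha_ok


def demo():
    """Constructed sample: a 9-byte stand-in image and a truncated copy."""
    data = b"123456789"  # CRC-32 of these bytes is cbf43926
    expected = hashlib.sha256(data).hexdigest()  # stands in for the .json value
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "sample-crccbf43926.img")
        short = os.path.join(tmp, "short-crccbf43926.img")
        with open(good, "wb") as fh:
            fh.write(data)
        with open(short, "wb") as fh:
            fh.write(data[:-1])
        return verify_image(good, expected), verify_image(short, expected)


if __name__ == "__main__":
    print(demo())
```

The sha256 result is only as trustworthy as the channel the expected value was read from, so take it from the release page or .json file over HTTPS rather than from the same mirror as the image.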