Implement Checksum validation #59
Converted to draft PR, as I've just noticed that Godot doesn't seem to provide checksums for builds up to 3.2.2-beta1, which will need to be handled by informing the user about the missing checksum and asking how to proceed. I'll extend the PR for that, and if anybody wants, intermediate feedback is greatly appreciated :)
Hey, thank you! This looks like it took quite a bit of effort, so I applaud you for getting it done! Overall, code looks very well structured. I might suggest renaming the Would you go into more detail in your PR description about the steps this takes to ensure checksums are valid and how it does it, as well as how the tests or test data work (specifically, what the
Thanks for the feedback, I'll address it in the coming days, and seeing the failed CI runs, I'll also test it more thoroughly.
Nice addition! Thanks for working on this @Shaderbug.
Hi everyone, I need some input from you on how we want to proceed with this PR when there's no published checksum for an archive, or a checksum mismatch. My first plan would be:
If I understand correctly, I think I'd prefer if users just retry the command with a flag in either of those scenarios, as opposed to interactive input prompts. It's simpler. Maybe a shorter flag name, like
+1 to using a flag for both scenarios over interactive prompts. I like the shorter flag name. Here are a few suggestions to consider if you'd prefer the flag to include "checksum" in the name.
I've updated the description as requested. If further questions arise during the review, I'm happy to amend it :)
I've released version 2.1.0 with your changes! Thank you so much for your hard work 🥳
Hi everyone,
this is my implementation of checksum checking, I tried to make my contributions match the existing style in this codebase. Looking forward to your feedback :)
Overall design
While Godot unfortunately doesn't sign their releases, they publish JSON files containing SHA-512 checksums of their official builds in the `godotengine/godot-builds` repository.
This PR introduces an `IGodotChecksumClient` interface, which is intended to be used to work with and validate checksums of archives, and implements it with a `GodotChecksumClient` that accesses the aforementioned builds repository to obtain checksums and validate them.
This client is then used in the `GodotRepository` after a file has been downloaded to verify its checksum against the published one.
As Godot doesn't publish checksums for builds up to 3.2.2-beta1, an additional command-line parameter called `--unsafe-skip-checksum-verification` has been added to the `godot install` command, that allows skipping the checksum verification.
For JSON parsing, `System.Text.Json` is used, and for checksum calculation `System.Security.Cryptography`, introducing no new dependencies.
As the unit tests require real JSON data to test the implementation against, two files from the `godot-builds` repository are added to the repository and included into the test assembly as embedded resources.
Another thing of note is that two unit tests create temporary files for testing the checksum calculation and mismatch handling, but they should be collision free due to one using a standard library function for creating a temporary file, the other appending a GUID to the path it creates.
Additional Changes
`SemanticVersion` class were added, and it was extended with a method that formats semantic versions the way Godot prints them (i.e. omitting the patch if it's zero).
`.universal` suffix, but `.64` instead
Closes #58
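
The verification flow described in the PR description above, as an added example that is not code from this PR or the project: it looks up the published SHA-512 for a file name in a release manifest, hashes the downloaded stream, and reports a missing entry separately from a mismatch. The manifest layout (a `files` array of `filename`/`checksum` objects), the type and method names, and the sample data are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public enum ChecksumResult { Match, Mismatch, NotPublished }

public static class ChecksumDemo
{
    // Assumed manifest layout: { "files": [ { "filename": "...", "checksum": "<hex SHA-512>" } ] }
    public static ChecksumResult Verify(string manifestJson, string fileName, Stream archive)
    {
        using var doc = JsonDocument.Parse(manifestJson); // malformed JSON throws, so it fails closed
        string hex = "";
        if (doc.RootElement.ValueKind == JsonValueKind.Object
            && doc.RootElement.TryGetProperty("files", out var files)
            && files.ValueKind == JsonValueKind.Array)
        {
            foreach (var f in files.EnumerateArray())
            {
                if (f.ValueKind == JsonValueKind.Object
                    && f.TryGetProperty("filename", out var n)
                    && n.ValueKind == JsonValueKind.String && n.GetString() == fileName
                    && f.TryGetProperty("checksum", out var c) && c.ValueKind == JsonValueKind.String)
                    hex = c.GetString() ?? "";
            }
        }
        // No entry for this file: report it separately from a mismatch so the
        // caller can require an explicit opt-out instead of continuing silently.
        if (hex.Length == 0) return ChecksumResult.NotPublished;

        byte[] expected;
        try { expected = Convert.FromHexString(hex.Trim()); }
        catch (FormatException) { return ChecksumResult.Mismatch; } // unusable entry never passes

        using var sha = SHA512.Create();
        byte[] actual = sha.ComputeHash(archive);
        return CryptographicOperations.FixedTimeEquals(actual, expected)
            ? ChecksumResult.Match : ChecksumResult.Mismatch;
    }

    public static void Main()
    {
        // Constructed sample data: fake archive bytes and a manifest built from their hash.
        byte[] data = Encoding.UTF8.GetBytes("constructed archive bytes");
        string hex = Convert.ToHexString(SHA512.HashData(data)).ToLowerInvariant();
        string manifest = $"{{\"files\":[{{\"filename\":\"demo.zip\",\"checksum\":\"{hex}\"}}]}}";
        Console.WriteLine(Verify(manifest, "demo.zip", new MemoryStream(data)));  // unmodified archive
        data[0] ^= 1;                                                             // simulate a corrupted download
        Console.WriteLine(Verify(manifest, "demo.zip", new MemoryStream(data)));
        Console.WriteLine(Verify(manifest, "other.zip", new MemoryStream(data))); // file absent from manifest
    }
}
```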