Add CLI flags to specify what hash is preferred

2025-12-22 11:55:40 +01:00 · 2024-09-09 10:25:13 +02:00 · 2024-09-09 10:25:13 +02:00 · 37c9eaf346
commit 37c9eaf346
parent be2e4e7424
2 changed files with 34 additions and 28 deletions
--- a/cmd/csaf_downloader/config.go
+++ b/cmd/csaf_downloader/config.go
@ -41,6 +41,13 @@ const (
 	validationUnsafe = validationMode("unsafe")
 )
 type hashAlgorithm string
 const (
 	algSha256  = hashAlgorithm("SHA256")
 	algSha2512 = hashAlgorithm("SHA512")
 )
 type config struct {
 	Directory            string            `short:"d" long:"directory" description:"DIRectory to store the downloaded files in" value-name:"DIR" toml:"directory"`
 	Insecure             bool              `long:"insecure" description:"Do not check TLS certificates from provider" toml:"insecure"`
@ -79,6 +86,9 @@ type config struct {
 	clientCerts   []tls.Certificate
 	ignorePattern filter.PatternMatcher
 	//lint:ignore SA5008 We are using choice or than once: sha256, sha512
 	PreferredHash hashAlgorithm `long:"preferred_hash" short:"h" choice:"sha256" choice:"sha512" value-name:"HASH" description:"HASH to prefer" toml:"preferred_hash"`
 }
 // configPaths are the potential file locations of the config file.
@ -220,7 +230,7 @@ func (cfg *config) prepareLogging() error {
 		w = f
 	}
 	ho := slog.HandlerOptions{
-		//AddSource: true,
+		// AddSource: true,
 		Level:       cfg.LogLevel.Level,
 		ReplaceAttr: dropSubSeconds,
 	}
--- a/cmd/csaf_downloader/downloader.go
+++ b/cmd/csaf_downloader/downloader.go
@ -53,7 +53,6 @@ type downloader struct {
 const failedValidationDir = "failed_validation"
 func newDownloader(cfg *config) (*downloader, error) {
 	var validator csaf.RemoteValidator
 	if cfg.RemoteValidator != "" {
@ -103,7 +102,6 @@ func logRedirect(req *http.Request, via []*http.Request) error {
 }
 func (d *downloader) httpClient() util.Client {
 	hClient := http.Client{}
 	if d.cfg.verbose() {
@ -253,7 +251,6 @@ func (d *downloader) downloadFiles(
 	label csaf.TLPLabel,
 	files []csaf.AdvisoryFile,
 ) error {
 	var (
 		advisoryCh = make(chan csaf.AdvisoryFile)
 		errorCh    = make(chan error)
@ -303,7 +300,6 @@ func (d *downloader) loadOpenPGPKeys(
 	base *url.URL,
 	expr *util.PathEval,
 ) error {
 	src, err := expr.Eval("$.public_openpgp_keys", doc)
 	if err != nil {
 		// no keys.
@ -357,7 +353,6 @@ func (d *downloader) loadOpenPGPKeys(
 			defer res.Body.Close()
 			return crypto.NewKeyFromArmoredReader(res.Body)
 		}()
 		if err != nil {
 			slog.Warn(
 				"Reading public OpenPGP key failed",
@ -501,31 +496,35 @@ nextAdvisory:
 			signData                   []byte
 		)
-		// Only hash when we have a remote counterpart we can compare it with.
+		if (d.cfg.PreferredHash != "sha512" || file.SHA512URL() == "") && file.SHA256URL() != "" {
-		if remoteSHA256, s256Data, err = loadHash(client, file.SHA256URL()); err != nil {
+			// Only hash when we have a remote counterpart we can compare it with.
-			if !file.IsDirectory() {
+			if remoteSHA256, s256Data, err = loadHash(client, file.SHA256URL()); err != nil {
-				slog.Warn("Cannot fetch SHA256",
+				if !file.IsDirectory() {
-					"url", file.SHA256URL(),
+					slog.Warn("Cannot fetch SHA256",
-					"error", err)
+						"url", file.SHA256URL(),
 						"error", err)
 				} else {
 					slog.Info("SHA256 not present", "file", file.URL())
 				}
 			} else {
-				slog.Info("SHA256 not present", "file", file.URL())
+				s256 = sha256.New()
 				writers = append(writers, s256)
 			}
 		} else {
 			s256 = sha256.New()
 			writers = append(writers, s256)
 		}
-		if remoteSHA512, s512Data, err = loadHash(client, file.SHA512URL()); err != nil {
+		if (d.cfg.PreferredHash != "sha256" || file.SHA256URL() == "") && file.SHA512URL() != "" {
-			if !file.IsDirectory() {
+			if remoteSHA512, s512Data, err = loadHash(client, file.SHA512URL()); err != nil {
-				slog.Warn("Cannot fetch SHA512",
+				if !file.IsDirectory() {
-					"url", file.SHA512URL(),
+					slog.Warn("Cannot fetch SHA512",
-					"error", err)
+						"url", file.SHA512URL(),
 						"error", err)
 				} else {
 					slog.Info("SHA512 not present", "file", file.URL())
 				}
 			} else {
-				slog.Info("SHA512 not present", "file", file.URL())
+				s512 = sha512.New()
 				writers = append(writers, s512)
 			}
 		} else {
 			s512 = sha512.New()
 			writers = append(writers, s512)
 		}
 		// Remember the data as we need to store it to file later.
@ -757,9 +756,6 @@ func loadSignature(client util.Client, p string) (*crypto.PGPSignature, []byte,
 }
 func loadHash(client util.Client, p string) ([]byte, []byte, error) {
 	if p == "" {
 		return nil, nil, fmt.Errorf("no hash path provided")
 	}
 	resp, err := client.Get(p)
 	if err != nil {
 		return nil, nil, err