tools: verify with gpg if md5 is not present in update-icu #50507
Conversation
|
Review requested:
|
islandryu
changed the title
islandryu
force-pushed
the
chore/enableVerifyWithSignatureIcu
branch
from
7eda2d2
to
996127a
Compare
tools/dep_updaters/update-icu.sh
Outdated
| @@ -41,6 +41,9 @@ NEW_VERSION_TGZ="icu4c-${LOW_DASHED_NEW_VERSION}-src.tgz" | |||
| NEW_VERSION_TGZ_URL="https://github.com/unicode-org/icu/releases/download/release-${DASHED_NEW_VERSION}/$NEW_VERSION_TGZ" | |||
|
|
|||
| NEW_VERSION_MD5="https://github.com/unicode-org/icu/releases/download/release-${DASHED_NEW_VERSION}/icu4c-${LOW_DASHED_NEW_VERSION}-src.md5" | |||
| NEW_VERSION_TGZ_ASC_URL="https://github.com/unicode-org/icu/releases/download/release-${DASHED_NEW_VERSION}/icu4c-${LOW_DASHED_NEW_VERSION}-src.tgz.asc" | |||
|
|
|||
| KEY_URL="https://raw.githubusercontent.com/unicode-org/icu/release-$(echo $NEW_VERSION | sed 's/\./-/')/KEYS" | |||
There was a problem hiding this comment.
I don't know myself if the key is correct at this URL.
|
We need to decide what to do with https://github.com/nodejs/node/blob/main/tools/icu/current_ver.dep if we can't use md5 anymore (I don't know what's the purpose of that file) |
It's used to validate ICU downloads if Lines 778 to 782 in a037b88 Lines 1646 to 1679 in a037b88 |
If we're going to verify it based on .asc, we're going to need a dedicated process at the point you indicated. I think it would be good to save the public key and signature information in current_ver.dep or a separate file and verify it as well as md5. |
islandryu
force-pushed
the
chore/enableVerifyWithSignatureIcu
branch
from
996127a
to
582e809
Compare
| def checkGPG(targetfile, key_url, sig_url): | ||
| key_data = download_file(key_url) |
There was a problem hiding this comment.
gpg verification of modification based on url stored in current_ver.dep
|
cc @srl295 in case you missed this pull request |
I missed it, but it's fixed upstream |
islandryu
force-pushed
the
chore/enableVerifyWithSignatureIcu
branch
from
582e809
to
a05004f
Compare
tools/dep_updaters/update-icu.sh
Outdated
| @@ -84,6 +82,7 @@ rm -rf "$DEPS_DIR/icu" | |||
|
|
|||
| perl -i -pe "s|\"url\": .*|\"url\": \"$NEW_VERSION_TGZ_URL\",|" "$TOOLS_DIR/icu/current_ver.dep" | |||
|
|
|||
| perl -i -pe "$REGEX" "$TOOLS_DIR/icu/current_ver.dep" | |||
There was a problem hiding this comment.
conflict resolved
and changed writing of current_ver.dep to be done after icu file change
|
This needs a rebase. |
ICU releases may not include md5 files to verify code Added a branch to verify from .asc file using gpg in such cases Fixes: nodejs#50498
islandryu
force-pushed
the
chore/enableVerifyWithSignatureIcu
branch
from
a05004f
to
368605a
Compare
|
The rebase is done. |
There was a problem hiding this comment.
If gpg isn't installed AND the md5 is present, then the md5 should be used.
https://unicode-org.atlassian.net/jira/software/c/projects/ICU/issues/ICU-22567 was a bug and not a new direction for ICU.
I would suggest a logic change here:
- if the md5 signature is available, verify it.
- if gpg is installed AND the signature is available, verify it.
Warn if neither are available.
Warn if gpg wasn't installed (that is, could not verify provenance.)
configure.py
Outdated
|
|
||
| warn(f'Expected: {expectHash} *MISMATCH*') | ||
| warn(f'\n ** Corrupted ZIP? Delete {targetfile} to retry download.\n') | ||
| if "gpg" in icu: |
There was a problem hiding this comment.
Should this also verify that gpg is present and installed?
There was a problem hiding this comment.
Changed to check both gpg and md5.
- Only warn when md5 cannot be obtained.
- Only warn if gpg signature cannot be obtained or gpg is not installed
- If neither is available, warn and no update.
- If either fails verification, warn out and no update
|
Absence of md5 is an ICU issue and was fixed, However verifying with gpg is not a bad idea. |
Fix: #50498
The problem may be that md5 is not present in the icu, but even in such a case, I used .asc to pass the validation.
If the absence of md5 is clearly an icu issue, this PR will be closed.