src/main/java/io/github/moulberry/notenoughupdates/miscfeatures/updater/SignedGithubUpdateData.kt


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70

/*
 * Copyright (C) 2024 NotEnoughUpdates contributors
 *
 * This file is part of NotEnoughUpdates.
 *
 * NotEnoughUpdates is free software: you can redistribute it
 * and/or modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation, either
 * version 3 of the License, or (at your option) any later version.
 *
 * NotEnoughUpdates is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with NotEnoughUpdates. If not, see <https://www.gnu.org/licenses/>.
 */

package io.github.moulberry.notenoughupdates.miscfeatures.updater

import com.google.gson.JsonElement
import moe.nea.libautoupdate.GithubReleaseUpdateSource.GithubRelease
import moe.nea.libautoupdate.UpdateData
import moe.nea.libautoupdate.UpdateUtils
import java.io.ByteArrayInputStream
import java.net.URL

class SignedGithubUpdateData(
    versionName: String,
    versionNumber: JsonElement,
    sha256: String,
    download: String,
    val signatures: List<GithubRelease.Download>
) : UpdateData(
    versionName,
    versionNumber,
    sha256,
    download
) {
    override fun toString(): String {
        return "${super.toString()} + Signatures(signatures = ${signatures.map { it.name }}})"
    }

    fun verifyAnySignature(): Boolean {
        val signatories = validSignatories
        for (signatory in signatories) {
            println("Accepted signature from ${signatory.name}")
        }
        return signatories.size >= 2
    }

    val validSignatories by lazy {
        findValidSignatories()
    }


    private fun findValidSignatories(): List<GithubRelease.Download> {
        val signatures = signatures
        return signatures.filter { verifySignature(it) }
    }

    private fun verifySignature(signatureDownload: GithubRelease.Download): Boolean {
        val name = signatureDownload.name.substringBeforeLast('.').substringAfterLast("_")
        val signatureBytes = UpdateUtils.openUrlConnection(URL(signatureDownload.browserDownloadUrl)).readBytes()
        val hashBytes = ByteArrayInputStream(sha256.uppercase().encodeToByteArray())
        return SigningPool.verifySignature(name, hashBytes, signatureBytes)
    }

}