use sha256 for checksum verification

elastic · Dec 6, 2023 · 481158e · 481158e
1 parent 488c11e
commit 481158e
Show file tree

Hide file tree

Showing 10 changed files with 43 additions and 43 deletions.
diff --git a/x-pack/build_chromium/build.py b/x-pack/build_chromium/build.py
@@ -3,7 +3,7 @@
 from build_util import (
   runcmd,
   runcmdsilent,
-  md5_file,
+  sha256_file,
 )
 
 # This file builds Chromium headless on Mac and Linux.
@@ -99,7 +99,7 @@
 # chromium-4747cc2-linux_x64.zip
 base_filename = 'out/headless/chromium-' + base_version + '-' + platform.system().lower() + '_' + arch_name
 zip_filename = base_filename + '.zip'
-md5_filename = base_filename + '.md5'
+sha256_filename = base_filename + '.sha256'
 
 print('Creating '  + path.join(src_path, zip_filename))
 archive = zipfile.ZipFile(zip_filename, mode='w', compression=zipfile.ZIP_DEFLATED)
@@ -126,9 +126,9 @@ def archive_file(name):
 
 archive.close()
 
-print('Creating ' + path.join(src_path, md5_filename))
-with open (md5_filename, 'w') as f:
-  f.write(md5_file(zip_filename))
+print('Creating ' + path.join(src_path, sha256_filename))
+with open (sha256_filename, 'w') as f:
+  f.write(sha256_file(zip_filename))
 
 runcmd('gsutil cp ' + path.join(src_path, zip_filename) + ' gs://headless_shell_staging')
-runcmd('gsutil cp ' + path.join(src_path, md5_filename) + ' gs://headless_shell_staging')
+runcmd('gsutil cp ' + path.join(src_path, sha256_filename) + ' gs://headless_shell_staging')
diff --git a/x-pack/build_chromium/build_util.py b/x-pack/build_chromium/build_util.py
@@ -20,10 +20,10 @@ def mkdir(dir):
   if not os.path.exists(dir):
     return os.makedirs(dir)
 
-def md5_file(filename):
+def sha256_file(filename):
   """Builds a hex md5 hash of the given file"""
-  md5 = hashlib.md5()
+  sha256 = hashlib.sha256()
   with open(filename, 'rb') as f:
-    for chunk in iter(lambda: f.read(128 * md5.block_size), b''):
-      md5.update(chunk)
-  return md5.hexdigest()
+    for chunk in iter(lambda: f.read(128 * sha256.block_size), b''):
+      sha256.update(chunk)
+  return sha256.hexdigest()
diff --git a/x-pack/plugins/reporting/server/browsers/chromium/paths.ts b/x-pack/plugins/reporting/server/browsers/chromium/paths.ts
@@ -44,8 +44,8 @@ export class ChromiumArchivePaths {
       platform: 'darwin',
       architecture: 'x64',
       archiveFilename: 'chrome-mac.zip',
-      archiveChecksum: '47cc74358cf85ba75ba5bf869f34420d',
-      binaryChecksum: 'd66d0e7745e7bbbcc313f3f534a988e0',
+      archiveChecksum: '35261c7a88f1797d27646c340eeaf7d7d70727f0c4ae884e8400240ed66d7192',
+      binaryChecksum: 'ca90fe7573ddb0723d633fe526acf0fdefdda570a549f35e15c111d10f3ffc0d',
       binaryRelativePath: 'chrome-mac/Chromium.app/Contents/MacOS/Chromium',
       revision: 1204244, // 1204232 is not available for Mac Intel
       location: 'common',
@@ -56,8 +56,8 @@ export class ChromiumArchivePaths {
       platform: 'darwin',
       architecture: 'arm64',
       archiveFilename: 'chrome-mac.zip',
-      archiveChecksum: '674c1d3560baaf9b05d76f2d4d42f7c6',
-      binaryChecksum: '93ac963222b282510c47ecc6c6afd18d',
+      archiveChecksum: '1ed375086a9505ee6bc9bc1373bebd79e87e5b27af5a93258ea25ffb6f71f03c',
+      binaryChecksum: 'a8556ed7ac2a669fa81f752f7d18a9d1e9b99b05d3504f6bbc08e3e0b02ff71e',
       binaryRelativePath: 'chrome-mac/Chromium.app/Contents/MacOS/Chromium',
       revision: 1204255, // 1204232 is not available for Mac_Arm
       location: 'common',
@@ -68,8 +68,8 @@ export class ChromiumArchivePaths {
       platform: 'linux',
       architecture: 'x64',
       archiveFilename: 'chromium-38c7255-locales-linux_x64.zip',
-      archiveChecksum: 'a72d52e016350904e6bd6aa0e145e700',
-      binaryChecksum: 'ed0e607e0511b858f5eae4157b1c8873',
+      archiveChecksum: 'bf07734366ece771a85b2452fd63e5981b1abc234ef0ed1c7d0774b8a7b5c6a9',
+      binaryChecksum: '87a991c412ad333549a58524b6be23f2a1ff56af61bb1a1b10c1f4a0206edc2a',
       binaryRelativePath: 'headless_shell-linux_x64/headless_shell',
       revision: 1204232,
       location: 'custom',
@@ -79,8 +79,8 @@ export class ChromiumArchivePaths {
       platform: 'linux',
       architecture: 'arm64',
       archiveFilename: 'chromium-38c7255-locales-linux_arm64.zip',
-      archiveChecksum: 'ccda8b6c3542d77fe561fe3a94907d96',
-      binaryChecksum: '610bfc0511982dd2822adc2c73c7874f',
+      archiveChecksum: '11c1cd2398ae3b57a72e7746e1f1cbbd2c2d18d1b83dec949dc81a3c690688f0',
+      binaryChecksum: '4d914034d466b97c438283dbc914230e087217c25028f403dfa3c933ea755e94',
       binaryRelativePath: 'headless_shell-linux_arm64/headless_shell',
       revision: 1204232,
       location: 'custom',
@@ -90,8 +90,8 @@ export class ChromiumArchivePaths {
       platform: 'win32',
       architecture: 'x64',
       archiveFilename: 'chrome-win.zip',
-      archiveChecksum: 'eed8c0b8edf043416fd7c87cc5866bc8',
-      binaryChecksum: '62c8ae93ffcb58b0a325c9aee92925ed',
+      archiveChecksum: 'd6f5a21973867115435814c2c46d49edd9a0a2ad6da14b4724746374cad80e47',
+      binaryChecksum: '9c0d2404004bd7c4ada649049422de6958460ecf6cec53460a478c6d8c33e444',
       binaryRelativePath: path.join('chrome-win', 'chrome.exe'),
       revision: 1204234, // 1204232 is not available for win
       location: 'common',

diff --git a/x-pack/plugins/reporting/server/browsers/download/checksum.test.ts b/x-pack/plugins/reporting/server/browsers/download/checksum.test.ts
@@ -9,9 +9,9 @@ jest.mock('fs');
 
 import { createReadStream, ReadStream } from 'fs';
 import { Readable } from 'stream';
-import { md5 } from './checksum';
+import { sha256 } from './checksum';
 
-describe('md5', () => {
+describe('sha256', () => {
   let stream: ReadStream;
 
   beforeEach(() => {
@@ -25,14 +25,14 @@ describe('md5', () => {
     (createReadStream as jest.MockedFunction<typeof createReadStream>).mockReturnValue(stream);
   });
 
-  it('should return an md5 hash', async () => {
-    await expect(md5('path')).resolves.toBe('437b930db84b8079c2dd804a71936b5f');
+  it('should return an sha256 hash', async () => {
+    await expect(sha256('path')).resolves.toBe('437b930db84b8079c2dd804a71936b5f');
   });
 
   it('should reject on stream error', async () => {
     const error = new Error('Some error');
     stream.destroy(error);
 
-    await expect(md5('path')).rejects.toEqual(error);
+    await expect(sha256('path')).rejects.toEqual(error);
   });
 });
diff --git a/x-pack/plugins/reporting/server/browsers/download/checksum.ts b/x-pack/plugins/reporting/server/browsers/download/checksum.ts
@@ -15,8 +15,8 @@ function readableEnd(stream: Readable) {
   });
 }
 
-export async function md5(path: string) {
-  const hash = createHash('md5');
+export async function sha256(path: string) {
+  const hash = createHash('sha256');
   await readableEnd(createReadStream(path).on('data', (chunk) => hash.update(chunk)));
   return hash.digest('hex');
 }
diff --git a/x-pack/plugins/reporting/server/browsers/download/download.test.ts b/x-pack/plugins/reporting/server/browsers/download/download.test.ts
@@ -48,9 +48,9 @@ test('downloads the url to the path', async () => {
   expect(readFileSync(TEMP_FILE, 'utf8')).toEqual(BODY);
 });
 
-test('returns the md5 hex hash of the http body', async () => {
+test('returns the sha256 hex hash of the http body', async () => {
   const BODY = 'foobar';
-  const HASH = createHash('md5').update(BODY).digest('hex');
+  const HASH = createHash('sha256').update(BODY).digest('hex');
   request.mockImplementationOnce(async () => {
     return {
       data: new ReadableOf(BODY),

diff --git a/x-pack/plugins/reporting/server/browsers/download/download.ts b/x-pack/plugins/reporting/server/browsers/download/download.ts
@@ -21,7 +21,7 @@ export async function download(
 ): Promise<string> {
   logger.info(`Downloading ${url} to ${path}`);
 
-  const hash = createHash('md5');
+  const hash = createHash('sha256');
 
   mkdirSync(dirname(path), { recursive: true });
   const handle = openSync(path, 'w');

diff --git a/x-pack/plugins/reporting/server/browsers/download/ensure_downloaded.test.ts b/x-pack/plugins/reporting/server/browsers/download/ensure_downloaded.test.ts
@@ -10,7 +10,7 @@ import mockFs from 'mock-fs';
 import { existsSync, readdirSync } from 'fs';
 import { chromium } from '../chromium';
 import { download } from './download';
-import { md5 } from './checksum';
+import { sha256 } from './checksum';
 import { ensureBrowserDownloaded } from './ensure_downloaded';
 import { LevelLogger } from '../../lib';
 
@@ -28,18 +28,18 @@ describe.skip('ensureBrowserDownloaded', () => {
       warning: jest.fn(),
     } as unknown as typeof logger;
 
-    (md5 as jest.MockedFunction<typeof md5>).mockImplementation(
+    (sha256 as jest.MockedFunction<typeof sha256>).mockImplementation(
       async (packagePath) =>
         chromium.paths.packages.find(
           (packageInfo) => chromium.paths.resolvePath(packageInfo) === packagePath
-        )?.archiveChecksum ?? 'some-md5'
+        )?.archiveChecksum ?? 'some-sha256'
     );
 
     (download as jest.MockedFunction<typeof download>).mockImplementation(
       async (_url, packagePath) =>
         chromium.paths.packages.find(
           (packageInfo) => chromium.paths.resolvePath(packageInfo) === packagePath
-        )?.archiveChecksum ?? 'some-md5'
+        )?.archiveChecksum ?? 'some-sha256'
     );
 
     mockFs();
@@ -73,8 +73,8 @@ describe.skip('ensureBrowserDownloaded', () => {
     await expect(ensureBrowserDownloaded(logger)).rejects.toBeInstanceOf(Error);
   });
 
-  it('should reject when downloaded md5 hash is different', async () => {
-    (download as jest.MockedFunction<typeof download>).mockResolvedValue('random-md5');
+  it('should reject when downloaded sha256 hash is different', async () => {
+    (download as jest.MockedFunction<typeof download>).mockResolvedValue('random-sha256');
 
     await expect(ensureBrowserDownloaded(logger)).rejects.toBeInstanceOf(Error);
   });
@@ -110,8 +110,8 @@ describe.skip('ensureBrowserDownloaded', () => {
       ]);
     });
 
-    it('should download again if md5 hash different', async () => {
-      (md5 as jest.MockedFunction<typeof md5>).mockResolvedValueOnce('random-md5');
+    it('should download again if sha256 hash different', async () => {
+      (sha256 as jest.MockedFunction<typeof sha256>).mockResolvedValueOnce('random-sha256');
       await ensureBrowserDownloaded(logger);
 
       expect(download).toHaveBeenCalledTimes(1);

diff --git a/x-pack/plugins/reporting/server/browsers/download/ensure_downloaded.ts b/x-pack/plugins/reporting/server/browsers/download/ensure_downloaded.ts
@@ -9,7 +9,7 @@ import { existsSync } from 'fs';
 import del from 'del';
 import { BrowserDownload, chromium } from '../';
 import { GenericLevelLogger } from '../../lib/level_logger';
-import { md5 } from './checksum';
+import { sha256 } from './checksum';
 import { download } from './download';
 
 /**
@@ -48,7 +48,7 @@ async function ensureDownloaded(browsers: BrowserDownload[], logger: GenericLeve
 
             let foundChecksum: string;
             try {
-              foundChecksum = await md5(path).catch();
+              foundChecksum = await sha256(path).catch();
             } catch {
               foundChecksum = 'MISSING';
             }

diff --git a/x-pack/plugins/reporting/server/browsers/install.ts b/x-pack/plugins/reporting/server/browsers/install.ts
@@ -12,7 +12,7 @@ import * as Rx from 'rxjs';
 import { GenericLevelLogger } from '../lib/level_logger';
 import { ChromiumArchivePaths } from './chromium';
 import { ensureBrowserDownloaded } from './download';
-import { md5 } from './download/checksum';
+import { sha256 } from './download/checksum';
 import { extract } from './extract';
 
 /**
@@ -36,7 +36,7 @@ export function installBrowser(
 
   const backgroundInstall = async () => {
     const binaryPath = paths.getBinaryPath(pkg);
-    const binaryChecksum = await md5(binaryPath).catch(() => '');
+    const binaryChecksum = await sha256(binaryPath).catch(() => '');
 
     if (binaryChecksum !== pkg.binaryChecksum) {
       logger.warning(