From 560c8c9500cb2d920527d6889e37f4d3fd1fb361 Mon Sep 17 00:00:00 2001 From: Brandon Wood Date: Sat, 23 Jan 2016 21:25:03 -0600 Subject: [PATCH 1/3] Added support for sha256 checksums --- nvm.sh | 35 +++++++++++++++++++++++------------ 1 file changed, 23 insertions(+), 12 deletions(-) diff --git a/nvm.sh b/nvm.sh index d4250dd..0d68e45 100755 --- a/nvm.sh +++ b/nvm.sh @@ -759,15 +759,28 @@ nvm_ls_remote_index_tab() { nvm_checksum() { local NVM_CHECKSUM - if nvm_has "sha1sum" && ! nvm_is_alias "sha1sum"; then - NVM_CHECKSUM="$(command sha1sum "$1" | command awk '{print $1}')" - elif nvm_has "sha1" && ! nvm_is_alias "sha1"; then - NVM_CHECKSUM="$(command sha1 -q "$1")" - elif nvm_has "shasum" && ! nvm_is_alias "shasum"; then - NVM_CHECKSUM="$(shasum "$1" | command awk '{print $1}')" + if [ -z "$3" ] || [ "$3" == "sha1" ]; then + if nvm_has "sha1sum" && ! nvm_is_alias "sha1sum"; then + NVM_CHECKSUM="$(command sha1sum "$1" | command awk '{print $1}')" + elif nvm_has "sha1" && ! nvm_is_alias "sha1"; then + NVM_CHECKSUM="$(command sha1 -q "$1")" + elif nvm_has "shasum" && ! nvm_is_alias "shasum"; then + NVM_CHECKSUM="$(shasum "$1" | command awk '{print $1}')" + else + echo "Unaliased sha1sum, sha1, or shasum not found." >&2 + return 2 + fi else - echo "Unaliased sha1sum, sha1, or shasum not found." >&2 - return 2 + if nvm_has "sha256sum" && ! nvm_is_alias "sha256sum"; then + NVM_CHECKSUM="$(command sha256sum "$1" | command awk '{print $1}')" + elif nvm_has "sha256" && ! nvm_is_alias "sha256"; then + NVM_CHECKSUM="$(command sha256 -q "$1")" + elif nvm_has "gsha256sum" && ! nvm_is_alias "gsha256sum"; then + NVM_CHECKSUM="$(gsha256sum "$1" | command awk '{print $1}')" + else + echo "Unaliased sha256sum, sha256, or gsha256sum not found." >&2 + return 2 + fi fi if [ "_$NVM_CHECKSUM" = "_$2" ]; then @@ -1051,8 +1064,7 @@ nvm_install_merged_node_binary() { fi if ( [ "$NVM_INSTALL_ERRORED" != true ] && \ - echo "WARNING: checksums are currently disabled for node.js v4.0 and later" >&2 && \ - # nvm_checksum "$tmptarball" "$sum" && \ + nvm_checksum "$tmptarball" "$sum" "sha256" && \ command tar -x${tar_compression_flag}f "$tmptarball" -C "$tmpdir" --strip-components 1 && \ command rm -f "$tmptarball" && \ command mkdir -p "$VERSION_PATH" && \ @@ -1126,8 +1138,7 @@ nvm_install_iojs_binary() { fi if ( [ "$NVM_INSTALL_ERRORED" != true ] && \ - echo "WARNING: checksums are currently disabled for io.js" >&2 && \ - # nvm_checksum "$tmptarball" "$sum" && \ + nvm_checksum "$tmptarball" "$sum" "sha256" && \ command tar -x${tar_compression_flag}f "$tmptarball" -C "$tmpdir" --strip-components 1 && \ command rm -f "$tmptarball" && \ command mkdir -p "$VERSION_PATH" && \ From f1bca106a8f5fc6a4b88b5ef30603cf31ea531f1 Mon Sep 17 00:00:00 2001 From: Brandon Wood Date: Sat, 23 Jan 2016 22:17:43 -0600 Subject: [PATCH 2/3] Added (optional) support for sha256 checksum utils This commit adds (optional) support for additional sha256 checksum utilities for newer versions of node.js and io.js that use sha256 checksums rather than sha1. If nothing is found to do a sha256 checksum on the client machine, a warning is printed and things continue on as normal. Following comments from @ljharb on incorporating some of @DomT4's PR creationix/nvm#664, and making this checksum optional. If I could I would gladly include this as an addon to the now closed PR creationix/nvm#664. I am choosing not to file it onto that PR because it's closed and (currently) significantly behind the master branch. @DomT4 did the hard work of actually finding all the different ways in which one could verify a sha256 checksum, I've just included those here in an effort to move forward with sha256 checksum support. --- nvm.sh | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/nvm.sh b/nvm.sh index 0d68e45..f5dd8bd 100755 --- a/nvm.sh +++ b/nvm.sh @@ -772,14 +772,23 @@ nvm_checksum() { fi else if nvm_has "sha256sum" && ! nvm_is_alias "sha256sum"; then - NVM_CHECKSUM="$(command sha256sum "$1" | command awk '{print $1}')" + NVM_CHECKSUM="$(sha256sum "$1" | awk '{print $1}')" + elif nvm_has "shasum" && ! nvm_is_alias "shasum"; then + NVM_CHECKSUM="$(shasum -a 256 "$1" | awk '{print $1}')" elif nvm_has "sha256" && ! nvm_is_alias "sha256"; then - NVM_CHECKSUM="$(command sha256 -q "$1")" + NVM_CHECKSUM="$(sha256 -q "$1" | awk '{print $1}')" elif nvm_has "gsha256sum" && ! nvm_is_alias "gsha256sum"; then - NVM_CHECKSUM="$(gsha256sum "$1" | command awk '{print $1}')" + NVM_CHECKSUM="$(gsha256sum "$1" | awk '{print $1}')" + elif nvm_has "openssl" && ! nvm_is_alias "openssl"; then + NVM_CHECKSUM="$(openssl dgst -sha256 "$1" | rev | awk '{print $1}' | rev)" + elif nvm_has "libressl" && ! nvm_is_alias "libressl"; then + NVM_CHECKSUM="$(libressl dgst -sha256 "$1" | rev | awk '{print $1}' | rev)" + elif nvm_has "bssl" && ! nvm_is_alias "bssl"; then + NVM_CHECKSUM="$(bssl sha256sum "$1" | awk '{print $1}')" else echo "Unaliased sha256sum, sha256, or gsha256sum not found." >&2 - return 2 + echo "WARNING: Continuing *without checksum verification*" >&2 + return fi fi From f73bfb65780709b181cc4f53bff554f67f26a2b3 Mon Sep 17 00:00:00 2001 From: Brandon Wood Date: Sun, 24 Jan 2016 11:53:19 -0600 Subject: [PATCH 3/3] Updated warning message when sha256sum utility not found Relates to @ljharb's comment on the warning message not including all of the utilties searched for. https://github.com/creationix/nvm/pull/981#discussion_r50638351 --- nvm.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nvm.sh b/nvm.sh index f5dd8bd..b8ffb0d 100755 --- a/nvm.sh +++ b/nvm.sh @@ -786,7 +786,7 @@ nvm_checksum() { elif nvm_has "bssl" && ! nvm_is_alias "bssl"; then NVM_CHECKSUM="$(bssl sha256sum "$1" | awk '{print $1}')" else - echo "Unaliased sha256sum, sha256, or gsha256sum not found." >&2 + echo "Unaliased sha256sum, shasum, sha256, gsha256sum, openssl, libressl, or bssl not found." >&2 echo "WARNING: Continuing *without checksum verification*" >&2 return fi