From f0b9398942afe4b53e8ed503b12891478243c291 Mon Sep 17 00:00:00 2001 From: Jason Andryuk Date: Wed, 30 Aug 2023 16:15:48 -0400 Subject: [PATCH 1/4] verify-repo-metadata: Support more hashes Use the hash length to determine which algorithm to use. Signed-off-by: Jason Andryuk --- .../xenclient-repo-certs/verify-repo-metadata | 21 ++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/recipes-openxt/xenclient-repo-certs/xenclient-repo-certs/verify-repo-metadata b/recipes-openxt/xenclient-repo-certs/xenclient-repo-certs/verify-repo-metadata index f0ba9333ec..b0f5af1a99 100755 --- a/recipes-openxt/xenclient-repo-certs/xenclient-repo-certs/verify-repo-metadata +++ b/recipes-openxt/xenclient-repo-certs/xenclient-repo-certs/verify-repo-metadata @@ -54,6 +54,24 @@ Exit status: EOF } +get_hasher() +{ + case "${#1}" in + 64) + echo "sha256sum" + ;; + 96) + echo "sha384sum" + ;; + 128) + echo "sha512sum" + ;; + *) + die "invalid checksum length" + ;; + esac +} + verify_xc_packages() { local PACKAGES_CHECKSUM=$(sed -n 's/^packages://p' "${REPOSITORY_FILE}") || @@ -62,7 +80,8 @@ verify_xc_packages() [ -n "${PACKAGES_CHECKSUM}" ] || die "XC-PACKAGES checksum MISSING" - local FILE_CHECKSUM=$(sha256sum "${PACKAGES_FILE}" | cut -f1 -d' ') || + local hasher="$( get_hasher "${PACKAGES_CHECKSUM}" )" + local FILE_CHECKSUM=$( "$hasher" "${PACKAGES_FILE}" | cut -f1 -d' ') || die "error calculating checksum of '${PACKAGES_FILE}'" [ -n "${FILE_CHECKSUM}" ] || From 179697d91b0a996912bd6ccef94d002c3c8ab4be Mon Sep 17 00:00:00 2001 From: Jason Andryuk Date: Thu, 31 Aug 2023 12:04:55 -0400 Subject: [PATCH 2/4] verify-repo-metadata: Add package checking Use getopts to allow -d and -p to be specified in any order. Signed-off-by: Jason Andryuk --- .../xenclient-repo-certs/verify-repo-metadata | 36 +++++++++++++++---- 1 file changed, 30 insertions(+), 6 deletions(-) 
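Review bot: The `die "invalid checksum length"` arm in get_hasher cannot stop the script, because the second hunk calls it as `local hasher="$( get_hasher "${PACKAGES_CHECKSUM}" )"`: the command substitution runs in a subshell, and `local` discards its exit status. With an unexpected length the script goes on to run `"$hasher"` with whatever the substitution captured (die's body is not in this patch, so whether that is empty or the error text is unconfirmed). Only the later `[ -n "${FILE_CHECKSUM}" ]` test, whose tail is outside the hunk, stops it, and with a different message. Have the `*)` arm `return 1` and split the call site into `local hasher` followed by `hasher=$(get_hasher "${PACKAGES_CHECKSUM}") || die "invalid checksum length"`. The same masking applies to the `local FILE_CHECKSUM=$( "$hasher" ... ) || die` line on the new side, where the `|| die` can never fire.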
diff --git a/recipes-openxt/xenclient-repo-certs/xenclient-repo-certs/verify-repo-metadata b/recipes-openxt/xenclient-repo-certs/xenclient-repo-certs/verify-repo-metadata index b0f5af1a99..00f70c6606 100755 --- a/recipes-openxt/xenclient-repo-certs/xenclient-repo-certs/verify-repo-metadata +++ b/recipes-openxt/xenclient-repo-certs/xenclient-repo-certs/verify-repo-metadata @@ -5,15 +5,22 @@ PROD_CERT_FILE="/usr/share/xenclient/repo-certs/prod/cert.pem" DEV_CERT_FILE="/usr/share/xenclient/repo-certs/dev/cert.pem" +VERIFY_PACKAGES=0 + parse_args() { ALLOW_DEV_KEY=0 - if [ "$1" = "-d" ] ; then - ALLOW_DEV_KEY=1 - shift - fi + while getopts "dp" opt ; do + case "$opt" in + d) ALLOW_DEV_KEY=1 ;; + p) VERIFY_PACKAGES=1 ;; + \?) die "unknown option" ;; + *) die "getopts error" ;; + esac + done + shift "$(( OPTIND - 1 ))" if [ $# -ne 1 ] ; then usage exit 2 @@ -29,7 +36,7 @@ parse_args() usage() { cat < Date: Thu, 31 Aug 2023 12:06:25 -0400 Subject: [PATCH 3/4] verify-repo-metadata: Check signature first It's better this way to check the signature before looking at the contents. --- .../xenclient-repo-certs/verify-repo-metadata | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/recipes-openxt/xenclient-repo-certs/xenclient-repo-certs/verify-repo-metadata b/recipes-openxt/xenclient-repo-certs/xenclient-repo-certs/verify-repo-metadata index 00f70c6606..ea2b3e0066 100755 --- a/recipes-openxt/xenclient-repo-certs/xenclient-repo-certs/verify-repo-metadata +++ b/recipes-openxt/xenclient-repo-certs/xenclient-repo-certs/verify-repo-metadata @@ -55,7 +55,7 @@ signatures created with the XenClient production signing certificate. Exit status: 0 metadata is valid - 1 metadata is valid except for invalid signature + 1 invalid signature 2 metadata is not valid or another error occurred EOF 
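Review bot: The `\?)` arm of the new getopts loop sends an unknown option through `die`, while the wrong-argument-count path just below prints `usage` and exits 2. die's body is outside this hunk, so confirm it exits with 2 and not 1, since the usage text documents 1 as the signature-failure status. Handling both cases the same way would be more consistent: `\?) usage ; exit 2 ;;`. As a style point, `VERIFY_PACKAGES=0` is initialised at file scope while `ALLOW_DEV_KEY=0` is set inside parse_args; keeping the two defaults side by side makes the option handling easier to audit. parse_args continues past the end of the hunk.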
@@ -155,13 +155,12 @@ die() parse_args "$@" +# Verify XC-REPOSITORY against signature in XC-SIGNATURE. +verify_xc_repository + # Verify XC-PACKAGES against checksum in XC-REPOSITORY. verify_xc_packages -# Verify XC-REPOSITORY against signature in XC-SIGNATURE. Must be done last, -# so we only exit with status 1 if metadata is valid except for signature. -verify_xc_repository - if [ "$VERIFY_PACKAGES" -eq 1 ] ; then verify_xc_packages_contents fi From 369f493200e7e2520f32c9c91166e3b31f661f91 Mon Sep 17 00:00:00 2001 From: Jason Andryuk Date: Fri, 1 Sep 2023 08:33:23 -0400 Subject: [PATCH 4/4] updatemgr: Make verify-repo-metadata check packages Use the new option to check the package hashes. --- .../updatemgr/updatemgr-verify-packages.patch | 13 +++++++++++++ recipes-openxt/manager/updatemgr_git.bb | 1 + 2 files changed, 14 insertions(+) create mode 100644 recipes-openxt/manager/updatemgr/updatemgr-verify-packages.patch diff --git a/recipes-openxt/manager/updatemgr/updatemgr-verify-packages.patch b/recipes-openxt/manager/updatemgr/updatemgr-verify-packages.patch new file mode 100644 index 0000000000..20f8f25643 --- /dev/null +++ b/recipes-openxt/manager/updatemgr/updatemgr-verify-packages.patch @@ -0,0 +1,13 @@ +--- a/UpdateMgr/Logic.hs ++++ b/UpdateMgr/Logic.hs +@@ -346,8 +346,8 @@ verifyUpdateMetadataSignature :: Update + verifyUpdateMetadataSignature = void $ + handleError failed . safeShellExecuteAndLogOutput . cmd =<< allowDevRepoCert + where +- cmd False = "verify-repo-metadata " ++ updateDirCurrent +- cmd True = "verify-repo-metadata -d " ++ updateDirCurrent ++ cmd False = "verify-repo-metadata -p " ++ updateDirCurrent ++ cmd True = "verify-repo-metadata -d -p " ++ updateDirCurrent + failed _ = throwError $ localE FailedSignatureVerification + + handleError = flip catchError diff --git a/recipes-openxt/manager/updatemgr_git.bb b/recipes-openxt/manager/updatemgr_git.bb index 9c8eb04789..3689f1481c 100644 --- a/recipes-openxt/manager/updatemgr_git.bb 
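Review bot: The new comment above `verify_xc_repository` drops the rationale the old one carried and does not say why the order now matters. I would state the trust boundary there, e.g. `# Must run first: nothing read from XC-REPOSITORY, including the packages: checksum whose length selects the hash tool, is trusted until its signature verifies.` The reordering only gives that guarantee if verify_xc_repository exits on failure rather than returning. Its body is outside this hunk, so that is worth confirming.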
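Review bot: With `-p` added to both `cmd` arms, a package hash mismatch or any other non-zero exit is still reported through `failed _ = throwError $ localE FailedSignatureVerification`, in a function still named verifyUpdateMetadataSignature. verify-repo-metadata documents exit 1 as an invalid signature and exit 2 as other failures, so a corrupted or substituted package will be labelled a signature failure unless the exit code is inspected. At minimum, a comment here should say the call now also covers package contents. The embedded patch also has no description or `Upstream-Status:` header, which the OpenEmbedded patch guidelines expect.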
+++ b/recipes-openxt/manager/updatemgr_git.bb @@ -29,6 +29,7 @@ require manager.inc SRC_URI += " \ file://updatemgr.initscript \ + file://updatemgr-verify-packages.patch \ " S = "${WORKDIR}/git/updatemgr"