fleet/orbit/pkg/update/hash.go

package update

import (
	"bytes"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"hash"
	"io"
	"os"
	"strings"

	"github.com/rs/zerolog/log"
	"github.com/theupdateframework/go-tuf/data"
)

// checkFileHash checks the file at the local path against the provided hash functions.
func checkFileHash(meta *data.TargetFileMeta, localPath string) error {
	metaHash, localHash, err := fileHashes(meta, localPath)
	if err != nil {
		return fmt.Errorf("failed to calculate local file hash: %s", err)
	}
	if !bytes.Equal(localHash, metaHash) {
		return fmt.Errorf("hash %x does not match expected: %x", localHash, metaHash)
	}
	return nil
}

func fileHashes(meta *data.TargetFileMeta, localPath string) (metaHash []byte, localHash []byte, err error) {
	hashFn, metaHash, err := selectHashFunction(meta)
	if err != nil {
		return nil, nil, err
	}

	f, err := os.Open(localPath)
	if err != nil {
		// If tar.gz doesn't exist but a hash file does, use the cached hash file
		if os.IsNotExist(err) && strings.HasSuffix(localPath, ".tar.gz") {
			cachedHash, err := readCachedHash(localPath, meta)
			if err == nil {
				return metaHash, cachedHash, nil
			}
			log.Info().Err(err).Msg("failed to read cached hash file")
		}
		return nil, nil, fmt.Errorf("open file for hash: %w", err)
	}
	defer f.Close()

	if _, err := io.Copy(hashFn, f); err != nil {
		return nil, nil, fmt.Errorf("read file for hash: %w", err)
	}
	return metaHash, hashFn.Sum(nil), nil
}

// selectHashFunction returns the first matching hash function and expected
// hash, otherwise returning an error if no matching hash can be found.
//
// SHA512 is preferred, and SHA256 is returned if 512 is not available.
func selectHashFunction(meta *data.TargetFileMeta) (hash.Hash, []byte, error) {
	for hashName, hashVal := range meta.Hashes {
		if hashName == "sha512" {
			return sha512.New(), hashVal, nil
		}
	}

	for hashName, hashVal := range meta.Hashes {
		if hashName == "sha256" {
			return sha256.New(), hashVal, nil
		}
	}

	return nil, nil, fmt.Errorf("no matching hash function found: %v", meta.HashAlgorithms())
}

// readCachedHash reads a cached hash from a .sha512 file
// created during packaging when the tar.gz was removed to save space.
func readCachedHash(tarGzPath string, meta *data.TargetFileMeta) ([]byte, error) {
	// Check if TUF metadata has SHA512 (currently the only hash file used)
	for hashName := range meta.Hashes {
		if hashName == "sha512" {
			hashPath := tarGzPath + ".sha512"
			var hashHex []byte
			var err error
			if hashHex, err = os.ReadFile(hashPath); err != nil {
				return nil, err
			}
			return hex.DecodeString(strings.TrimSpace(string(hashHex)))
		}
	}

	return nil, fmt.Errorf("no cached hash file found for %s", tarGzPath)
}
Add PoC autoupdate functionality This demonstrates the ability to download the verified "stable" version of osquery and execute it with the given flags. 2021-01-13 03:00:16 +00:00			`package update`

			`import (`
			`"bytes"`
			`"crypto/sha256"`
			`"crypto/sha512"`
When building Linux and macOS fleetd packages, removed duplicate copies of osqueryd and fleet-desktop (#32697) Fixes #32280 - Removed osqueryd.tar.gz from macOS package and desktop.tar.gz from macOS and Linux packages and replaced them with .sha512 hash caches. # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] QA'd all new/changed functionality manually ## fleetd/orbit/Fleet Desktop - [x] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)) - [x] Verified that fleetd runs on macOS, Linux and Windows - [x] Verified auto-update works from the released version of component to the new version (see [tools/tuf/test](../tools/tuf/test/README.md)) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * Bug Fixes * Eliminated duplicate osqueryd and Fleet Desktop binaries in Linux and macOS packages, preventing duplicate entries in .deb/.pkg and ensuring cleaner installs. * Chores * Added packaging cleanup to remove leftover tar.gz artifacts, reducing package size and avoiding accidental inclusion in builds. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-09-09 22:13:30 +00:00			`"encoding/hex"`
Use new error handling approach in other packages (#2954) 2021-11-22 14:13:26 +00:00			`"fmt"`
Add PoC autoupdate functionality This demonstrates the ability to download the verified "stable" version of osquery and execute it with the given flags. 2021-01-13 03:00:16 +00:00			`"hash"`
			`"io"`
			`"os"`
When building Linux and macOS fleetd packages, removed duplicate copies of osqueryd and fleet-desktop (#32697) Fixes #32280 - Removed osqueryd.tar.gz from macOS package and desktop.tar.gz from macOS and Linux packages and replaced them with .sha512 hash caches. # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] QA'd all new/changed functionality manually ## fleetd/orbit/Fleet Desktop - [x] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)) - [x] Verified that fleetd runs on macOS, Linux and Windows - [x] Verified auto-update works from the released version of component to the new version (see [tools/tuf/test](../tools/tuf/test/README.md)) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * Bug Fixes * Eliminated duplicate osqueryd and Fleet Desktop binaries in Linux and macOS packages, preventing duplicate entries in .deb/.pkg and ensuring cleaner installs. * Chores * Added packaging cleanup to remove leftover tar.gz artifacts, reducing package size and avoiding accidental inclusion in builds. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-09-09 22:13:30 +00:00			`"strings"`
Add PoC autoupdate functionality This demonstrates the ability to download the verified "stable" version of osquery and execute it with the given flags. 2021-01-13 03:00:16 +00:00
When building Linux and macOS fleetd packages, removed duplicate copies of osqueryd and fleet-desktop (#32697) Fixes #32280 - Removed osqueryd.tar.gz from macOS package and desktop.tar.gz from macOS and Linux packages and replaced them with .sha512 hash caches. # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] QA'd all new/changed functionality manually ## fleetd/orbit/Fleet Desktop - [x] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)) - [x] Verified that fleetd runs on macOS, Linux and Windows - [x] Verified auto-update works from the released version of component to the new version (see [tools/tuf/test](../tools/tuf/test/README.md)) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * Bug Fixes * Eliminated duplicate osqueryd and Fleet Desktop binaries in Linux and macOS packages, preventing duplicate entries in .deb/.pkg and ensuring cleaner installs. * Chores * Added packaging cleanup to remove leftover tar.gz artifacts, reducing package size and avoiding accidental inclusion in builds. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-09-09 22:13:30 +00:00			`"github.com/rs/zerolog/log"`
Add PoC autoupdate functionality This demonstrates the ability to download the verified "stable" version of osquery and execute it with the given flags. 2021-01-13 03:00:16 +00:00			`"github.com/theupdateframework/go-tuf/data"`
			`)`

Fix update checks for orbit at startup (#3835) * Fix update checks for orbit at startup * Add tests * Add scripts for testing local TUF server * Remove -x used for debugging 2022-02-23 17:58:07 +00:00			`// checkFileHash checks the file at the local path against the provided hash functions.`
			`func checkFileHash(meta *data.TargetFileMeta, localPath string) error {`
			`metaHash, localHash, err := fileHashes(meta, localPath)`
Add PoC autoupdate functionality This demonstrates the ability to download the verified "stable" version of osquery and execute it with the given flags. 2021-01-13 03:00:16 +00:00			`if err != nil {`
Fix update checks for orbit at startup (#3835) * Fix update checks for orbit at startup * Add tests * Add scripts for testing local TUF server * Remove -x used for debugging 2022-02-23 17:58:07 +00:00			`return fmt.Errorf("failed to calculate local file hash: %s", err)`
Add PoC autoupdate functionality This demonstrates the ability to download the verified "stable" version of osquery and execute it with the given flags. 2021-01-13 03:00:16 +00:00			`}`
Fix update checks for orbit at startup (#3835) * Fix update checks for orbit at startup * Add tests * Add scripts for testing local TUF server * Remove -x used for debugging 2022-02-23 17:58:07 +00:00			`if !bytes.Equal(localHash, metaHash) {`
			`return fmt.Errorf("hash %x does not match expected: %x", localHash, metaHash)`
			`}`
			`return nil`
			`}`
Add PoC autoupdate functionality This demonstrates the ability to download the verified "stable" version of osquery and execute it with the given flags. 2021-01-13 03:00:16 +00:00
Fix update checks for orbit at startup (#3835) * Fix update checks for orbit at startup * Add tests * Add scripts for testing local TUF server * Remove -x used for debugging 2022-02-23 17:58:07 +00:00			`func fileHashes(meta *data.TargetFileMeta, localPath string) (metaHash []byte, localHash []byte, err error) {`
			`hashFn, metaHash, err := selectHashFunction(meta)`
Add PoC autoupdate functionality This demonstrates the ability to download the verified "stable" version of osquery and execute it with the given flags. 2021-01-13 03:00:16 +00:00			`if err != nil {`
Fix update checks for orbit at startup (#3835) * Fix update checks for orbit at startup * Add tests * Add scripts for testing local TUF server * Remove -x used for debugging 2022-02-23 17:58:07 +00:00			`return nil, nil, err`
Add PoC autoupdate functionality This demonstrates the ability to download the verified "stable" version of osquery and execute it with the given flags. 2021-01-13 03:00:16 +00:00			`}`

Fix update checks for orbit at startup (#3835) * Fix update checks for orbit at startup * Add tests * Add scripts for testing local TUF server * Remove -x used for debugging 2022-02-23 17:58:07 +00:00			`f, err := os.Open(localPath)`
			`if err != nil {`
When building Linux and macOS fleetd packages, removed duplicate copies of osqueryd and fleet-desktop (#32697) Fixes #32280 - Removed osqueryd.tar.gz from macOS package and desktop.tar.gz from macOS and Linux packages and replaced them with .sha512 hash caches. # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] QA'd all new/changed functionality manually ## fleetd/orbit/Fleet Desktop - [x] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)) - [x] Verified that fleetd runs on macOS, Linux and Windows - [x] Verified auto-update works from the released version of component to the new version (see [tools/tuf/test](../tools/tuf/test/README.md)) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * Bug Fixes * Eliminated duplicate osqueryd and Fleet Desktop binaries in Linux and macOS packages, preventing duplicate entries in .deb/.pkg and ensuring cleaner installs. * Chores * Added packaging cleanup to remove leftover tar.gz artifacts, reducing package size and avoiding accidental inclusion in builds. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-09-09 22:13:30 +00:00			`// If tar.gz doesn't exist but a hash file does, use the cached hash file`
			`if os.IsNotExist(err) && strings.HasSuffix(localPath, ".tar.gz") {`
			`cachedHash, err := readCachedHash(localPath, meta)`
			`if err == nil {`
			`return metaHash, cachedHash, nil`
			`}`
			`log.Info().Err(err).Msg("failed to read cached hash file")`
			`}`
Fix update checks for orbit at startup (#3835) * Fix update checks for orbit at startup * Add tests * Add scripts for testing local TUF server * Remove -x used for debugging 2022-02-23 17:58:07 +00:00			`return nil, nil, fmt.Errorf("open file for hash: %w", err)`
Add PoC autoupdate functionality This demonstrates the ability to download the verified "stable" version of osquery and execute it with the given flags. 2021-01-13 03:00:16 +00:00			`}`
Fix update checks for orbit at startup (#3835) * Fix update checks for orbit at startup * Add tests * Add scripts for testing local TUF server * Remove -x used for debugging 2022-02-23 17:58:07 +00:00			`defer f.Close()`
Add PoC autoupdate functionality This demonstrates the ability to download the verified "stable" version of osquery and execute it with the given flags. 2021-01-13 03:00:16 +00:00
Fix update checks for orbit at startup (#3835) * Fix update checks for orbit at startup * Add tests * Add scripts for testing local TUF server * Remove -x used for debugging 2022-02-23 17:58:07 +00:00			`if _, err := io.Copy(hashFn, f); err != nil {`
			`return nil, nil, fmt.Errorf("read file for hash: %w", err)`
Add PoC autoupdate functionality This demonstrates the ability to download the verified "stable" version of osquery and execute it with the given flags. 2021-01-13 03:00:16 +00:00			`}`
Fix update checks for orbit at startup (#3835) * Fix update checks for orbit at startup * Add tests * Add scripts for testing local TUF server * Remove -x used for debugging 2022-02-23 17:58:07 +00:00			`return metaHash, hashFn.Sum(nil), nil`
Add PoC autoupdate functionality This demonstrates the ability to download the verified "stable" version of osquery and execute it with the given flags. 2021-01-13 03:00:16 +00:00			`}`

			`// selectHashFunction returns the first matching hash function and expected`
Fix handling of enroll secret env vars in Orbit (#3458) 2021-12-22 23:57:09 +00:00			`// hash, otherwise returning an error if no matching hash can be found.`
Cleanup and rename version to channel 2021-02-20 19:24:44 +00:00			`//`
			`// SHA512 is preferred, and SHA256 is returned if 512 is not available.`
Add PoC autoupdate functionality This demonstrates the ability to download the verified "stable" version of osquery and execute it with the given flags. 2021-01-13 03:00:16 +00:00			`func selectHashFunction(meta *data.TargetFileMeta) (hash.Hash, []byte, error) {`
			`for hashName, hashVal := range meta.Hashes {`
Cleanup and rename version to channel 2021-02-20 19:24:44 +00:00			`if hashName == "sha512" {`
Add PoC autoupdate functionality This demonstrates the ability to download the verified "stable" version of osquery and execute it with the given flags. 2021-01-13 03:00:16 +00:00			`return sha512.New(), hashVal, nil`
Cleanup and rename version to channel 2021-02-20 19:24:44 +00:00			`}`
			`}`

			`for hashName, hashVal := range meta.Hashes {`
			`if hashName == "sha256" {`
Add PoC autoupdate functionality This demonstrates the ability to download the verified "stable" version of osquery and execute it with the given flags. 2021-01-13 03:00:16 +00:00			`return sha256.New(), hashVal, nil`
			`}`
			`}`

Use new error handling approach in other packages (#2954) 2021-11-22 14:13:26 +00:00			`return nil, nil, fmt.Errorf("no matching hash function found: %v", meta.HashAlgorithms())`
Add PoC autoupdate functionality This demonstrates the ability to download the verified "stable" version of osquery and execute it with the given flags. 2021-01-13 03:00:16 +00:00			`}`
When building Linux and macOS fleetd packages, removed duplicate copies of osqueryd and fleet-desktop (#32697) Fixes #32280 - Removed osqueryd.tar.gz from macOS package and desktop.tar.gz from macOS and Linux packages and replaced them with .sha512 hash caches. # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] QA'd all new/changed functionality manually ## fleetd/orbit/Fleet Desktop - [x] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)) - [x] Verified that fleetd runs on macOS, Linux and Windows - [x] Verified auto-update works from the released version of component to the new version (see [tools/tuf/test](../tools/tuf/test/README.md)) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * Bug Fixes * Eliminated duplicate osqueryd and Fleet Desktop binaries in Linux and macOS packages, preventing duplicate entries in .deb/.pkg and ensuring cleaner installs. * Chores * Added packaging cleanup to remove leftover tar.gz artifacts, reducing package size and avoiding accidental inclusion in builds. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-09-09 22:13:30 +00:00
			`// readCachedHash reads a cached hash from a .sha512 file`
			`// created during packaging when the tar.gz was removed to save space.`
			`func readCachedHash(tarGzPath string, meta *data.TargetFileMeta) ([]byte, error) {`
			`// Check if TUF metadata has SHA512 (currently the only hash file used)`
			`for hashName := range meta.Hashes {`
			`if hashName == "sha512" {`
			`hashPath := tarGzPath + ".sha512"`
			`var hashHex []byte`
			`var err error`
			`if hashHex, err = os.ReadFile(hashPath); err != nil {`
			`return nil, err`
			`}`
			`return hex.DecodeString(strings.TrimSpace(string(hashHex)))`
			`}`
			`}`

			`return nil, fmt.Errorf("no cached hash file found for %s", tarGzPath)`
			`}`