
Move to sha512 for download signing (and drop md5)

Antony Male 9 жил өмнө
parent
commit
78249cb689

+ 1 - 1
Rakefile

@@ -221,7 +221,7 @@ task :"create-checksums" => [:"build-checksum-util"] do
   files = Dir["#{DEPLOY_DIR}/*.{zip,exe}"]
 
   create_checksums(File.join(DEPLOY_DIR, 'sha1sum.txt.asc'), password, 'sha1', files)
-  create_checksums(File.join(DEPLOY_DIR, 'md5sum.txt.asc'), password, 'md5', files)
+  create_checksums(File.join(DEPLOY_DIR, 'sha512sum.txt.asc'), password, 'sha512', files)
 end
 
 desc 'Clean portable and installer, all architectures'

+ 16 - 0
server/version_check.php

@@ -79,6 +79,7 @@ $versions = [
          ],
       ],     
       'sha1sum_download_url' => 'https://github.com/canton7/SyncTrayzor/releases/download/v{version}/sha1sum.txt.asc',
+      'sha512sum_download_url' => 'https://github.com/canton7/SyncTrayzor/releases/download/v{version}/sha512sum.txt.asc',
       'release_page_url' => 'https://github.com/canton7/SyncTrayzor/releases/tag/v{version}',
       'release_notes' => "- Handle thousands of conflicts in the conflict editor without crashing (#224)\n- Handle crash when syncing many files (reappearance of #112) (#227)\n- Fix rendering of some strings\n- Add logging to file to portable upgrades, in case of error",
    ]
@@ -177,6 +178,21 @@ $response_formatters = [
          'release_notes' => isset($overrides['release_notes']) ? $overrides['release_notes'] : $to_version_info['release_notes'],
       ];
 
+      return $data;
+   },
+   // Learnt about sha512sum
+   '5' => function($arch, $variant, $to_version, $to_version_info, $overrides)
+   {
+      $variant_info = isset($overrides[$variant]) ? get_with_wildcard($overrides, $variant) : get_with_wildcard($to_version_info, $variant);
+
+      $data = [
+         'version' => $to_version,
+         'direct_download_url' => get_with_wildcard($variant_info['direct_download_url'], $arch),
+         'sha512sum_download_url' => $to_version_info['sha512sum_download_url'],
+         'release_page_url' => $to_version_info['release_page_url'],
+         'release_notes' => isset($overrides['release_notes']) ? $overrides['release_notes'] : $to_version_info['release_notes'],
+      ];
+
       return $data;
    },
 ];
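Review bot: The new '5' formatter reads `$to_version_info['sha512sum_download_url']` with no guard, but within this diff only the single version entry in the first hunk gains that key; if an older entry in `$versions` is ever served to a format-5 client the index is undefined, PHP emits a notice, and the client receives a null URL. Either add the key to every entry a format-5 client can be pointed at, or fall back explicitly: `'sha512sum_download_url' => isset($to_version_info['sha512sum_download_url']) ? $to_version_info['sha512sum_download_url'] : null,`. The formatter is otherwise a copy of '4' with one key renamed; a shared helper parameterised on the checksum key name would keep the two from drifting. The `$response_formatters` array starts before this hunk.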

+ 1 - 1
src/SyncTrayzor/Pages/ThirdPartyComponentsViewModel.cs

@@ -112,7 +112,7 @@ namespace SyncTrayzor.Pages
                     Description = "BouncyCastle.Crypto is a cryptography API",
                     Homepage = "http://www.bouncycastle.org/csharp/",
                     License = "MIT",
-                    Notes = "Used to sign and verify sha1sum / md5sum files",
+                    Notes = "Used to sign and verify sha1sum / sha512 files",
                     LicenseText = this.LoadLicense("BouncyCastle.txt")
                 },
                 new ThirdPartyComponent()
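Review bot: The rewritten notes string says `sha1sum / sha512 files` while every other identifier in this commit spells the file name `sha512sum`; `Notes = "Used to sign and verify sha1sum / sha512sum files",` keeps it consistent with the files that are actually produced and verified. The Rakefile still signs a sha1sum file and the client now verifies only the sha512sum one, so "sign and verify" with both names is accurate as worded.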

+ 2 - 2
src/SyncTrayzor/Services/UpdateManagement/InstalledUpdateVariantHandler.cs

@@ -27,9 +27,9 @@ namespace SyncTrayzor.Services.UpdateManagement
 
         public async Task<bool> TryHandleUpdateAvailableAsync(VersionCheckResults checkResult)
         {
-            if (!String.IsNullOrWhiteSpace(checkResult.DownloadUrl) && !String.IsNullOrWhiteSpace(checkResult.Sha1sumDownloadUrl))
+            if (!String.IsNullOrWhiteSpace(checkResult.DownloadUrl) && !String.IsNullOrWhiteSpace(checkResult.Sha512sumDownloadUrl))
             {
-                this.installerPath = await this.updateDownloader.DownloadUpdateAsync(checkResult.DownloadUrl, checkResult.Sha1sumDownloadUrl, checkResult.NewVersion, updateDownloadFileName);
+                this.installerPath = await this.updateDownloader.DownloadUpdateAsync(checkResult.DownloadUrl, checkResult.Sha512sumDownloadUrl, checkResult.NewVersion, updateDownloadFileName);
                 this.CanAutoInstall = true;
 
                 // If we return false, the upgrade will be aborted
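Review bot: The guard at the top of TryHandleUpdateAvailableAsync now treats a response without `Sha512sumDownloadUrl` as "nothing to handle", which fails closed (no download is attempted without a signed checksum file) but does so silently, so a server still answering in the older format makes every update vanish with no trace. A why-comment on the condition, `// Fail closed: without a signed sha512sum file the download cannot be verified, so do not offer auto-install`, plus a debug log on the fall-through path would make that state diagnosable. The same guard appears in PortableUpdateVariantHandler.TryHandleUpdateAvailableAsync in the next file section; in both files the method body continues past the hunk.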

+ 6 - 6
src/SyncTrayzor/Services/UpdateManagement/InstallerCertificateVerifier.cs

@@ -8,8 +8,8 @@ namespace SyncTrayzor.Services.UpdateManagement
 {
     public interface IInstallerCertificateVerifier
     {
-        bool VerifySha1sum(string filePath, out Stream cleartext);
-        bool VerifyUpdate(string filePath, Stream sha1sumFile, string originalFileName);
+        bool VerifySha512sum(string filePath, out Stream cleartext);
+        bool VerifyUpdate(string filePath, Stream sha512sumFile, string originalFileName);
     }
 
     public class InstallerCertificateVerifier : IInstallerCertificateVerifier
@@ -31,7 +31,7 @@ namespace SyncTrayzor.Services.UpdateManagement
             return this.assemblyProvider.GetManifestResourceStream(certificateName);
         }
 
-        public bool VerifySha1sum(string filePath, out Stream cleartext)
+        public bool VerifySha512sum(string filePath, out Stream cleartext)
         {
             using (var file = this.filesystemProvider.OpenRead(filePath))
             using (var certificate = this.LoadCertificate())
@@ -40,14 +40,14 @@ namespace SyncTrayzor.Services.UpdateManagement
             }
         }
 
-        public bool VerifyUpdate(string filePath, Stream sha1sumFile, string originalFileName)
+        public bool VerifyUpdate(string filePath, Stream sha512sumFile, string originalFileName)
         {
-            using (var hashAlgorithm = new SHA1Managed())
+            using (var hashAlgorithm = new SHA512Managed())
             using (var file = this.filesystemProvider.OpenRead(filePath))
             {
                 try
                 {
-                    return ChecksumFileUtilities.ValidateChecksum(hashAlgorithm, sha1sumFile, originalFileName, file);
+                    return ChecksumFileUtilities.ValidateChecksum(hashAlgorithm, sha512sumFile, originalFileName, file);
                 }
                 catch (ArgumentException)
                 {
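Review bot: `new SHA512Managed()` in VerifyUpdate is the purely managed implementation; on .NET Framework the *Managed hash classes throw InvalidOperationException when the Windows FIPS-enforcement policy is on, and in .NET 6+ they are obsolete (SYSLIB0021), so on such hosts the update check would fail before any checksum is compared. `using (var hashAlgorithm = SHA512.Create())` selects the platform implementation and still hands a HashAlgorithm to ChecksumFileUtilities.ValidateChecksum. The catch block begins inside the hunk but the method ends outside it.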

+ 2 - 2
src/SyncTrayzor/Services/UpdateManagement/PortableUpdateVariantHandler.cs

@@ -47,9 +47,9 @@ namespace SyncTrayzor.Services.UpdateManagement
 
         public async Task<bool> TryHandleUpdateAvailableAsync(VersionCheckResults checkResult)
         {
-            if (!String.IsNullOrWhiteSpace(checkResult.DownloadUrl) && !String.IsNullOrWhiteSpace(checkResult.Sha1sumDownloadUrl))
+            if (!String.IsNullOrWhiteSpace(checkResult.DownloadUrl) && !String.IsNullOrWhiteSpace(checkResult.Sha512sumDownloadUrl))
             {
-                var zipPath = await this.updateDownloader.DownloadUpdateAsync(checkResult.DownloadUrl, checkResult.Sha1sumDownloadUrl, checkResult.NewVersion, updateDownloadFileName);
+                var zipPath = await this.updateDownloader.DownloadUpdateAsync(checkResult.DownloadUrl, checkResult.Sha512sumDownloadUrl, checkResult.NewVersion, updateDownloadFileName);
                 if (zipPath == null)
                     return false;
 

+ 5 - 5
src/SyncTrayzor/Services/UpdateManagement/UpdateChecker.cs

@@ -10,27 +10,27 @@ namespace SyncTrayzor.Services.UpdateManagement
     {
         public Version NewVersion { get; }
         public string DownloadUrl { get; }
-        public string Sha1sumDownloadUrl { get; }
+        public string Sha512sumDownloadUrl { get; }
         public string ReleaseNotes { get; }
         public string ReleasePageUrl { get; }
 
         public VersionCheckResults(
             Version newVersion,
             string downloadUrl,
-            string sha1sumDownloadUrl,
+            string sha512sumDownloadUrl,
             string releaseNotes,
             string releasePageUrl)
         {
             this.NewVersion = newVersion;
             this.DownloadUrl = downloadUrl;
-            this.Sha1sumDownloadUrl = sha1sumDownloadUrl;
+            this.Sha512sumDownloadUrl = sha512sumDownloadUrl;
             this.ReleaseNotes = releaseNotes;
             this.ReleasePageUrl = releasePageUrl;
         }
 
         public override string ToString()
         {
-            return $"<VersionCheckResults NewVersion={this.NewVersion} DownloadUrl={this.DownloadUrl} Sha1sumDownloadUrl={this.Sha1sumDownloadUrl} " +
+            return $"<VersionCheckResults NewVersion={this.NewVersion} DownloadUrl={this.DownloadUrl} Sha512sumDownloadUrl={this.Sha512sumDownloadUrl} " +
                 $"ReleaseNotes={this.ReleaseNotes} ReleasePageUrl={this.ReleasePageUrl}>";
         }
     }
@@ -100,7 +100,7 @@ namespace SyncTrayzor.Services.UpdateManagement
                     return null;
                 }
 
-                var results = new VersionCheckResults(updateData.Version, updateData.DirectDownloadUrl, update.Data.Sha1sumDownloadUrl, updateData.ReleaseNotes, updateData.ReleasePageUrl);
+                var results = new VersionCheckResults(updateData.Version, updateData.DirectDownloadUrl, update.Data.Sha512sumDownloadUrl, updateData.ReleaseNotes, updateData.ReleasePageUrl);
                 logger.Info("Found new version: {0}", results);
                 return results;
             }
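Review bot: VersionCheckResults now carries only `Sha512sumDownloadUrl`, so the value passed at the construction site, `update.Data.Sha512sumDownloadUrl`, is null unless the server answers in the new '5' response format; nothing in this commit shows the client's version-check request being updated to ask for that format, so if it still identifies as format 4 the variant handlers' guard will skip every update. Worth confirming the request-building code (outside this diff) sends the bumped format version, and logging when `Sha512sumDownloadUrl` is null here so a protocol mismatch is visible rather than silent. The same line mixes `update.Data` with `updateData`; if they refer to the same object, `updateData.Sha512sumDownloadUrl` reads more consistently.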

+ 12 - 12
src/SyncTrayzor/Services/UpdateManagement/UpdateDownloader.cs

@@ -11,7 +11,7 @@ namespace SyncTrayzor.Services.UpdateManagement
 {
     public interface IUpdateDownloader
     {
-        Task<string> DownloadUpdateAsync(string updateUrl, string sha1sumUrl, Version version, string downloadedFileNameTemplate);
+        Task<string> DownloadUpdateAsync(string updateUrl, string sha512sumUrl, Version version, string downloadedFileNameTemplate);
     }
 
     public class UpdateDownloader : IUpdateDownloader
@@ -19,7 +19,7 @@ namespace SyncTrayzor.Services.UpdateManagement
         private static readonly Logger logger = LogManager.GetCurrentClassLogger();
 
         private static readonly TimeSpan fileMaxAge = TimeSpan.FromDays(3); // Arbitrary, but long
-        private const string sham1sumDownloadFileName = "sha1sum-{0}.txt.asc";
+        private const string sha512sumDownloadFileName = "sha512sum-{0}.txt.asc";
 
         private readonly string downloadsDir;
         private readonly IFilesystemProvider filesystemProvider;
@@ -32,30 +32,30 @@ namespace SyncTrayzor.Services.UpdateManagement
             this.installerVerifier = installerVerifier;
         }
 
-        public async Task<string> DownloadUpdateAsync(string updateUrl, string sha1sumUrl, Version version, string downloadedFileNameTemplate)
+        public async Task<string> DownloadUpdateAsync(string updateUrl, string sha512sumUrl, Version version, string downloadedFileNameTemplate)
         {
-            var sha1sumDownloadPath = Path.Combine(this.downloadsDir, String.Format(sham1sumDownloadFileName, version.ToString(3)));
+            var sha512sumDownloadPath = Path.Combine(this.downloadsDir, String.Format(sha512sumDownloadFileName, version.ToString(3)));
             var updateDownloadPath = Path.Combine(this.downloadsDir, String.Format(downloadedFileNameTemplate, version.ToString(3)));
 
-            var sha1sumOutcome = await this.DownloadAndVerifyFileAsync<Stream>(sha1sumUrl, version, sha1sumDownloadPath, false, () =>
+            var sha512sumOutcome = await this.DownloadAndVerifyFileAsync<Stream>(sha512sumUrl, version, sha512sumDownloadPath, false, () =>
                 {
-                    Stream sha1sumContents;
-                    var passed = this.installerVerifier.VerifySha1sum(sha1sumDownloadPath, out sha1sumContents);
-                    return Tuple.Create(passed, sha1sumContents);
+                    Stream sha512sumContents;
+                    var passed = this.installerVerifier.VerifySha512sum(sha512sumDownloadPath, out sha512sumContents);
+                    return Tuple.Create(passed, sha512sumContents);
                 });
 
             // Might be null, but if it's not make sure we dispose it (it's actually a MemoryStream, but let's be proper)
             bool updateSucceeded = false;
-            using (var sha1sumContents = sha1sumOutcome.Item2)
+            using (var sha512sumContents = sha512sumOutcome.Item2)
             {
-                if (sha1sumOutcome.Item1)
+                if (sha512sumOutcome.Item1)
                 {
                     updateSucceeded = (await this.DownloadAndVerifyFileAsync<object>(updateUrl, version, updateDownloadPath, false, () =>
                     {
                         var updateUri = new Uri(updateUrl);
                         // Make sure this is rewound - we might read from it multiple times
-                        sha1sumOutcome.Item2.Position = 0;
-                        var updatePassed = this.installerVerifier.VerifyUpdate(updateDownloadPath, sha1sumOutcome.Item2, updateUri.Segments.Last());
+                        sha512sumOutcome.Item2.Position = 0;
+                        var updatePassed = this.installerVerifier.VerifyUpdate(updateDownloadPath, sha512sumOutcome.Item2, updateUri.Segments.Last());
                         return Tuple.Create(updatePassed, (object)null);
                     })).Item1;
                 }
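Review bot: The `using (var sha512sumContents = sha512sumOutcome.Item2)` declaration introduces a name the block never uses; the inner lambda still reaches the stream through `sha512sumOutcome.Item2` for the rewind and the VerifyUpdate call, so a reader has to work out that both are the same object. Using the scoped variable, `sha512sumContents.Position = 0;` and `var updatePassed = this.installerVerifier.VerifyUpdate(updateDownloadPath, sha512sumContents, updateUri.Segments.Last());`, ties the stream's lifetime to its use. The renamed cache file `sha512sum-{0}.txt.asc` presumably also keeps an older cached sha1sum file within `fileMaxAge` from being reused; a one-line comment on the constant saying so would help the next maintainer. DownloadUpdateAsync continues past the hunk.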

+ 3 - 3
src/SyncTrayzor/Services/UpdateManagement/UpdateNotificationResponse.cs

@@ -17,8 +17,8 @@ namespace SyncTrayzor.Services.UpdateManagement
         [JsonProperty("direct_download_url")]
         public string DirectDownloadUrl { get; set; }
 
-        [JsonProperty("sha1sum_download_url")]
-        public string Sha1sumDownloadUrl { get; set; }
+        [JsonProperty("sha512sum_download_url")]
+        public string Sha512sumDownloadUrl { get; set; }
 
         [JsonProperty("release_page_url")]
         public string ReleasePageUrl { get; set; }
@@ -28,7 +28,7 @@ namespace SyncTrayzor.Services.UpdateManagement
 
         public override string ToString()
         {
-            return $"<UpdateNotificationData version={this.Version.ToString(3)} direct_download_url={this.DirectDownloadUrl} sha1sum_download_url={this.Sha1sumDownloadUrl} " +
+            return $"<UpdateNotificationData version={this.Version.ToString(3)} direct_download_url={this.DirectDownloadUrl} sha512sum_download_url={this.Sha512sumDownloadUrl} " +
                 $"release_page_url={this.ReleasePageUrl} release_notes={this.ReleaseNotes}>";
         }
     }

+ 4 - 2
src/SyncTrayzor/Utils/PgpClearsignUtilities.cs

@@ -28,10 +28,12 @@ namespace SyncTrayzor.Utils
 
         public static void SignFile(Stream input, Stream outputStream, Stream keyIn, char[] pass)
         {
+            var hashAlgorithm = HashAlgorithmTag.Sha512;
+
             var secretKey = ReadSecretKey(keyIn);
             var privateKey = secretKey.ExtractPrivateKey(pass);
 
-            var signatureGenerator = new PgpSignatureGenerator(secretKey.PublicKey.Algorithm, HashAlgorithmTag.Sha1);
+            var signatureGenerator = new PgpSignatureGenerator(secretKey.PublicKey.Algorithm, hashAlgorithm);
             var subpacketGenerator = new PgpSignatureSubpacketGenerator();
 
             signatureGenerator.InitSign(PgpSignature.CanonicalTextDocument, privateKey);
@@ -48,7 +50,7 @@ namespace SyncTrayzor.Utils
             var armouredOutputStream = new ArmoredOutputStream(outputStream);
             using (var bcpgOutputStream = new BcpgOutputStream(armouredOutputStream))
             {
-                armouredOutputStream.BeginClearText(HashAlgorithmTag.Sha1);
+                armouredOutputStream.BeginClearText(hashAlgorithm);
 
                 int chr;
                 while ((chr = input.ReadByte()) > 0)
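Review bot: `hashAlgorithm` is a local of SignFile, so the requirement that the signature digest and the `BeginClearText` header use the same algorithm is visible only inside this method; promoting it to `private const HashAlgorithmTag SignatureHashAlgorithm = HashAlgorithmTag.Sha512;` with a comment stating that the armor header and the signature must agree makes the contract available to whichever method verifies these files. On the verifying side (not in this diff) it is worth confirming that signatures made with SHA-1 are rejected; if the reader still accepts them, the stronger digest chosen here adds nothing until the weaker one is refused. SignFile begins in the first hunk and continues past the second.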