[#30076] - [4.0] abort update if checksum fails
- Fixed in Code Base
- 4 Aug 2020
- Medium
- Build: 4.0-dev
- # 30076
- Diff
- alikon:patch-122
User tests: Successful: Unsuccessful:
Pull Request for Issue #29695
Summary of Changes
abort if checksum fails
Testing Instructions
testing the Joomla Update
- apply this pr
- Joomla Update -> options
- change to Custom URL
- use a custom manifest url like
http://localhost/4beta/next_major_list4.xml - create your custom manifest something like
<extensionset name="Joomla! Core Nightly Builds" description="Joomla! Core Next Major Nightly Builds">
<extension name="Joomla" element="joomla" type="file" version="4.0.0-beta3-dev" targetplatformversion="3.10" detailsurl="https://update.joomla.org/core/nightlies/next_major_extension.xml" />
<extension name="Joomla" element="joomla" type="file" version="4.0.0-beta3-dev" targetplatformversion="4.0" detailsurl="http://localhost/4beta/next_major_extension4.xml" />
</extensionset>- create your update server manifest
next_major_extension4.xmlaccordingly - and put in the
<sha384>tag with a fake value after the</downloads> - change the
<downloadurl>to point to the prebuild pkg of this prJoomla_4.0.0-beta3-dev+pr.30076-Development-Update_Package.zipsomething like
<?xml version="1.0" ?>
<updates>
<update>
<name>Joomla! 4.0.0 Nightly Build</name>
<description>Joomla! CMS</description>
<element>joomla</element>
<type>file</type>
<version>4.0.0-beta3-dev</version>
<infourl title="Joomla! Nightly Builds">https://developer.joomla.org/nightly-builds.html</infourl>
<downloads>
<downloadurl type="full" format="zip">https://developer.joomla.org/nightlies/Joomla_4.0.0-beta3-dev-Development-Update_Package.zip</downloadurl>
</downloads>
<tags>
<tag>stable</tag>
</tags>
<supported_databases mysql="5.6" mariadb="10.1" postgresql="11.0" />
<php_minimum>7.2.5</php_minimum>
<maintainer>Joomla! Production Department</maintainer>
<maintainerurl>https://www.joomla.org</maintainerurl>
<targetplatform name="joomla" version="3.10" />
</update>
<update>
<name>Joomla! 4.0.0 Nightly Build</name>
<description>Joomla! CMS</description>
<element>joomla</element>
<type>file</type>
<version>4.0.0-beta4-dev</version>
<infourl title="Joomla! Nightly Builds">https://developer.joomla.org/nightly-builds.html</infourl>
<downloads>
<downloadurl type="full" format="zip">http://localhost/4beta/Joomla_4.0.0-beta3-dev+pr.30076-Development-Update_Package.zip</downloadurl>
</downloads>
<sha384>568b142e1e0571d4539ddc135f89ffddd051d67992efb58a1b73e0924aef87e96a9036920d23f4f93da157103782e444</sha384>
<tags>
<tag>stable</tag>
</tags>
<supported_databases mysql="5.6" mariadb="10.1" postgresql="11.0" />
<php_minimum>7.2.5</php_minimum>
<maintainer>Joomla! Production Department</maintainer>
<maintainerurl>https://www.joomla.org</maintainerurl>
<targetplatform name="joomla" version="4.0" />
</update>
</updates>- edit the version and downgrade from beta3-dev to beta2-dev https://github.com/joomla/joomla-cms/blob/4.0-dev/libraries/src/Version.php#L64
- go to Joomla Update you'll see that a new version is available for update something like
- install the update
testing the extension Update
- download the com_patchtester from https://github.com/joomla-extensions/patchtester/releases/tag/4.0.0-rc2
- hack the patchtester.xml and change the
<updateservers>to point to an your custom url something like
<updateservers>
<server type="extension" name="Patch Tester Component">http://localhost/4beta/UpdateManifestTest.xml</server>
</updateservers>- modify the update server manifest as if there is a new patchtester version
- add a new update for a 4.0.0-rc3 version something like
<?xml version="1.0" encoding="utf-8"?>
<updates>
<update>
<name>Patch Tester Component</name>
<description>Joomla! CMS Patch Tester Component</description>
<element>com_patchtester</element>
<type>component</type>
<version>2.0.1</version>
<client>administrator</client>
<infourl title="Patch Tester Component">https://github.com/joomla-extensions/patchtester/releases/tag/2.0.1</infourl>
<downloads>
<downloadurl type="full" format="zip">https://github.com/joomla-extensions/patchtester/releases/download/2.0.1/com_patchtester.zip</downloadurl>
</downloads>
<sha384>f54a41cbfdc672fc1f0318adc179bf25412a1a1a89c1e2720c35c62740eb35b35f43421b72085270d0b17f3c4729aa64</sha384>
<tags>
<tag>stable</tag>
</tags>
<targetplatform name="joomla" version="3.([56789]|10)" />
</update>
<update>
<name>Patch Tester Component</name>
<description>Joomla! CMS Patch Tester Component</description>
<element>com_patchtester</element>
<type>component</type>
<version>3.0.0-rc</version>
<client>administrator</client>
<infourl title="Patch Tester Component">https://github.com/joomla-extensions/patchtester/releases/tag/3.0.0.rc</infourl>
<downloads>
<downloadurl type="full" format="zip">https://github.com/joomla-extensions/patchtester/releases/download/3.0.0.rc/com_patchtester.zip</downloadurl>
</downloads>
<sha384>adb3d5521c136266eb110c42d466578bd4c8e16c4ef1d989aeeb4e383bdaee20a68297e069a0e9273ba918850bdd59a0</sha384>
<tags>
<tag>rc</tag>
</tags>
<targetplatform name="joomla" version="3.([789]|10)" />
</update>
<update>
<name>Patch Tester Component</name>
<description>Joomla! CMS Patch Tester Component</description>
<element>com_patchtester</element>
<type>component</type>
<version>4.0.0-rc2</version>
<client>administrator</client>
<infourl title="Patch Tester Component">https://github.com/joomla-extensions/patchtester/releases/tag/4.0.0-rc2</infourl>
<downloads>
<downloadurl type="full" format="zip">https://github.com/joomla-extensions/patchtester/releases/download/4.0.0-rc2/com_patchtester.zip</downloadurl>
</downloads>
<sha384>568b142e1e0571d4539ddc135f89ffddd051d67992efb58a1b73e0924aef87e96a9036920d23f4f93da157103782e333</sha384>
<tags>
<tag>rc2</tag>
</tags>
<targetplatform name="joomla" version="4.[0123]" />
</update>
<update>
<name>Patch Tester Component</name>
<description>Joomla! CMS Patch Tester Component</description>
<element>com_patchtester</element>
<type>component</type>
<version>4.0.0-rc3</version>
<client>administrator</client>
<infourl title="Patch Tester Component">https://github.com/joomla-extensions/patchtester/releases/tag/4.0.0-rc2</infourl>
<downloads>
<downloadurl type="full" format="zip">https://github.com/joomla-extensions/patchtester/releases/download/4.0.0-rc2/com_patchtester.zip</downloadurl>
</downloads>
<sha384>568b142e1e0571d4539ddc135f89ffddd051d67992efb58a1b73e0924aef87e96a9036920d23f4f93da157103782e444</sha384>
<tags>
<tag>rc3</tag>
</tags>
<targetplatform name="joomla" version="4.[0123]" />
</update>
</updates>- as you may notice i've added a fake
<sha384>tag value - go to System Extension Update
- you' ll notice that there is an update for com_patchtester
- select and update
Actual result BEFORE applying this Pull Request
only a warning if the <sha384> is present and wrong
Expected result AFTER applying this Pull Request
the update will abort if checksum fails if the <sha384> is present and wrong
for Joomla
for extensions
Documentation Changes Required
IDK some page already report this https://docs.joomla.org/Deploying_an_Update_Server
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Administration com_installer com_joomlaupdate Language & Strings |
| Labels |
Added:
?
?
|
||
added Testing Instructions
@alikon Testing instructions for Joomla Update and for Extensions Installer each are missing the step to check that it works when using a correct sha384 cheksum.
On Linux you can get the checksum e.g. with sha384sum ../test-2/Joomla_4.0.0-beta3-dev+pr.30076-Development-Update_Package.zip for the update package of this PR. The result is 090aa852bf11be487ef6d1b05f78b193c23837e231829fffc743eeec8f97b1deaeab615c9b41b3187bc6b3e62cc26f29.
For the PatchTester 4.0.0-rc3 installation zip package it is 568b142e1e0571d4539ddc135f89ffddd051d67992efb58a1b73e0924aef87e96a9036920d23f4f93da157103782e333.
Could you extend your testing instructions by that step for each Joomla Update and for Extensions Installer? I think that step should be done after having tested with wrong, fake checksum.
Test 1.1: Joomla Update with wrong checksum
=> OK.
Test 1.2: Joomla Update with correct checksum
The update processes and then succeeds as usual, i.e. without any additional alert or info or message about successful checksum verification. => OK for me.
Test 2.1: Extension update with wrong checksum
=> OK.
Test 2.2: Extension update with correct checksum
As you can see, the 2 blue alerts are not really consistent:
- One is an info, and one is a notice.
- The notice about checksum uses a complete sentence, the info about successful update uses brief words, a complete sentence would be "Updating the component was successful.". I.e. there is a little inconsistency with usage of "The".
- The notice about checksum uses present tense, "is", the info about successful update uses past tense, i.e. "was".
All that looks really inconsistent.
I suggest to not show the notice at all, as suggested above by @brianteeman and @zero-24 , or to change it to "Checksum verification was successful." to be consistent with the info.
And maybe you should also make the notice be an info or make the info be a notice, too, so both are of the same type?
-
I installed version 2.0.1 form here https://github.com/astridx/pkg_agosms/releases
i started the update:
sha384 wrong:
sha384 fine
-
Joomla Update
I changed to Custom URL but i am not sure where I have to create the custom manifest.
Offtopic: I wonder why my screens differ from @richard67 's?
Offtopic: I wonder why my screens differ from @richard67 's?
@astridx It seems your 4.0 is a bit outdated or something went wrong when updating it because the popup alerts have been changed as far as I remember a while ago to inline alerts.
@brianteeman might remember better or more detailed than I do.
the popup alerts have been changed as far as I remember a while ago to inline alerts.
Her screenshots show inline alerts afaik but the css are wrong (Background and border colors)
maybe probably due to the prebuilt package i guess
@alikon Hmm, drone PHPCS is still not happy: https://ci.joomla.org/joomla/joomla-cms/34225/1/9
Now PHPCS is ok.
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/30076.
I read the description for the Joomla update again and understood it :)
I had to change the checksum.
This my file:
<?xml version="1.0" ?>
<updates>
<update>
<name>Joomla! 4.0.0 Nightly Build</name>
<description>Joomla! CMS</description>
<element>joomla</element>
<type>file</type>
<version>4.0.0-beta3-dev</version>
<infourl title="Joomla! Nightly Builds">https://developer.joomla.org/nightly-builds.html</infourl>
<downloads>
<downloadurl type="full" format="zip">https://developer.joomla.org/nightlies/Joomla_4.0.0-beta3-dev-Development-Update_Package.zip</downloadurl>
</downloads>
<tags>
<tag>stable</tag>
</tags>
<supported_databases mysql="5.6" mariadb="10.1" postgresql="11.0" />
<php_minimum>7.2.5</php_minimum>
<maintainer>Joomla! Production Department</maintainer>
<maintainerurl>https://www.joomla.org</maintainerurl>
<targetplatform name="joomla" version="3.10" />
</update>
<update>
<name>Joomla! 4.0.0 Nightly Build</name>
<description>Joomla! CMS</description>
<element>joomla</element>
<type>file</type>
<version>4.0.0-beta4-dev</version>
<infourl title="Joomla! Nightly Builds">https://developer.joomla.org/nightly-builds.html</infourl>
<downloads>
<downloadurl type="full" format="zip">https://developer.joomla.org/nightlies/Joomla_4.0.0-beta3-dev-Development-Full_Package.zip</downloadurl>
</downloads>
<sha384>ee3992e152d63780867a6f691923268a8ac353cebfc0e002fe3c32824a87c7e3de0949805bc03cfaeb080d67277d98ba</sha384>
<tags>
<tag>stable</tag>
</tags>
<supported_databases mysql="5.6" mariadb="10.1" postgresql="11.0" />
<php_minimum>7.2.5</php_minimum>
<maintainer>Joomla! Production Department</maintainer>
<maintainerurl>https://www.joomla.org</maintainerurl>
<targetplatform name="joomla" version="4.0" />
</update>
</updates>
Before I started an update attempt with an incorrect checksum.
--
I repeated the test with my Foo component.
--
Offtopic. I usually only update with npm ci. Now I have set everything up again and now the css is correct.
I have tested this item
See comment
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/30076.
| Status | Pending | ⇒ | Ready to Commit |
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/30076.
| Labels |
Added:
?
|
||
| Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-08-04 22:28:48 |
| Closed_By | ⇒ | wilsonge |
Thanks!
I would increase the loglevel on update fail
Log::add($message, Log::INFO, 'Update');the rest looks good to me