sha1 tee

.goreleaser.yml

@@ -22,15 +22,15 @@ archive:
     linux: linux
     windows: win
 
-brew:
-  github:
-    owner: blacktop
-    name: homebrew-tap
-  folder: Formula
-  homepage: "https://github.com/blacktop/ipsw"
-  description: "Download and parse ipsw(s)"
-  test: |
-    system "#{bin}/ipsw --version"
+brews:
+  - github:
+      owner: blacktop
+      name: homebrew-tap
+    folder: Formula
+    homepage: "https://github.com/blacktop/ipsw"
+    description: "Download and parse ipsw(s)"
+    test: |
+      system "#{bin}/ipsw --version"
 
 checksum:
   name_template: "checksums.txt"

api/downloader.go

@@ -1,7 +1,10 @@
 package api
 
 import (
+	"bytes"
+	"crypto/sha1"
 	"crypto/tls"
+	"encoding/hex"
 	"fmt"
 	"io"
 	"net/http"
@@ -12,6 +15,7 @@ import (
 	"time"
 
 	"github.com/apex/log"
+	"github.com/blacktop/ipsw/utils"
 	"github.com/pkg/errors"
 	"github.com/vbauerster/mpb/v4"
 	"github.com/vbauerster/mpb/v4/decor"
@@ -31,7 +35,7 @@ func getProxy(proxy string) func(*http.Request) (*url.URL, error) {
 // DownloadFile will download a url to a local file. It's efficient because it will
 // write as it downloads and not load the whole file into memory. We pass an io.TeeReader
 // into Copy() to report progress on the download.
-func DownloadFile(url, proxy string, insecure bool) error {
+func DownloadFile(url, sha1Hash, proxy string, insecure bool) error {
 
 	client := &http.Client{
 		Transport: &http.Transport{
@@ -86,11 +90,25 @@ func DownloadFile(url, proxy string, insecure bool) error {
 	// create proxy reader
 	reader := bar.ProxyReader(resp.Body)
 
-	// and copy from reader, ignoring errors
-	io.Copy(dest, reader)
+	tee := io.TeeReader(reader, dest)
+
+	h := sha1.New()
+	if _, err := io.Copy(h, tee); err != nil {
+		return err
+	}
 
 	p.Wait()
 
+	utils.Indent(log.Info, 1)("verifying sha1sum...")
+	checksum, _ := hex.DecodeString(sha1Hash)
+
+	if !bytes.Equal(h.Sum(nil), checksum) {
+		log.Error("BAD CHECKSUM")
+		if err := os.Remove(destName); err != nil {
+			return errors.Wrap(err, "cannot remove downloaded file with checksum mismatch")
+		}
+	}
+
 	return nil
 }
 

cmd/ipsw/cmd/download.go

@@ -156,14 +156,14 @@ var downloadCmd = &cobra.Command{
 							"signed":  i.Signed,
 						}).Info("Getting IPSW")
 						// download file
-						err = api.DownloadFile(url, proxy, insecure)
+						err = api.DownloadFile(url, i.SHA1, proxy, insecure)
 						if err != nil {
 							return errors.Wrap(err, "failed to download file")
 						}
 						// verify download
-						if ok, _ := utils.Verify(i.SHA1, destName); !ok {
-							return fmt.Errorf("bad download: ipsw %s sha1 hash is incorrect", destName)
-						}
+						// if ok, _ := utils.Verify(i.SHA1, destName); !ok {
+						// 	return fmt.Errorf("bad download: ipsw %s sha1 hash is incorrect", destName)
+						// }
 					} else {
 						log.Warnf("ipsw already exists: %s", destName)
 					}
@@ -184,13 +184,13 @@ var downloadCmd = &cobra.Command{
 						"version": i.Version,
 						"signed":  i.Signed,
 					}).Info("Getting IPSW")
-					err = api.DownloadFile(i.URL, proxy, insecure)
+					err = api.DownloadFile(i.URL, i.SHA1, proxy, insecure)
 					if err != nil {
 						return errors.Wrap(err, "failed to download file")
 					}
-					if ok, _ := utils.Verify(i.SHA1, destName); !ok {
-						return fmt.Errorf("bad download: ipsw %s sha1 hash is incorrect", destName)
-					}
+					// if ok, _ := utils.Verify(i.SHA1, destName); !ok {
+					// 	return fmt.Errorf("bad download: ipsw %s sha1 hash is incorrect", destName)
+					// }
 				} else {
 					log.Warnf("ipsw already exists: %s", destName)
 				}

cmd/ipsw/cmd/download_latest.go

@@ -119,14 +119,14 @@ var latestCmd = &cobra.Command{
 						"version": build.ProductVersion,
 					}).Info("Getting IPSW")
 					// download file
-					err = api.DownloadFile(build.FirmwareURL, proxy, insecure)
+					err = api.DownloadFile(build.FirmwareURL, build.FirmwareSHA1, proxy, insecure)
 					if err != nil {
 						return errors.Wrap(err, "failed to download file")
 					}
 					// verify download
-					if ok, _ := utils.Verify(build.FirmwareSHA1, destName); !ok {
-						return fmt.Errorf("bad download: ipsw %s sha1 hash is incorrect", destName)
-					}
+					// if ok, _ := utils.Verify(build.FirmwareSHA1, destName); !ok {
+					// 	return fmt.Errorf("bad download: ipsw %s sha1 hash is incorrect", destName)
+					// }
 				} else {
 					log.Warnf("ipsw already exists: %s", destName)
 				}

cmd/ipsw/cmd/dyld_split.go

@@ -1,26 +1,5 @@
-// +build cgo darwin
-
-/*
-Copyright © 2019 blacktop
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
-*/
+// +build darwin,cgo
+
 package cmd
 
 import (