You are here

protected function Verifier::verifyTrustedChecksumList in Automatic Updates 7

Same name and namespace in other branches
  1. 8 vendor/drupal/php-signify/src/Verifier.php \Drupal\Signify\Verifier::verifyTrustedChecksumList()
2 calls to Verifier::verifyTrustedChecksumList()
Verifier::verifyChecksumList in vendor/drupal/php-signify/src/Verifier.php
Verify a signed checksum list, and then verify the checksum for each file in the list.
Verifier::verifyCsigChecksumList in vendor/drupal/php-signify/src/Verifier.php
Verify a signed checksum list, and then verify the checksum for each file in the list.

File

vendor/drupal/php-signify/src/Verifier.php, line 172

Class

Verifier

Namespace

Drupal\Signify

Code

protected function verifyTrustedChecksumList($checksum_list_raw, $working_directory) {
  $checksum_list = new ChecksumList($checksum_list_raw, true);
  $failed_checksum_list = new FailedCheckumFilter($checksum_list, $working_directory);
  foreach ($failed_checksum_list as $file_checksum) {

    // Don't just rely on a list of failed checksums, throw a more
    // specific exception.
    $actual_hash = @hash_file(strtolower($file_checksum->algorithm), $working_directory . DIRECTORY_SEPARATOR . $file_checksum->filename);

    // If file doesn't exist or isn't readable, hash_file returns false.
    if ($actual_hash === false) {
      throw new VerifierException("File \"{$file_checksum->filename}\" in the checksum list could not be read.");
    }

    // Any hash less than 64 is not secure.
    if (empty($actual_hash) || strlen($actual_hash) < 64) {
      throw new VerifierException("Failure computing hash for file \"{$file_checksum->filename}\" in the checksum list.");
    }

    // This method is used because hash_equals was added in PHP 5.6.
    // And we don't need timing safe comparisons.
    if ($actual_hash !== $file_checksum->hex_hash) {
      throw new VerifierException("File \"{$file_checksum->filename}\" does not pass checksum verification.");
    }
  }
  return $checksum_list
    ->count();
}