Make ghasum update -force update existing checksums that are incorrect

Update the implementation of the `ghasum update` command to update any existing sums that are incorrect IF the `-force` flag is used. Here, "existing sums" refers to entries in the sumfile for which the whole ID matches before and after the update. This supports updating such entries natively (i.e. without having to manually edit the sumfile), which may be necessary if the incident has been reviewed and deemed acceptable. The CLI help message as well as the specification text has been updated accordingly.
chains-project · Jul 31, 2024 · 4fb902a · 4fb902a
1 parent a3b2e42
commit 4fb902a
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 11 deletions.
diff --git a/SPECIFICATION.md b/SPECIFICATION.md
@@ -48,10 +48,11 @@ before and releases the lock. In short, updating will only add new and remove
 old checksums from an existing sumfile.
 
 With the `-force` flag the process will ignore errors in the sumfile and fix
-those while updating. If the sumfile version can still be determined from
-sumfile it will be used, otherwise the latest available version is used instead.
-This option is disabled by default to avoid unknowingly fixing syntax errors in
-a sumfile, which is an important fact to know about from a security perspective.
+those while updating. It will also update existing checksums that are incorrect.
+If the sumfile version can still be determined from sumfile it will be used,
+otherwise the latest available version is used instead. This option is disabled
+by default to avoid unknowingly fixing syntax or other errors in a sumfile,
+which is an important fact to know about from a security perspective.
 
 This process does not verify any of the checksums currently in the sumfile.
 

diff --git a/cmd/ghasum/update.go b/cmd/ghasum/update.go
@@ -92,8 +92,8 @@ The available flags are:
         looks up repositories it needs.
         Defaults to a directory named .ghasum in the user's home directory.
     -force
-        Force updating the gha.sum file, ignoring errors and fixing them in the
-        process.
+        Force updating the gha.sum file, ignoring syntax errors and fixing them
+        in the process. This also fixes any existing checksums that are wrong.
     -no-cache
         Disable the use of the cache. Makes the -cache flag ineffective.
     -no-evict

diff --git a/internal/ghasum/operations.go b/internal/ghasum/operations.go
@@ -145,11 +145,13 @@ func Update(cfg *Config, force bool) error {
 		return err
 	}
 
-	for i, entry := range checksums {
-		for _, oldEntry := range oldChecksums {
-			if slices.Equal(entry.ID, oldEntry.ID) {
-				checksums[i] = oldEntry
-				break
+	if !force {
+		for i, entry := range checksums {
+			for _, oldEntry := range oldChecksums {
+				if slices.Equal(entry.ID, oldEntry.ID) {
+					checksums[i] = oldEntry
+					break
+				}
 			}
 		}
 	}

diff --git a/testdata/update/force.txtar b/testdata/update/force.txtar
@@ -34,6 +34,12 @@ stdout 'Ok'
 ! stderr .
 cmp no-version/.github/workflows/gha.sum .want/gha.sum
 
+# Invalid existing sum
+exec ghasum update -cache .cache/ -force invalid-sum/
+stdout 'Ok'
+! stderr .
+cmp invalid-sum/.github/workflows/gha.sum .want/gha.sum
+
 -- duplicate/.github/workflows/gha.sum --
 version 1
 
@@ -118,6 +124,21 @@ actions/[email protected] GGAV+/JnlPt41B9iINyvcX5z6a4ue+NblmwiDNVORz0=
 name: Example workflow
 on: [push]
 
+jobs:
+  example:
+    name: example
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Checkout repository
+      uses: actions/[email protected]
+-- invalid-sum/.github/workflows/gha.sum --
+version 1
+
+actions/[email protected] GGAV+/JnlPt41B9iINyvcX5z6a4ue+NblmwiDNVORz0=
+-- invalid-sum/.github/workflows/workflow.yml --
+name: Example workflow
+on: [push]
+
 jobs:
   example:
     name: example