light checksum for joomlaupdate

[alikon]

...from #17619 (comment)
add light checksum for joomla update

Summary of Changes

trigger the checksum check on update
if the update server manifest have an hash tag

Testing Instructions

• start with latest staging (for time of writing) version 3.8.0-beta5
• apply pr checksum extensions light #17619
• in order to simulate a joomlaupdate
• • run php bump version 3.8.0-beta4 (i.e one version before)
• set Update channel to custom URL for example (http://localhost/test/list_testpr17632.xml)
• create that file with something like this content

<extensionset name="Joomla Core Test Updateserver" description="The Joomla Core Update Server for Tests of Alpha, Beta and RC Releases">
 <extension name="Joomla" element="joomla" type="file" version="3.8.0-beta4" targetplatformversion="3.8" detailsurl="http://localhost/test/extension_testpr17632.xml" />
</extensionset>

• create http://localhost/test/extension_testpr17632.xml with something like this content

<?xml version="1.0" ?>
<updates>
	<update>
		<name>Joomla! 3.8</name>
		<description>Joomla! 3.8 CMS</description>
		<element>joomla</element>
		<type>file</type>
		<version>3.8.0-beta4</version>
		<infourl title="Joomla!">https://www.joomla.org</infourl>
		<downloads>
			<downloadurl type="full" format="zip">http://localhost/test/Joomla_pr17632-Update_Package.zip</downloadurl>
		</downloads>
		<tags>
			<tag>stable</tag>
		</tags>
		<maintainer>Joomla! PLT</maintainer>
		<maintainerurl>https://www.joomla.org</maintainerurl>
		<targetplatform name="joomla" version="3.[3456789]"/>
		<php_minimum>5.3.10</php_minimum>
	</update>
</updates>

• download the last joomla update package for example https://github.com/joomla/joomla-cms/releases/download/3.8.0-beta4/Joomla_3.8.0-beta4-Beta-Update_Package.zip

• copy & rename accordingly on the previous downloadurl tag (for example Joomla_pr17632-Update_Package.zip

• Go to Components -> Joomla! Updates
  you shoud see something like
  

Test case 1 - no checksum hashtag in the update server manifest

Expected result

a notice is showed

to test the next 2 cases we need to :

• calculate the hash value (for example sha256)
• -(on linux) run sha256sum Joomla_pr17632-Update_Package.zip
  

Test case 2 - correct checksum hashtag in the update server manifest

• add a <sha256>correcthashvalue</sha256> tag in the current update server instance something like:

Expected result

a info is showed

Test case 3 - wrong checksum hashtag in the update server manifest

• add a <sha256>wronghashvalue</sha256> tag in the current update server instance

Expected result

a warning is showed

Documentation Changes Required

new tags :

• <sha256></sha256>
• <sha384></sha384>
• <sha512></sha512>

[zero-24]

@mbabker can we have your final words on the algos as SHA1 and MD5 are very well known to be weak. Expecial as the core should provide a more secure algo.

[mbabker]

Personally I'd rather not support SHA1 and MD5 since they are weak. If SHA256 doesn't have the same weaknesses then that'd be fine.

[alikon]

ok now #17619 support only sha256

[alikon]

should we consider to add sha512 "longer is better" ?

[zero-24]

should we consider to add sha512 "longer is better" ?

Sounds good. ;)

[anibalsanchez]

@alikon detailed the steps to create list.xml and extension_sts.xml.... so I guess he was thinking to enter the Url on the "Custom URL" field.

In "Joomla Update", you have "Options", where you can play with "Update Channel"
For testing, you can change it to a "Custom URL".

[alikon]

@anibalsanchez , @NunoLopes96
added more clear test info ;)

[ghost]

@anibalsanchez , @NunoLopes96 are Test Info @alikon suggested unclear?

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/17632.}

[anibalsanchez]

It is OK for me.

[ghost]

@anibalsanchez can i alter above Comment as successfully Test?

[anibalsanchez]

I have tested this item ✅ successfully on f61f6ab

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/17632.}

[anibalsanchez]

Test OK

My notes:

• Apply PR checksum extensions light #17619 AND PR light checksum for joomlaupdate #17632
• I tested updating from 3.8.0 to 3.8.1
• After every test, Joomla is updated... so the patches have to be re-applied for the next test

These are my xmls:

list_testpr17632.xml

<extensionset name="Joomla Core Test Updateserver" description="The Joomla Core Update Server for Tests of Alpha, Beta and RC Releases">
 <extension name="Joomla" element="joomla" type="file" version="3.8.1" targetplatformversion="3.8" detailsurl="http://local-server.extly.com/j38/extension_testpr17632.xml" />
</extensionset>

extension_testpr17632.xml

<?xml version="1.0" ?>
<updates>
	<update>
		<name>Joomla! 3.8</name>
		<description>Joomla! 3.8 CMS</description>
		<element>joomla</element>
		<type>file</type>
		<version>3.8.1</version>
		<infourl title="Joomla!">https://www.joomla.org</infourl>
		<downloads>
			<downloadurl type="full" format="zip">http://local-server.extly.com/j38/Joomla_pr17632-Update_Package.zip</downloadurl>
		</downloads>
		<tags>
			<tag>stable</tag>
		</tags>
		<sha256>e8339bed3cbba5eebb7d355e026d29594ec164420beebe97839b0019b630ed96</sha256>
		<maintainer>Joomla! PLT</maintainer>
		<maintainerurl>https://www.joomla.org</maintainerurl>
		<targetplatform name="joomla" version="3.[3456789]"/>
		<php_minimum>5.3.10</php_minimum>
	</update>
</updates>

[NunoLopesPT]

I have tested this item ✅ successfully on f61f6ab

Great Work !!

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/17632.}

[alikon]

@NunoLopes96 just a follow up from your work at Joomla GSoC 17 project https://github.com/joomla-projects/gsoc17_expand_extension_manager

[ghost]

RTC after two successful tests.

[Quy]

@brianteeman Please retag for v3.9.0. Darn bot!

[alikon]

conflict solved