diff --git a/.github/workflows/check-shell-validation.yml b/.github/workflows/check-shell-validation.yml new file mode 100644 index 0000000..3f80b24 --- /dev/null +++ b/.github/workflows/check-shell-validation.yml @@ -0,0 +1,19 @@ +name: "[Check] Shell validation" + +on: + pull_request: + paths: + - "**.sh" + +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + +jobs: + shellcheck: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: shellcheck + run: ./scripts/shellcheck.sh diff --git a/.github/workflows/check_releases.yml b/.github/workflows/check_releases.yml index 6f79b7a..096bef8 100644 --- a/.github/workflows/check_releases.yml +++ b/.github/workflows/check_releases.yml @@ -14,6 +14,15 @@ jobs: - uses: actions/setup-python@v5 - run: python check_releases.py + releases-json-integrity-check: + name: releases.json integrity check + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v3 + - name: Check releases.json files changes + run: ./scripts/run-releases-json-for-all-devices.sh + releases-revision-checks: name: Check firmware releases revisions runs-on: ubuntu-latest diff --git a/firmware/1/releases.json b/firmware/1/releases.json index eac4267..f772af3 100644 --- a/firmware/1/releases.json +++ b/firmware/1/releases.json 
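Review bot: The new `check-shell-validation.yml` workflow declares no `permissions:` block, so the job's token gets whatever default the repository or organisation is configured with. The job only reads the tree, so a top-level `permissions:` with `contents: read` would pin it to least privilege. `actions/checkout@v4` is referenced by a mutable tag; pinning it to a full commit SHA with the tag in a trailing comment removes the dependency on that tag never being moved.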
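Review bot: The added `releases-json-integrity-check` job uses `actions/checkout@v3`, while the shell-validation workflow added in the same commit uses `actions/checkout@v4`. Using one version across both, `uses: actions/checkout@v4`, keeps the workflows consistent and leaves a single action version to track. The script this job runs calls `jq`, which is presumably taken from the runner image; a comment on the step saying so would help if the image changes. The `jobs:` mapping starts outside this hunk.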
@@ -444,122 +444,5 @@ "firmware_revision": "36b9d80120348700264bba518a533d4f82d79cbd", "changelog": "* Enable advanced transactions such as ones with REPLACE-BY-FEE and CHECKLOCKTIMEVERIFY\n* Fix message signing for altcoins\n* Message verification now shows address\n* Enable GPG signing support\n* Enable Ed25519 curve (for SSH and GPG)\n* Use separate deterministic hierarchy for NIST256P1 and Ed25519 curves\n* Users using SSH already need to regenerate their keys using the new firmware!!!", "notes": "https://blog.trezor.io/trezor-firmware-1-3-6-20a7df6e692" - }, - { - "required": false, - "version": [1, 3, 5], - "min_bridge_version": [1, 1, 2], - "min_firmware_version": [1, 0, 0], - "min_bootloader_version": [1, 0, 0], - "url": "data/firmware/1/trezor-1.3.5.bin", - "fingerprint": "7d5d2c7defb93081a7fb7a2d1e57677fbac2a3e3e50f22fa3ff83ec4ddaafd9d", - "firmware_revision": "7675a0aa5ff6e82f300c50df13a71ff0b81f9b44", - "changelog": "* Double size font for recovery words during the device setup\n* Optimizations for simultaneous access when more applications try communicate with the device", - "notes": "https://blog.trezor.io/trezor-firmware-1-3-5-allows-for-multisession-operation-cc4c25197855" - }, - { - "required": false, - "version": [1, 3, 4], - "min_bridge_version": [1, 1, 2], - "min_firmware_version": [1, 0, 0], - "min_bootloader_version": [1, 0, 0], - "url": "data/firmware/1/trezor-1.3.4.bin", - "fingerprint": "49e044eec84a9c210a09319d27a3ab8ba889ddeaa4d68f99d163f65267fce134", - "firmware_revision": "db93a50f76204418a2cf7d2c7e0391f486729bf3", - "changelog": "* Screensaver active on ClearSession message\n* Support for NIST P-256 curve\n* Updated SignIdentity to v2 format\n* Show seconds counter during PIN lockdown\n* Updated maxfee per kb for coins", - "notes": "https://blog.trezor.io/trezor-firmware-1-3-4-enables-ssh-login-86a622d7e609" - }, - { - "required": true, - "version": [1, 3, 3], - "min_bridge_version": [1, 1, 0], - "min_firmware_version": [1, 0, 0], - 
"min_bootloader_version": [1, 0, 0], - "url": "data/firmware/1/trezor-1.3.3.bin", - "fingerprint": "7fcee4c0459c22109f3fcfe0040148e9be6d30947f7fffb76c66cc500681257c", - "firmware_revision": "0cc270e6df3eca352eb8c72b602b7d5a0633b086", - "changelog": "* Ask for PIN on GetAddress and GetPublicKey\n* Signing speed improved", - "notes": "http://satoshilabs.com/old/news/2015-04-07-trezor-firmware-1-3-3-connect-api/" - }, - { - "required": false, - "version": [1, 3, 2], - "min_bridge_version": [1, 1, 0], - "min_firmware_version": [1, 0, 0], - "min_bootloader_version": [1, 0, 0], - "url": "data/firmware/1/trezor-1.3.2.bin", - "fingerprint": "180656fbf94e43e0092eaf22c30ab3451a547b4213119bd62763dc97b94ad0d0", - "firmware_revision": "9761dd23e0cd28d7a98ce331e1676f7466336b7d", - "changelog": "* Fix check during transaction streaming\n* Login feature via SignIdentity message\n* GetAddress for multisig shows M of N description\n* PIN checking in constant time", - "notes": "" - }, - { - "required": false, - "version": [1, 3, 1], - "min_bridge_version": [1, 1, 0], - "min_firmware_version": [1, 0, 0], - "min_bootloader_version": [1, 0, 0], - "url": "data/firmware/1/trezor-1.3.1.bin", - "fingerprint": "8030e257fc4c75a8f4a0325f8ea37428dd8fc68a5f9ec5f8e2d1a0de328860cc", - "firmware_revision": "f2f50aa1886429aaeab5aa88e8c6e106ac5224b1", - "changelog": "* Optimized signing speed\n* Enabled OP_RETURN\n* Added option to change home screen\n* Moved fee calculation before any signing\n* Made PIN delay increase immune against hardware hacking", - "notes": "http://satoshilabs.com/old/news/2015-02-18-trezor-firmware-1-3-1-smart-property-notary-service-customized-home-screen/" - }, - { - "required": false, - "version": [1, 3, 0], - "min_bridge_version": [1, 1, 0], - "min_firmware_version": [1, 0, 0], - "min_bootloader_version": [1, 0, 0], - "url": "data/firmware/1/trezor-1.3.0.bin", - "fingerprint": "1d417e1e99a4880f7e03b991cf318eebe7b6cb453d2f55b8112adc5fd1a8293c", - "firmware_revision": 
"b5eecb30be7712855cfa76fe671ef0b2e98e4aa9", - "changelog": "* Added multisig support\n* Added visual validation of receiving address\n* Added ECIES encryption capabilities", - "notes": "http://satoshilabs.com/old/news/2015-01-13-trezor-firmware-1-3-0-update-multisig/" - }, - { - "required": true, - "version": [1, 2, 1], - "min_bridge_version": [1, 1, 0], - "min_firmware_version": [1, 0, 0], - "min_bootloader_version": [1, 0, 0], - "url": "data/firmware/1/trezor-1.2.1.bin", - "fingerprint": "0f8685ee46632162b549eb22b99a1e4e013d6796ae536ea6acb877a491f564f6", - "firmware_revision": "524f2a957afb66e6a869384aceaca1cb7f9cba60", - "changelog": "* Added stack overflow protection\n* Added compatibility with Trezor Bridge", - "notes": "http://satoshilabs.com/old/news/2014-08-01-trezor-firmware-1-2-1-released/" - }, - { - "required": false, - "version": [1, 2, 0], - "min_bridge_version": [1, 1, 0], - "min_firmware_version": [1, 0, 0], - "min_bootloader_version": [1, 0, 0], - "url": "data/firmware/1/trezor-1.2.0.bin", - "fingerprint": "0eec6fd320730acfa40963f0f470a47109378663907cc78b9c5797c19938c873", - "firmware_revision": "df524b9f35fd5cdba14eaa2bf2d948e3dc75254a", - "changelog": "* Fix false positives for fee warning\n* Better UI for signing/verifying messages\n* Smaller firmware size" - }, - { - "required": false, - "version": [1, 1, 0], - "min_bridge_version": [1, 1, 0], - "min_firmware_version": [1, 0, 0], - "min_bootloader_version": [1, 0, 0], - "url": "data/firmware/1/trezor-1.1.0.bin", - "fingerprint": "a1709ead62659851933830f494cf9aa40047d1f098955aa93bd483b92df88c8e", - "firmware_revision": "272e10152ffc85c4f4114ed0762aeae45e97cd8e", - "changelog": "* Minor UI fixes\n* Better handling of unexpected messages\n* Added AES support" - }, - { - "required": true, - "version": [1, 0, 0], - "min_bridge_version": [1, 1, 0], - "min_firmware_version": [1, 0, 0], - "min_bootloader_version": [1, 0, 0], - "url": "data/firmware/1/trezor-1.0.0.bin", - "fingerprint": 
"79371ee2ed2db8489aa4a5bce6907c24afc6de47e9658fef4cc12e2d902d9c51", - "firmware_revision": "0d0a1ab5f2987a926c7a717b93a2a3e59bf3344b", - "changelog": "* Added support for streaming of transactions into the device\n* Removed all current limits on size of signed transaction" } ] diff --git a/firmware/t1b1/releases.json b/firmware/t1b1/releases.json index 7e43a27..5dac54a 100644 --- a/firmware/t1b1/releases.json +++ b/firmware/t1b1/releases.json 
@@ -445,122 +445,5 @@ "firmware_revision": "36b9d80120348700264bba518a533d4f82d79cbd", "changelog": "* Enable advanced transactions such as ones with REPLACE-BY-FEE and CHECKLOCKTIMEVERIFY\n* Fix message signing for altcoins\n* Message verification now shows address\n* Enable GPG signing support\n* Enable Ed25519 curve (for SSH and GPG)\n* Use separate deterministic hierarchy for NIST256P1 and Ed25519 curves\n* Users using SSH already need to regenerate their keys using the new firmware!!!", "notes": "https://blog.trezor.io/trezor-firmware-1-3-6-20a7df6e692" - }, - { - "required": false, - "version": [1, 3, 5], - "min_bridge_version": [1, 1, 2], - "min_firmware_version": [1, 0, 0], - "min_bootloader_version": [1, 0, 0], - "url": "data/firmware/t1b1/trezor-t1b1-1.3.5.bin", - "fingerprint": "7d5d2c7defb93081a7fb7a2d1e57677fbac2a3e3e50f22fa3ff83ec4ddaafd9d", - "firmware_revision": "7675a0aa5ff6e82f300c50df13a71ff0b81f9b44", - "changelog": "* Double size font for recovery words during the device setup\n* Optimizations for simultaneous access when more applications try communicate with the device", - "notes": "https://blog.trezor.io/trezor-firmware-1-3-5-allows-for-multisession-operation-cc4c25197855" - }, - { - "required": false, - "version": [1, 3, 4], - "min_bridge_version": [1, 1, 2], - "min_firmware_version": [1, 0, 0], - "min_bootloader_version": [1, 0, 0], - "url": "data/firmware/t1b1/trezor-t1b1-1.3.4.bin", - "fingerprint": "49e044eec84a9c210a09319d27a3ab8ba889ddeaa4d68f99d163f65267fce134", - "firmware_revision": "db93a50f76204418a2cf7d2c7e0391f486729bf3", - "changelog": "* Screensaver active on ClearSession message\n* Support for NIST P-256 curve\n* Updated SignIdentity to v2 format\n* Show seconds counter during PIN lockdown\n* Updated maxfee per kb for coins", - "notes": "https://blog.trezor.io/trezor-firmware-1-3-4-enables-ssh-login-86a622d7e609" - }, - { - "required": true, - "version": [1, 3, 3], - "min_bridge_version": [1, 1, 0], - "min_firmware_version": 
[1, 0, 0], - "min_bootloader_version": [1, 0, 0], - "url": "data/firmware/t1b1/trezor-t1b1-1.3.3.bin", - "fingerprint": "7fcee4c0459c22109f3fcfe0040148e9be6d30947f7fffb76c66cc500681257c", - "firmware_revision": "0cc270e6df3eca352eb8c72b602b7d5a0633b086", - "changelog": "* Ask for PIN on GetAddress and GetPublicKey\n* Signing speed improved", - "notes": "http://satoshilabs.com/old/news/2015-04-07-trezor-firmware-1-3-3-connect-api/" - }, - { - "required": false, - "version": [1, 3, 2], - "min_bridge_version": [1, 1, 0], - "min_firmware_version": [1, 0, 0], - "min_bootloader_version": [1, 0, 0], - "url": "data/firmware/t1b1/trezor-t1b1-1.3.2.bin", - "fingerprint": "180656fbf94e43e0092eaf22c30ab3451a547b4213119bd62763dc97b94ad0d0", - "firmware_revision": "9761dd23e0cd28d7a98ce331e1676f7466336b7d", - "changelog": "* Fix check during transaction streaming\n* Login feature via SignIdentity message\n* GetAddress for multisig shows M of N description\n* PIN checking in constant time", - "notes": "" - }, - { - "required": false, - "version": [1, 3, 1], - "min_bridge_version": [1, 1, 0], - "min_firmware_version": [1, 0, 0], - "min_bootloader_version": [1, 0, 0], - "url": "data/firmware/t1b1/trezor-t1b1-1.3.1.bin", - "fingerprint": "8030e257fc4c75a8f4a0325f8ea37428dd8fc68a5f9ec5f8e2d1a0de328860cc", - "firmware_revision": "f2f50aa1886429aaeab5aa88e8c6e106ac5224b1", - "changelog": "* Optimized signing speed\n* Enabled OP_RETURN\n* Added option to change home screen\n* Moved fee calculation before any signing\n* Made PIN delay increase immune against hardware hacking", - "notes": "http://satoshilabs.com/old/news/2015-02-18-trezor-firmware-1-3-1-smart-property-notary-service-customized-home-screen/" - }, - { - "required": false, - "version": [1, 3, 0], - "min_bridge_version": [1, 1, 0], - "min_firmware_version": [1, 0, 0], - "min_bootloader_version": [1, 0, 0], - "url": "data/firmware/t1b1/trezor-t1b1-1.3.0.bin", - "fingerprint": 
"1d417e1e99a4880f7e03b991cf318eebe7b6cb453d2f55b8112adc5fd1a8293c", - "firmware_revision": "b5eecb30be7712855cfa76fe671ef0b2e98e4aa9", - "changelog": "* Added multisig support\n* Added visual validation of receiving address\n* Added ECIES encryption capabilities", - "notes": "http://satoshilabs.com/old/news/2015-01-13-trezor-firmware-1-3-0-update-multisig/" - }, - { - "required": true, - "version": [1, 2, 1], - "min_bridge_version": [1, 1, 0], - "min_firmware_version": [1, 0, 0], - "min_bootloader_version": [1, 0, 0], - "url": "data/firmware/t1b1/trezor-t1b1-1.2.1.bin", - "fingerprint": "0f8685ee46632162b549eb22b99a1e4e013d6796ae536ea6acb877a491f564f6", - "firmware_revision": "524f2a957afb66e6a869384aceaca1cb7f9cba60", - "changelog": "* Added stack overflow protection\n* Added compatibility with Trezor Bridge", - "notes": "http://satoshilabs.com/old/news/2014-08-01-trezor-firmware-1-2-1-released/" - }, - { - "required": false, - "version": [1, 2, 0], - "min_bridge_version": [1, 1, 0], - "min_firmware_version": [1, 0, 0], - "min_bootloader_version": [1, 0, 0], - "url": "data/firmware/t1b1/trezor-t1b1-1.2.0.bin", - "fingerprint": "0eec6fd320730acfa40963f0f470a47109378663907cc78b9c5797c19938c873", - "firmware_revision": "df524b9f35fd5cdba14eaa2bf2d948e3dc75254a", - "changelog": "* Fix false positives for fee warning\n* Better UI for signing/verifying messages\n* Smaller firmware size" - }, - { - "required": false, - "version": [1, 1, 0], - "min_bridge_version": [1, 1, 0], - "min_firmware_version": [1, 0, 0], - "min_bootloader_version": [1, 0, 0], - "url": "data/firmware/t1b1/trezor-t1b1-1.1.0.bin", - "fingerprint": "a1709ead62659851933830f494cf9aa40047d1f098955aa93bd483b92df88c8e", - "firmware_revision": "272e10152ffc85c4f4114ed0762aeae45e97cd8e", - "changelog": "* Minor UI fixes\n* Better handling of unexpected messages\n* Added AES support" - }, - { - "required": true, - "version": [1, 0, 0], - "min_bridge_version": [1, 1, 0], - "min_firmware_version": [1, 0, 0], - 
"min_bootloader_version": [1, 0, 0], - "url": "data/firmware/t1b1/trezor-t1b1-1.0.0.bin", - "fingerprint": "79371ee2ed2db8489aa4a5bce6907c24afc6de47e9658fef4cc12e2d902d9c51", - "firmware_revision": "0d0a1ab5f2987a926c7a717b93a2a3e59bf3344b", - "changelog": "* Added support for streaming of transactions into the device\n* Removed all current limits on size of signed transaction" } ] diff --git a/scripts/check-firmware-presence-in-releases-json.sh b/scripts/check-firmware-presence-in-releases-json.sh new file mode 100755 index 0000000..aafada5 --- /dev/null +++ b/scripts/check-firmware-presence-in-releases-json.sh 
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+
+PARENT_PATH=$( cd "$(dirname "${BASH_SOURCE[0]}")" || exit ; pwd -P )
+
+RED='\033[0;31m'
+NC='\033[0m' # No Color
+
+if [[ $# -ne 1 ]]
+ then
+ echo "must provide 1 argument. $# provided"
+ exit 1
+fi
+
+DEVICE=$1
+
+extract_file_paths_from_json() {
+ local json_file="$1"
+
+ # Filter out 'null' from missing .url_bitcoinonly for older firmwares
+
+ jq -r '.[] | select(.url) | .url, .url_bitcoinonly' "$json_file" | xargs -n1 --no-run-if-empty | sort | uniq \
+ | grep -vF "null"
+}
+
+list_files_in_directory() {
+ local dir="$1"
+ find "$dir" -type f -name "*.bin" -exec basename {} \; | sort \
+ | grep -v "trezor-inter-" | grep -v "trezor-t1tb-inter-" # Filter out Intermediary firmwares
+}
+
+compare_files() {
+ local json_file="$1"
+ local directory="$2"
+
+ # TEST 1: All files in releases.json exist
+
+ files_in_releases_json=$(extract_file_paths_from_json "$json_file")
+
+ all_exist=true
+ for file in $files_in_releases_json; do
+ file_to_test="$directory/../../../$file"
+ if [ ! -e "$file_to_test" ]; then
+ echo -e "${RED}File does not exist: $file_to_test${NC}"
+ all_exist=false
+ fi
+ done
+
+ if ! $all_exist ; then
+ exit 1
+ fi
+
+ # TEST 2: All files in directory are in releases.json
+
+ actual_files=$(list_files_in_directory "$directory") # All files in the directory
+ full_path_actual_files=$(for i in $actual_files; do echo "data/firmware/${DEVICE}/${i}"; done) # Prefixed to match the expected format in releases.json
+ extra_files=$(comm -13 <(echo "$files_in_releases_json") <(echo "$full_path_actual_files"))
+
+ if [[ -n "$extra_files" ]]; then
+ echo -e "${RED}Extra files in directory:"
+ echo "$extra_files" | awk '{print " " $0}'
+ echo -e "${NC}"
+ exit 1
+ fi
+}
+
+json_file=$PARENT_PATH"/../firmware/"$DEVICE/"releases.json"
+directory=$PARENT_PATH"/../firmware/"$DEVICE
+
+echo "Checking directory: $directory"
+
+compare_files "$json_file" "$directory"
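Review bot: In `compare_files`, `file_to_test="$directory/../../../$file"` climbs three levels from `firmware/<DEVICE>`, which lands one directory above the repository root before the `data/firmware/...` URL is appended, so TEST 1 appears to pass only when the checkout directory itself is named `data`. Resolving against the repository root and stripping the URL prefix, for example `file_to_test="$PARENT_PATH/../${file#data/}"`, removes that dependency on how the repository was cloned. Separately, the intermediary filter in `list_files_in_directory` excludes `trezor-t1tb-inter-`, while the device directory and file names elsewhere in this commit are spelled `t1b1`. If that is a typo the filter never matches and those files would be reported as extra. The script also sets no `pipefail`, so a failing `jq` leaves the list empty and TEST 1 is skipped without an error.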
diff --git a/scripts/deploy-data.sh b/scripts/deploy-data.sh index ced114d..60d05c2 100755 --- a/scripts/deploy-data.sh +++ b/scripts/deploy-data.sh @@ -6,11 +6,9 @@ DIRS="bootloader bridge firmware legal registry udev suite connect security transparency misc" BUCKET=data.trezor.io -ROLLBACK=rollback-data.trezor.io DISTRIBUTION_ID="E1ERY5K2OTKKI1" -./check_releases.py -if [ "$?" != "0" ]; then +if ! ./check_releases.py; then echo "check_releases.py failed." exit fi @@ -21,10 +19,10 @@ set -e # aws s3 sync s3://$BUCKET s3://$ROLLBACK for DIR in $DIRS; do - if [ "x$1" == "x-d" ]; then - aws s3 sync --delete --cache-control 'public, max-age=3600' $DIR s3://$BUCKET/$DIR + if [ "$1" == "-d" ]; then + aws s3 sync --delete --cache-control 'public, max-age=3600' "$DIR" s3://$BUCKET/"$DIR" else - aws s3 sync --cache-control 'public, max-age=3600' $DIR s3://$BUCKET/$DIR + aws s3 sync --cache-control 'public, max-age=3600' "$DIR" s3://$BUCKET/"$DIR" fi done diff --git a/scripts/run-releases-json-for-all-devices.sh b/scripts/run-releases-json-for-all-devices.sh new file mode 100755 index 0000000..b3f3ed5 --- /dev/null +++ b/scripts/run-releases-json-for-all-devices.sh @@ -0,0 +1,13 @@ +#!/usr/bin/env bash + +DEVICE_PATHS=$(find firmware -maxdepth 1 -type d ! -name 'translations' ! -name 'README.md' ! -name 'firmware') + +for FILE in $DEVICE_PATHS; + do + DEVICE_MODEL=$(basename "$FILE") + if ! ./scripts/check-firmware-presence-in-releases-json.sh "$DEVICE_MODEL" ; then + exit 1 + fi; + + echo + done diff --git a/scripts/shellcheck.sh b/scripts/shellcheck.sh new file mode 100755 index 0000000..9254743 --- /dev/null +++ b/scripts/shellcheck.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash + +set -e +set -u +set -x +set -o pipefail + +shellcheck --version + +find . -type f -name '*.sh' -exec shellcheck {} +
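Review bot: The rewritten guard `if ! ./check_releases.py; then` in `deploy-data.sh` still ends in a bare `exit`, which returns the status of the preceding `echo` (0), so a caller or pipeline sees success when the release check failed. `exit 1` would make the aborted deploy visible. The `exit` line is unchanged context, but it sits in the branch this hunk rewrites. With `ROLLBACK` removed, the commented-out `# aws s3 sync s3://$BUCKET s3://$ROLLBACK` line in the following hunk refers to a variable that no longer exists and could be dropped or updated.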
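Review bot: In `run-releases-json-for-all-devices.sh`, `DEVICE_PATHS=$(find firmware -maxdepth 1 -type d ...)` is resolved against the current working directory, so run from anywhere but the repository root `find` fails, the list is empty, the loop is skipped and the script exits 0. The integrity check then passes without having checked anything. Anchoring to the script location with `cd "$(dirname "${BASH_SOURCE[0]}")/.." || exit 1` and failing on an empty list with `[ -n "$DEVICE_PATHS" ] || exit 1` closes that gap. `! -name 'README.md'` is redundant next to `-type d`.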