From 24313bd938fd9aa85dccc2235f4eab4e1086d185 Mon Sep 17 00:00:00 2001
From: Armin Samii
Date: Fri, 23 Feb 2024 13:16:15 -0500
Subject: [PATCH] include modules hash in golden hash, windows
---
 .github/actions/Sha-Of-Directory.ps1 | 31 ++++++++++++++++++++++++++++
 .github/actions/sha-of-zip.bat | 28 +++++++++++++++++--------
 .github/workflows/release.yml | 1 +
 3 files changed, 51 insertions(+), 9 deletions(-)
 create mode 100644 .github/actions/Sha-Of-Directory.ps1
diff --git a/.github/actions/Sha-Of-Directory.ps1 b/.github/actions/Sha-Of-Directory.ps1
new file mode 100644
index 000000000..8681e4bf5
--- /dev/null
+++ b/.github/actions/Sha-Of-Directory.ps1
@@ -0,0 +1,31 @@
+## Creates a SHA of all files in the directory but ignores their metadata
+## This is useful when you want to ignore all timestamps of a zip, for example:
+## You can extract the contents to a directory, then run this.
+## Usage: powershell Sha-Of-Directory.ps1
+
+$Directory=$args[0]
+$ShaA=$args[1]
+
+# First, create a hash algorithm object using SHA256.
+$Algorithm = [System.Security.Cryptography.HashAlgorithm]::Create("SHA" + $ShaA)
+
+# Next, create a cryptographic stream of data using the SHA256 hash algorithm.
+$CryptoStream = [System.Security.Cryptography.CryptoStream]::new(
+ ([System.IO.Stream]::Null),
+ $Algorithm,
+ "Write"
+)
+
+# Retrieve each file and copy the data into the cryptographic stream.
+echo $Directory
+foreach ($File in Get-ChildItem -Recurse -Path $Directory -File) {
+ # Write-Host $File
+ $FileStream = [io.file]::OpenRead($File.FullName)
+ $FileStream.CopyTo($CryptoStream)
+}
+
+# Close all files and close out the cryptographic stream.
+$CryptoStream.FlushFinalBlock()
+
+# Combine all of the hashes as hexadecimal formats "X2" and join the values.
+($Algorithm.Hash | ForEach-Object {$_.ToString("X2")}) -join ''
diff --git a/.github/actions/sha-of-zip.bat b/.github/actions/sha-of-zip.bat
index 4dc99a5fd..a02625096 100644
--- a/.github/actions/sha-of-zip.bat
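Review bot: `echo $Directory` writes to the success stream, and sha-of-zip.bat redirects this script's stdout into %HASHFILE_UNSORTED%, so the extraction path becomes a line of the hashed content rather than a diagnostic; use `Write-Host $Directory` (as the commented-out `Write-Host $File` does) or drop it. Each handle opened with `[io.file]::OpenRead` is never released; add `$FileStream.Dispose()` after the `CopyTo`. A missing or unreadable directory only produces a non-terminating error from Get-ChildItem, so the script still prints the digest of zero bytes and the caller cannot tell it from a real one; set `$ErrorActionPreference = 'Stop'` at the top, and pin enumeration order with `Get-ChildItem -Recurse -Path $Directory -File | Sort-Object FullName` since the order of -Recurse output is not guaranteed. Note also that file contents are concatenated with no separator or name, so the digest does not change when bytes move between files or files are renamed; if the layout of the modules image should be covered, emit per-file name/hash lines the way sha-of-zip.bat does for the rest of the tree.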
+++ b/.github/actions/sha-of-zip.bat
@@ -9,11 +9,13 @@ set SHA_A=%2
 setlocal EnableExtensions EnableDelayedExpansion
+:: All paths relative to pwd -- where this script is called from
+set "EXTRACTIONDIR=.\rcv\zip_extracted"
+set "MODULESFILE=.\rcv\zip_extracted\rcv\lib\modules"
+set "MODULESDIR=.\rcv\zip_extracted\rcv\lib\modules_extracted"
 set "HASHFILE_UNSORTED=all_hashes_unsorted.txt"
 set "HASHFILE_PATH_STRIPPED=all_hashes_path_stripped.txt"
 set "HASHFILE_SORTED=all_hashes_sorted.txt"
-set "EXTRACTIONDIR=.\rcv\zip_extracted"
-set "MODULESFILE=.\rcv\lib\modules"
 if exist %HASHFILE_UNSORTED% (
 del %HASHFILE_UNSORTED%
@@ -23,20 +25,28 @@ if exist %EXTRACTIONDIR% (
 rmdir /s /q %EXTRACTIONDIR%
 )
-mkdir %EXTRACTIONDIR%
-powershell -command Expand-Archive -Path %ZIP_FILEPATH% -Destination %EXTRACTIONDIR%
-cd %EXTRACTIONDIR%
+if exist %MODULESDIR% (
+ rmdir /s /q %EXTRACTIONDIR%
+)
-:: Remove modules file, which doesn't vary on the same machine but does vary across machines
+powershell -command Expand-Archive -Path %ZIP_FILEPATH% -Destination %EXTRACTIONDIR%
+
+:: Extract modules, get the SHA-512 of it, and add it to the top of the hashfile
+jimage extract --dir %MODULESDIR% %MODULESFILE%
+
+powershell .github\actions\Sha-Of-Directory.ps1 %MODULESDIR% 512 > %HASHFILE_UNSORTED%
+
+:: Delete both modules and the extracted dir
 del %MODULESFILE%
+rmdir /s /q %MODULESDIR%
 :: Calculate the hash for every file here and in all subdirectories, appending to the file (format "(filename) = (hash)")
 (
- for /r . %%f in (*) do (
+ for /r %EXTRACTIONDIR% %%f in (*) do (
 %HASHFILE_UNSORTED%
+) >> %HASHFILE_UNSORTED%
 :: Replace the absolute paths to each file with relative paths (e.g. C:\temp\rcv => .\rcv)
 set "SEARCHTEXT=%cd%"
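Review bot: The new `if exist %MODULESDIR%` block tests one directory but removes another (`rmdir /s /q %EXTRACTIONDIR%`), and because %MODULESDIR% sits under %EXTRACTIONDIR%, which the preceding `if exist %EXTRACTIONDIR%` block has already deleted, it never does anything; either drop it or make it `rmdir /s /q %MODULESDIR%`. Neither `jimage extract` nor the `powershell .github\actions\Sha-Of-Directory.ps1` call is checked, so if jimage is absent or fails the script goes on to hash an empty or missing modules directory and still emits a plausible-looking golden hash; add `if errorlevel 1 exit /b 1` after each of them. Removing `cd %EXTRACTIONDIR%` while keeping `set "SEARCHTEXT=%cd%"` means the path-stripped entries now begin with `.\rcv\zip_extracted\` rather than `.\rcv\`, which changes the golden hash for an otherwise identical zip; if a script on another platform is expected to produce the same value it presumably has to match this layout, which is worth confirming. The body of the `for /r` loop is not fully visible in the hunk.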
@@ -52,7 +62,7 @@ sort "%HASHFILE_PATH_STRIPPED%" > "%HASHFILE_SORTED%"
 C:\Windows\System32\certutil.exe -hashfile %HASHFILE_SORTED% SHA%SHA_A% | findstr /v ":"
 :: For debugging, enable printing the file-by-file hash
-:: echo "File-by-file hash"
+:: echo File-by-file hash
 :: type "%HASHFILE_SORTED%"
 endlocal
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index cda17fa72..abe14b239 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -169,6 +169,7 @@ jobs:
 name: Package
 if-no-files-found: error
 path: |
+ ${{ github.workspace }}/all_hashes_sorted.txt
 ${{ github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }}
 ${{ github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }}.sha512
 ${{ github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }}.golden.sha512
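Review bot: The added `all_hashes_sorted.txt` entry is anchored at `${{ github.workspace }}`, which only holds if the step that runs sha-of-zip.bat has the workspace as its working directory — that script writes the file relative to its cwd, and the producing step is outside this hunk. A comment above the `path:` key (not inside the `|` block, where it would be read as a path), such as `# all_hashes_sorted.txt is written by .github/actions/sha-of-zip.bat relative to its cwd`, would record that dependency; `if-no-files-found: error` already turns a mismatch into a failed upload rather than a silently smaller artifact.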