From 91266ca8eb4dfb59df40baac1d61c1e93ea5e9d3 Mon Sep 17 00:00:00 2001
From: Martin Zuther
Date: Fri, 27 Dec 2019 17:13:25 +0100
Subject: [PATCH] Check encrypted files with SHA-512/256 checksums
---
 contrib/hooks/post_encrypt | 57 +++++++++++++++++++++++++++++++
 contrib/hooks/post_status | 69 ++++++++++++++++++++++++++++++++++++++
 yadm | 2 ++
 3 files changed, 128 insertions(+)
 create mode 100755 contrib/hooks/post_encrypt
 create mode 100755 contrib/hooks/post_status
diff --git a/contrib/hooks/post_encrypt b/contrib/hooks/post_encrypt
new file mode 100755
index 0000000..eb35299
--- /dev/null
+++ b/contrib/hooks/post_encrypt
@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+
+# yadm - Yet Another Dotfiles Manager
+# Copyright (C) 2015-2019 Tim Byrne and Martin Zuther
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+
+YADM_DIRECTORY=$(dirname $YADM_HOOK_REPO)
+YADM_CHECKSUMS=$YADM_DIRECTORY/files.checksums
+
+
+# check if "shasum" exists
+if command -v shasum > /dev/null; then
+ # check if "shasum" supports SHA-512/256 algorithm
+ echo -n | shasum --algorithm 512256 2>&1 1> /dev/null
+
+ if [ $? -ne 0 ]; then
+ echo
+ echo "WARNING: \"shasum\" does not support SHA-512/256. No checksums were created."
+ exit $YADM_HOOK_EXIT
+ fi
+
+ # empty checksum file
+ echo -n > $YADM_CHECKSUMS
+
+ # calculate checksums for encrypted files
+ for included in ${YADM_ENCRYPT_INCLUDE_FILES[@]}; do
+ shasum --algorithm 512256 $included >> $YADM_CHECKSUMS
+ ERROR_CODE=$?
+
+ # signal errors
+ if [ $ERROR_CODE -ne 0 ]; then
+ exit $ERROR_CODE
+ fi
+ done
+
+ echo "Wrote checksums: $YADM_CHECKSUMS (SHA-512/256)"
+else
+ echo
+ echo "WARNING: command \"shasum\" not found. No checksums were created."
+ exit $YADM_HOOK_EXIT
+fi
+
+# return exit status of the yadm command
+exit $YADM_HOOK_EXIT
diff --git a/contrib/hooks/post_status b/contrib/hooks/post_status
new file mode 100755
index 0000000..f4a3b5d
--- /dev/null
+++ b/contrib/hooks/post_status
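Review bot: In contrib/hooks/post_encrypt, `files.checksums` stores an unsalted SHA-512/256 digest and the path of every file the user chose to encrypt, apparently computed over the on-disk plaintext, and `echo -n > $YADM_CHECKSUMS` creates it with whatever the current umask allows. A short or guessable secret can be confirmed offline from its digest, so the file deserves the same handling as the plaintext: set `umask 077` before the first write and add a header comment stating that the file must stay out of the tracked repository. In the loop, `shasum --algorithm 512256 $included >> $YADM_CHECKSUMS` is unquoted, so a checksum path containing whitespace breaks the redirect and an entry beginning with `-` is read as an option; `shasum --algorithm 512256 -- "$included" >> "$YADM_CHECKSUMS"` avoids both. The same quoting applies to `$(dirname $YADM_HOOK_REPO)` here and to `[ -f $YADM_CHECKSUMS ]` in post_status.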
@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+
+# yadm - Yet Another Dotfiles Manager
+# Copyright (C) 2015-2019 Tim Byrne and Martin Zuther
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+
+YADM_DIRECTORY=$(dirname $YADM_HOOK_REPO)
+YADM_CHECKSUMS=$YADM_DIRECTORY/files.checksums
+
+
+# check whether file with checksums exists
+if [ -f $YADM_CHECKSUMS ]; then
+ # check if "shasum" exists
+ if command -v shasum > /dev/null; then
+ # check if "shasum" supports SHA-512/256 algorithm
+ echo -n | shasum --algorithm 512256 2>&1 1> /dev/null
+
+ if [ $? -ne 0 ]; then
+ echo
+ echo "WARNING: \"shasum\" does not support SHA-512/256. Checksums were not verified."
+ exit $YADM_HOOK_EXIT
+ fi
+
+ # check encrypted files for differences and capture output
+ YADM_CHECKSUM_OUTPUT=$(shasum --algorithm 512256 --check $YADM_CHECKSUMS 2> /dev/null)
+ ERROR_CODE=$?
+
+ # some checksums do not match
+ if [ $ERROR_CODE -ne 0 ]; then
+ echo
+ echo "Some SHA-512/256 sums do not match:"
+
+ # set output color to red
+ echo -e "\033[0;31m"
+
+ # display mismatching files
+ while IFS= read -r line; do
+ echo $line | grep -iv "\sok$" | sed 's/^/ / ; s/: FAILED$//'
+ done <<< "$YADM_CHECKSUM_OUTPUT"
+
+ # reset output color
+ echo -e "\033[0m"
+ echo "Consider running either \"yadm encrypt\" or \"yadm decrypt\"."
+
+ # signal error
+ exit $ERROR_CODE
+ fi
+ else
+ echo
+ echo "WARNING: command \"shasum\" not found. Checksums were not verified."
+ exit $YADM_HOOK_EXIT
+ fi
+fi
+
+# return exit status of the yadm command
+exit $YADM_HOOK_EXIT
diff --git a/yadm b/yadm
index b8f42fd..0410482 100755
--- a/yadm
+++ b/yadm
@@ -1577,11 +1577,13 @@ function invoke_hook() {
 YADM_HOOK_FULL_COMMAND=$FULL_COMMAND
 YADM_HOOK_REPO=$YADM_REPO
 YADM_HOOK_WORK=$YADM_WORK
+ YADM_ENCRYPT_INCLUDE_FILES=${ENCRYPT_INCLUDE_FILES[@]}
 export YADM_HOOK_COMMAND
 export YADM_HOOK_EXIT
 export YADM_HOOK_FULL_COMMAND
 export YADM_HOOK_REPO
 export YADM_HOOK_WORK
+ export YADM_ENCRYPT_INCLUDE_FILES
 "$hook_command"
 hook_status=$?
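Review bot: In contrib/hooks/post_status, the report loop prints each result with an unquoted `echo $line`, so a file name containing glob characters or runs of whitespace is expanded or rewritten before the user sees it, and `\s` in the grep pattern is a GNU extension. The per-line loop can be a single pipeline over the captured output, `printf '%s\n' "$YADM_CHECKSUM_OUTPUT" | grep -v ': OK$'`, piped into the existing sed expression. The `2> /dev/null` on the `--check` call also discards shasum's own diagnostics, so a missing or unreadable file, or a malformed line in the list, is hard to tell apart from a real content mismatch. A comment at the top should say that the list is unauthenticated: it detects drift between the working copy and the last `yadm encrypt`, not changes made by someone who can also rewrite `files.checksums`.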
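Review bot: In yadm's invoke_hook, `YADM_ENCRYPT_INCLUDE_FILES=${ENCRYPT_INCLUDE_FILES[@]}` has no parentheses, so it assigns one string with the array elements joined together, and bash cannot export an array to a child process in any case. The hooks can only recover the entries by word splitting, which breaks any path containing whitespace and glob-expands pattern characters; the unquoted `for included in ${YADM_ENCRYPT_INCLUDE_FILES[@]}` in post_encrypt depends on exactly that. Passing a newline-separated value keeps paths intact: `YADM_ENCRYPT_INCLUDE_FILES=$(printf '%s\n' "${ENCRYPT_INCLUDE_FILES[@]}")` here, read in the hook with `while IFS= read -r included; do … done <<< "$YADM_ENCRYPT_INCLUDE_FILES"`. The body of invoke_hook starts and ends outside the hunk, so whether the list is populated for commands other than encrypt cannot be checked from here.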