"AM" 9.9.5 - add checksum verification (#2125)

ivan-hc · vishnu350 · web-flow · commit 860000dd57b3 · 2026-03-09T05:09:37.000+01:00
* Added _use_verify() function into APP-MANAGER for checksum verification (#2124) * Update APP-MANAGER * Update install.am - Add checksum to post-installation processes * Refactoring on new function "_use_verify" * Reduce checksum messages when updating * Prevent duplicated checksum message in updates * Fit checksum message while updating * Do not specify the program name in the checksum... ...it is already specified in the options that use this function * Update APP-MANAGER Two changes: - If the checksum fails, do not prompt reinstallation. - The precaution to avoid repeating the message about missing shasum/md5sum dependencies no longer works. Removed. * Add spaces in updates to increase readability * Fix checksum in apps from third-party databases * Set DIVIDING_LINE dynamically * Update APP-MANAGER Keep update messages compat * Enable translation in checksum messages * Add checksum file after that ownership of directory is changed * Checksum is not required for tarball/zip files, also if direct download * Green check marks in version number :eyes * Update management.am - Checksum in "downgrade" and "nolibfuse" - "downgrade", run _use_verify - "nolibfuse", remove AM-VERIFIED if exists * Allow checksum on "$pure_arg" (used in "-i") * Validate checksum for auto-updatable portable apps for example firefox*, thunderbird*, tor-browser* and zotero * Fix checksum for archives * If no hashes & no AppImage, "Checksum verification not supported" * Checksum messages in variables to prevent syntax errors in translations * Update APP-MANAGER * Update APP-MANAGER, v9.9.5 --------- Co-authored-by: Vishnu <5123344+vishnu350@users.noreply.github.com>
diff --git a/APP-MANAGER b/APP-MANAGER
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-AMVERSION="9.9.4-1"
+AMVERSION="9.9.5"
 
 # Determine main repository and branch
 AMREPO="https://raw.githubusercontent.com/ivan-hc/AM/main"
@@ -93,11 +93,13 @@ RED='\033[0;31m'
 Gold='\033[0;33m'
 Green='\033[0;32m'
 LightBlue='\033[1;34m'
-DIVIDING_LINE="-----------------------------------------------------------------------------"
+
+command -v tput >/dev/null 2>&1 && TERMINAL_WIDTH="$(("$(tput cols)"-"3"))" || TERMINAL_WIDTH="${COLUMNS:-80}"
+DIVIDING_LINE=$(printf '%*s' "$TERMINAL_WIDTH" '' | tr ' ' '-')
 
 # Fit texts to an acceptable width
 _fit() {
-	command -v tput >/dev/null 2>&1 && fold -sw "$(("$(tput cols)"-"3"))" | sed 's/^/ /g' || fold -sw 77 | sed 's/^/ /g'
+	command -v tput >/dev/null 2>&1 && fold -sw "$TERMINAL_WIDTH" | sed 's/^/ /g' || fold -sw 77 | sed 's/^/ /g'
 }
 
 # DEVELOPER MODE
@@ -845,6 +847,9 @@ _check_version() {
 			if echo "$archived_apps" | grep -q "^$arg$"; then
 				APPVERSION="$APPVERSION is ARCHIVED"
 			fi
+			if [ -f "$argpath"/AM-VERIFIED ]; then
+				APPVERSION=$(echo "$APPVERSION✓" | awk '{gsub(/✓/, "\033[32m✓\033[0m"); print}')
+			fi
 			if echo "$obsolete_apps" | grep -q "^$arg [0-9]"; then
 				obsolete_last_release=$(echo "$obsolete_apps" | grep "^$arg " | awk '{print $2}')
 				APPVERSION="$APPVERSION, of $obsolete_last_release"
@@ -1402,6 +1407,80 @@ _use_sync() {
 	echo "$DIVIDING_LINE"
 }
 
+_use_verify() {
+	# Check if checksum calc tools exist
+	if command -v shasum &> /dev/null && command -v md5sum &> /dev/null; then
+		# Check if the download was a tarball/zip file
+		if { [ -f "$argpath/version" ] && grep -q '\.xz$\|\.zip$\|\.gz$' "$argpath/version"; } \
+		|| { [ -f "$argpath/AM-updater" ] && grep -q 'wget.*\.xz \|wget.*\.zip \|wget.*\.gz ' "$argpath/AM-updater"; } \
+		|| { [ ! -f "$argpath/version" ] && [ ! -f "$argpath/AM-updater" ] && [ -f "$argpath/updater.ini" ]; }; then
+			checksum_msg=$(echo $"Checksum is not required for tarball/zip files.")
+			printf "%b✔\033[0m %b \n" "${Green}" "$checksum_msg" | _fit
+			printf "Source is tarball/zip" > "$argpath"/AM-VERIFIED
+			return 1
+		# Search for hash files
+		elif [ -f "$argpath"/version ] && grep -qi "^http" "$argpath"/version; then
+			download_url=$(sort "$argpath"/version)
+		elif [ -f "$argpath"/AM-updater ] && grep -q "wget .*am-extras" "$argpath"/AM-updater; then
+			download_url=$(eval "$(grep "wget .*am-extras" "$argpath"/AM-updater | tr '()' '\n' | grep curl | head -1)" | xargs)
+		fi
+		if [ -n "$download_url" ]; then
+			# Search for zsync file
+			digest=$(curl -Ls "$download_url.zsync" | grep -a "SHA\|MD5")
+			# Search for DIGEST file if no zsync file
+			if [ -z "$digest" ]; then
+				digest=$(curl -Ls "$download_url.DIGEST")
+				if echo "$digest" | grep -qi "not found"; then
+					if head -c10 "$argpath"/"$arg" 2>/dev/null | grep -qa '^.ELF....AI$' || head -c10 "$argpath"/"$pure_arg" 2>/dev/null | grep -qa '^.ELF....AI$'; then
+						checksum_msg=$(echo $"Checksum cannot be verified, no hashes found.")
+						printf "%b⚠️\033[0m %b \n" "${Gold}" "$checksum_msg" | _fit
+						return 1
+					else
+						checksum_msg=$(echo $"Checksum verification not yet supported for this program.")
+						printf "%b?\033[0m %b \n" "${LightBlue}" "$checksum_msg" | _fit
+						return 1
+					fi
+				fi
+			fi
+		else
+			checksum_msg=$(echo $"Checksum cannot be verified, missing download URL.")
+			printf "%b⚠️\033[0m %b \n" "${Gold}" "$checksum_msg" | _fit
+			return 1
+		fi
+		# Calculate checksums and remove verified status
+		if [ -f "$argpath"/"$arg" ]; then
+			rm -f "$argpath"/AM-VERIFIED
+			checksum_sha1=$(shasum -a 1 "$argpath/$arg" | awk '{print $1}')
+			checksum_sha256=$(shasum -a 256 "$argpath/$arg" | awk '{print $1}')
+			checksum_sha512=$(shasum -a 512 "$argpath/$arg" | awk '{print $1}')
+			checksum_md5=$(md5sum "$argpath/$arg" | awk '{print $1}')
+		elif [ -f "$argpath"/"$pure_arg" ]; then
+			rm -f "$argpath"/AM-VERIFIED
+			checksum_sha1=$(shasum -a 1 "$argpath/$pure_arg" | awk '{print $1}')
+			checksum_sha256=$(shasum -a 256 "$argpath/$pure_arg" | awk '{print $1}')
+			checksum_sha512=$(shasum -a 512 "$argpath/$pure_arg" | awk '{print $1}')
+			checksum_md5=$(md5sum "$argpath/$pure_arg" | awk '{print $1}')
+		else
+			checksum_msg=$(echo $"Checksum cannot be verified, mismatch in binary name.")
+			printf "%b✖\033[0m %b \n" "${RED}" "$checksum_msg" | _fit
+			return 1
+		fi
+		# Grep for any matching checksum
+		results=$(echo "$digest" | grep -a "$checksum_md5\|$checksum_sha1\|$checksum_sha256\|$checksum_sha512")
+		if [ -z "$results" ]; then
+			checksum_msg=$(echo $"Checksum does not match, please manually verify file integrity.")
+			printf "%b✖\033[0m %b \n" "${RED}" "$checksum_msg" | _fit
+		else
+			checksum_msg=$(echo $"Checksum matches, verification successful.")
+			printf "%b✔\033[0m %b \n" "${Green}" "$checksum_msg" | _fit
+			printf "MD5: %b\nSHA1: %b\nSHA256: %b\nSHA512: %b" "$checksum_sha1" "$checksum_sha256" "$checksum_sha512" "$checksum_md5" > "$argpath"/AM-VERIFIED
+		fi
+	else
+		echo $"Checksum calculation tools do not exist, please install shasum/md5sum."
+	fi
+	unset checksum_sha1 checksum_sha256 checksum_sha512 checksum_md5 digest download_url results
+}
+
 ################################################################################################################################################################
 #				UPDATE
 ################################################################################################################################################################
@@ -1475,9 +1554,15 @@ _update_run_updater() {
 		"$argpath"/AM-updater
 	fi
 	sed -i "s#$ALT_GH#https://api.github.com#g" "$argpath"/AM-updater 2>/dev/null
+	checksum_msg=$(_use_verify | xargs)
 	end=$(date +%s)
 	timelapsed=$((end - start))
-	[ "$timelapsed" = 1 ] && printf $" %b✔\033[0m $APPNAME is updated, $timelapsed second elapsed! \n" "${Green}" || printf $" %b✔\033[0m $APPNAME is updated, $timelapsed seconds elapsed! \n" "${Green}"
+	if [ "$timelapsed" = 1 ]; then
+		timelapsed_msg=$(printf $" %b✔\033[0m $APPNAME is updated, $timelapsed second elapsed! \n" "${Green}")
+	else
+		timelapsed_msg=$(printf $" %b✔\033[0m $APPNAME is updated, $timelapsed seconds elapsed! \n" "${Green}")
+	fi
+	printf -- "%b%b\n" "$timelapsed_msg" "$checksum_msg" | sed 's/^ //g; s/^/ /g'
 	[ -n "$debug_update" ] && echo "$DIVIDING_LINE"
 }
 
diff --git a/modules/install.am b/modules/install.am
@@ -219,6 +219,10 @@ _post_installation_processes() {
 			"${LASTDIRPATH}"/remove 2>/dev/null
 		$SUDOCMD chown -R "$USER" "${LASTDIRPATH}" 2>/dev/null
 	fi
+	# Add checksum file
+	argpath="$LASTDIRPATH"
+	_use_verify
+	echo ""
 	# Check for AM-updater script sothat CLI can manage updates
 	if [ -f "${LASTDIRPATH}"/AM-updater ]; then
 		mkdir "${LASTDIRPATH}"/.am-installer 2>/dev/null
diff --git a/modules/management.am b/modules/management.am
@@ -206,6 +206,7 @@ _downgrade() {
 	mv ./"$2".zsync.old ./"$2".zsync 2>/dev/null
 	echo "$d" > ./version
 	echo $"ROLLBACK SUCCESSFUL!"
+	_use_verify
 }
 
 ################################################################################################################################################################
@@ -447,6 +448,7 @@ _nolibfuse() {
 		echo $" so I added this command to the bottom of the \"AM-updater\" script!"
 	fi
 	echo $" Contact the upstream developers to make them officially upgrade!"
+	rm -f ./AM-VERIFIED
 	read -r -p $" Do you wish to remove the old libfuse2 AppImage? (Y/n) " yn
 	if echo "$yn" | grep -i '^n' >/dev/null 2>&1; then
 		return 1
