feat: add .AppImage.DIGEST verification support (#197)

Author: Cyber-Syntax

CHANGELOG.md

@@ -1,6 +1,7 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## v1.4.0-alpha
 ## v1.3.0-alpha
 ## v1.2.0-alpha
 ### CHANGES

my_unicorn/github_client.py

@@ -58,6 +58,7 @@ class GitHubReleaseFetcher:
         r".*\.sum$",
         r".*\.hash$",
         r".*\.digest$",
+        r".*\.DIGEST$",
         r".*appimage\.sha256$",
         r".*appimage\.sha512$",
     ]

my_unicorn/services/verification_service.py

@@ -312,6 +312,77 @@ def _build_checksum_url(
             f"https://github.com/{owner}/{repo}/releases/download/{tag_name}/{checksum_file}"
         )
 
+    def _prioritize_checksum_files(
+        self,
+        checksum_files: list[ChecksumFileInfo],
+        target_filename: str,
+    ) -> list[ChecksumFileInfo]:
+        """Prioritize checksum files to try the most relevant one first.
+
+        For a target file like 'app.AppImage', this will prioritize:
+        1. Exact match: 'app.AppImage.DIGEST'
+        2. Platform-specific: 'app.AppImage.sha256'
+        3. Generic files: 'checksums.txt', etc.
+
+        Args:
+            checksum_files: List of detected checksum files
+            target_filename: Name of the file being verified
+
+        Returns:
+            Reordered list with most relevant checksum files first
+
+        """
+        if not checksum_files:
+            return checksum_files
+
+        logger.debug(
+            "🔍 Prioritizing %d checksum files for target: %s",
+            len(checksum_files),
+            target_filename,
+        )
+
+        def get_priority(checksum_file: ChecksumFileInfo) -> tuple[int, str]:
+            """Get priority score for checksum file (lower = higher priority)."""
+            filename = checksum_file.filename
+
+            # Priority 1: Exact match (e.g., app.AppImage.DIGEST)
+            if (
+                filename == f"{target_filename}.DIGEST"
+                or filename == f"{target_filename}.digest"
+            ):
+                logger.debug("   📌 Priority 1 (exact .DIGEST): %s", filename)
+                return (1, filename)
+
+            # Priority 2: Platform-specific hash files (e.g., app.AppImage.sha256)
+            target_extensions = [".sha256", ".sha512", ".sha1", ".md5"]
+            for ext in target_extensions:
+                if filename == f"{target_filename}{ext}":
+                    logger.debug("   📌 Priority 2 (platform-specific): %s", filename)
+                    return (2, filename)
+
+            # Priority 3: YAML files (usually most comprehensive)
+            if checksum_file.format_type == "yaml":
+                logger.debug("   📌 Priority 3 (YAML): %s", filename)
+                return (3, filename)
+
+            # Priority 4: Other .DIGEST files (might contain multiple files)
+            if filename.lower().endswith((".digest",)):
+                logger.debug("   📌 Priority 4 (other .DIGEST): %s", filename)
+                return (4, filename)
+
+            # Priority 5: Generic checksum files
+            logger.debug("   📌 Priority 5 (generic): %s", filename)
+            return (5, filename)
+
+        # Sort by priority (lower number = higher priority)
+        prioritized = sorted(checksum_files, key=get_priority)
+
+        logger.debug("   📋 Final priority order:")
+        for i, cf in enumerate(prioritized, 1):
+            logger.debug("      %d. %s", i, cf.filename)
+
+        return prioritized
+
     async def verify_file(
         self,
         file_path: Path,
@@ -384,9 +455,12 @@ async def verify_file(
                     # Enable digest verification in config for future use
                     updated_config["digest"] = True
 
-        # Try checksum file verification for all detected files
+        # Try checksum file verification with smart prioritization
         if checksum_files:
-            for i, checksum_file in enumerate(checksum_files):
+            # Prioritize checksum files to try the most likely match first
+            prioritized_files = self._prioritize_checksum_files(checksum_files, file_path.name)
+
+            for i, checksum_file in enumerate(prioritized_files):
                 method_key = f"checksum_file_{i}" if i > 0 else "checksum_file"
 
                 checksum_result = await self._verify_checksum_file(

my_unicorn/strategies/install_url.py

@@ -15,8 +15,8 @@
 )
 from ..icon import IconManager
 from ..logger import get_logger
+from ..services.verification_service import VerificationService
 from ..utils import extract_and_validate_version
-from ..verify import Verifier
 from .install import InstallationError, InstallStrategy, ValidationError
 
 logger = get_logger(__name__)
@@ -161,7 +161,7 @@ async def _install_single_repo(
                 # Verify download if requested
                 if kwargs.get("verify_downloads", True):
                     await self._perform_verification(
-                        download_path, appimage_asset, owner, repo_name
+                        download_path, appimage_asset, release_data, owner, repo_name
                     )
 
                 # Move to install directory
@@ -258,13 +258,19 @@ async def _install_single_repo(
                 }
 
     async def _perform_verification(
-        self, path: Path, asset: GitHubAsset, owner: str, repo_name: str
+        self,
+        path: Path,
+        asset: GitHubAsset,
+        release_data: GitHubReleaseDetails,
+        owner: str,
+        repo_name: str,
     ) -> None:
-        """Perform download verification using available methods.
+        """Perform download verification using VerificationService with optimization.
 
         Args:
             path: Path to downloaded file
             asset: GitHub asset information
+            release_data: Full GitHub release data with all assets
             owner: Repository owner
             repo_name: Repository name
 
@@ -273,35 +279,63 @@ async def _perform_verification(
 
         """
         logger.debug("🔍 Starting verification for %s", path.name)
-        verifier = Verifier(path)
-        verification_passed = False
 
-        # Try digest verification first if available
-        if asset.get("digest"):
-            try:
-                logger.debug("🔐 Attempting digest verification")
-                verifier.verify_digest(asset["digest"])
-                logger.debug("✅ Digest verification passed")
-                verification_passed = True
-            except Exception as e:
-                logger.warning("⚠️ Digest verification failed: %s", e)
+        # Use VerificationService for comprehensive verification including optimized checksum files
+        verification_service = VerificationService(self.download_service)
+
+        # Convert GitHubReleaseDetails assets to the format expected by verification service
+        all_assets = []
+        for release_asset in release_data["assets"]:
+            all_assets.append(
+                {
+                    "name": release_asset.get("name", ""),
+                    "size": release_asset.get("size", 0),
+                    "browser_download_url": release_asset.get("browser_download_url", ""),
+                    "digest": release_asset.get("digest", ""),
+                }
+            )
+
+        # Create verification config
+        config = {
+            "skip": False,
+            "checksum_file": None,  # Let it auto-detect with prioritization
+            "checksum_hash_type": "sha256",
+            "digest_enabled": bool(asset.get("digest")),
+        }
+
+        # Convert asset to expected format
+        asset_data = {
+            "name": asset.get("name", ""),
+            "size": asset.get("size", 0),
+            "browser_download_url": asset.get("browser_download_url", ""),
+            "digest": asset.get("digest", ""),
+        }
 
-        # Always perform basic file size verification
         try:
-            expected_size = asset.get("size", 0)
-            if expected_size > 0:
-                if not self.download_service.verify_file_size(path, expected_size):
-                    if not verification_passed:
-                        raise InstallationError("File size verification failed")
-                    else:
-                        logger.warning("⚠️ File size verification failed, but digest passed")
-                else:
-                    logger.debug("✅ File size verification passed")
-            else:
-                logger.debug("⚠️ No expected file size available")
+            # Perform comprehensive verification with optimized checksum file prioritization
+            result = await verification_service.verify_file(
+                file_path=path,
+                asset=asset_data,
+                config=config,
+                owner=owner,
+                repo=repo_name,
+                tag_name=release_data["version"],
+                app_name=repo_name,
+                assets=all_assets,
+            )
+
+            if not result.passed:
+                raise InstallationError(
+                    "File verification failed - no verification methods succeeded"
+                )
+
+            # Log verification methods used
+            methods_used = list(result.methods.keys())
+            logger.debug("✅ Verification passed using methods: %s", ", ".join(methods_used))
+
         except Exception as e:
-            if not verification_passed:
-                raise InstallationError(f"File verification failed: {e}")
+            logger.error("❌ Verification failed: %s", e)
+            raise InstallationError(f"File verification failed: {e}")
 
         logger.debug("✅ Verification completed")
 

my_unicorn/verify.py

@@ -385,7 +385,7 @@ def _parse_traditional_checksum_file(
                 logger.debug("   Full filename in checksum: %s", file_name)
                 return hash_value
 
-        logger.warning("⚠️  Target file %s not found in traditional checksum file", filename)
+        logger.info("⚠️  Target file %s not found in traditional checksum file", filename)
         logger.debug("   Found %d entries:", len(found_entries))
         for hash_val, full_name, base_name in found_entries:
             logger.debug("      • %s (full: %s) -> %s...", base_name, full_name, hash_val[:16])
@@ -422,6 +422,8 @@ def _detect_hash_type_from_filename(self, filename: str) -> HashType:
             return "sha1"
         elif "md5" in filename_lower:
             return "md5"
+        elif filename_lower.endswith(".digest"):
+            return "sha256"  # .DIGEST files typically use sha256
         else:
             return "sha256"  # Default fallback
 

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = 'my-unicorn'
-version = '1.3.0-alpha'
+version = '1.4.0-alpha'
 maintainers = [{ name = "Cyber-Syntax" }]
 license = { text = "GPL-3.0-or-later" }
 description = 'It downloads/updates appimages via GitHub API. It also validates the appimage with SHA256 and SHA512.'