Add Ed25519 signature verification to auto-updater (v1.0.4)

src/notion.ts

@@ -55,7 +55,7 @@ export async function fetchProjects(token: string, dbId: string): Promise<Notion
     }),
   });
 
-  if (!resp.ok) throw new Error(`Notion error ${resp.status}: ${await resp.text()}`);
+  if (!resp.ok) throw new Error(`Notion error ${resp.status}`);
 
   const data = (await resp.json()) as { results: unknown[] };
   return data.results.map((page: any) => {
@@ -74,7 +74,7 @@ export async function startTimer(
   timingDbId: string,
   projectId: string,
   projectName: string,
-  userId: string,
+  userId: string
 ): Promise<string> {
   const now = new Date().toISOString();
   const date = new Date().toLocaleDateString("en-GB");
@@ -95,7 +95,7 @@ export async function startTimer(
     }),
   });
 
-  if (!resp.ok) throw new Error(`Failed to start timer: ${await resp.text()}`);
+  if (!resp.ok) throw new Error(`Failed to start timer: ${resp.status}`);
 
   const data = (await resp.json()) as { id: string };
   return data.id;
@@ -115,5 +115,5 @@ export async function stopTimer(token: string, entryId: string): Promise<void> {
     }),
   });
 
-  if (!resp.ok) throw new Error(`Failed to stop timer: ${await resp.text()}`);
+  if (!resp.ok) throw new Error(`Failed to stop timer: ${resp.status}`);
 }

src/plugin.ts

@@ -1,23 +1,48 @@
-const CURRENT_VERSION = "1.0.3";
+const CURRENT_VERSION = "1.0.4";
 const GITEA_BASE = "http://100.120.125.113:3000/pdm/stream_deck_notion_timer/raw/branch/master";
+const SIGNING_PUBLIC_KEY = `-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAN7ko8TUpuPzPAJuKAZCRjV0c4ZSlou5d9pUAF6o12b4=
+-----END PUBLIC KEY-----`;
+
+function isNewerVersion(remote: string, current: string): boolean {
+  const parse = (v: string) => v.split(".").map(Number);
+  const [rMaj, rMin, rPat] = parse(remote);
+  const [cMaj, cMin, cPat] = parse(current);
+  if (rMaj !== cMaj) return rMaj > cMaj;
+  if (rMin !== cMin) return rMin > cMin;
+  return rPat > cPat;
+}
 
 async function checkForUpdates(): Promise<void> {
   try {
     const resp = await fetch(`${GITEA_BASE}/version.json`);
     if (!resp.ok) return;
     const { version } = await resp.json() as { version: string };
-    if (version === CURRENT_VERSION) return;
+    if (!/^\d+\.\d+\.\d+$/.test(version)) return;
+    if (!isNewerVersion(version, CURRENT_VERSION)) return;
 
-    const pluginResp = await fetch(`${GITEA_BASE}/com.pdma.notion-timer.sdPlugin/bin/plugin.js`);
-    if (!pluginResp.ok) return;
-    const newCode = await pluginResp.text();
+    const [pluginResp, sigResp] = await Promise.all([
+      fetch(`${GITEA_BASE}/com.pdma.notion-timer.sdPlugin/bin/plugin.js`),
+      fetch(`${GITEA_BASE}/com.pdma.notion-timer.sdPlugin/bin/plugin.js.sig`),
+    ]);
+    if (!pluginResp.ok || !sigResp.ok) return;
+
+    const newCode  = await pluginResp.text();
+    const sigBytes = Buffer.from(await sigResp.arrayBuffer());
+
+    const { verify } = await import("node:crypto");
+    const valid = verify(null, Buffer.from(newCode), SIGNING_PUBLIC_KEY, sigBytes);
+    if (!valid) {
+      streamDeck.logger.error("Update rejected: signature verification failed");
+      return;
+    }
 
     const fs = await import("fs");
     fs.writeFileSync(__filename, newCode);
     streamDeck.logger.info(`Updated to ${version}, restarting…`);
     process.exit(0);
-  } catch {
-    // Silently ignore — don't disrupt normal operation if update check fails
+  } catch (err) {
+    streamDeck.logger.error(`Update check failed: ${err instanceof Error ? err.message : String(err)}`);
   }
 }