pdm/stream_deck_notion_timer
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add Ed25519 signature verification to auto-updater (v1.0.4)

Browse Source
This commit is contained in:
pdmarf
2026-04-10 20:20:10 +01:00
parent acb90f2d69
commit 84d5e96487
7 changed files with 94 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
com.pdma.notion-timer.sdPlugin/bin/plugin.js
View File

@@ -6383,7 +6383,7 @@ async function fetchProjects(token, dbId) {
sorts: [{ property: "Project name", direction: "ascending" }] sorts: [{ property: "Project name", direction: "ascending" }]
}) })
}); });
if (!resp.ok) throw new Error(`Notion error ${resp.status}: ${await resp.text()}`); if (!resp.ok) throw new Error(`Notion error ${resp.status}`);
const data = await resp.json(); const data = await resp.json();
return data.results.map((page) => { return data.results.map((page) => {
const titleArr = page.properties?.["Project name"]?.title ?? []; const titleArr = page.properties?.["Project name"]?.title ?? [];
@@ -6413,7 +6413,7 @@ async function startTimer(token, timingDbId, projectId, projectName, userId) {
} }
}) })
}); });
if (!resp.ok) throw new Error(`Failed to start timer: ${await resp.text()}`); if (!resp.ok) throw new Error(`Failed to start timer: ${resp.status}`);
const data = await resp.json(); const data = await resp.json();
return data.id; return data.id;
} }
@@ -6429,26 +6429,49 @@ async function stopTimer(token, entryId) {
} }
}) })
}); });
if (!resp.ok) throw new Error(`Failed to stop timer: ${await resp.text()}`); if (!resp.ok) throw new Error(`Failed to stop timer: ${resp.status}`);
} }
// src/plugin.ts // src/plugin.ts
var CURRENT_VERSION = "1.0.3"; var CURRENT_VERSION = "1.0.4";
var GITEA_BASE = "http://100.120.125.113:3000/pdm/stream_deck_notion_timer/raw/branch/master"; var GITEA_BASE = "http://100.120.125.113:3000/pdm/stream_deck_notion_timer/raw/branch/master";
var SIGNING_PUBLIC_KEY = `-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAN7ko8TUpuPzPAJuKAZCRjV0c4ZSlou5d9pUAF6o12b4=
-----END PUBLIC KEY-----`;
function isNewerVersion(remote, current) {
const parse = (v) => v.split(".").map(Number);
const [rMaj, rMin, rPat] = parse(remote);
const [cMaj, cMin, cPat] = parse(current);
if (rMaj !== cMaj) return rMaj > cMaj;
if (rMin !== cMin) return rMin > cMin;
return rPat > cPat;
}
async function checkForUpdates() { async function checkForUpdates() {
try { try {
const resp = await fetch(`${GITEA_BASE}/version.json`); const resp = await fetch(`${GITEA_BASE}/version.json`);
if (!resp.ok) return; if (!resp.ok) return;
const { version } = await resp.json(); const { version } = await resp.json();
if (version === CURRENT_VERSION) return; if (!/^\d+\.\d+\.\d+$/.test(version)) return;
const pluginResp = await fetch(`${GITEA_BASE}/com.pdma.notion-timer.sdPlugin/bin/plugin.js`); if (!isNewerVersion(version, CURRENT_VERSION)) return;
if (!pluginResp.ok) return; const [pluginResp, sigResp] = await Promise.all([
fetch(`${GITEA_BASE}/com.pdma.notion-timer.sdPlugin/bin/plugin.js`),
fetch(`${GITEA_BASE}/com.pdma.notion-timer.sdPlugin/bin/plugin.js.sig`)
]);
if (!pluginResp.ok || !sigResp.ok) return;
const newCode = await pluginResp.text(); const newCode = await pluginResp.text();
const sigBytes = Buffer.from(await sigResp.arrayBuffer());
const { verify } = await import("node:crypto");
const valid = verify(null, Buffer.from(newCode), SIGNING_PUBLIC_KEY, sigBytes);
if (!valid) {
plugin_default.logger.error("Update rejected: signature verification failed");
return;
}
const fs3 = await import("fs"); const fs3 = await import("fs");
fs3.writeFileSync(__filename, newCode); fs3.writeFileSync(__filename, newCode);
plugin_default.logger.info(`Updated to ${version}, restarting\u2026`); plugin_default.logger.info(`Updated to ${version}, restarting\u2026`);
process.exit(0); process.exit(0);
} catch { } catch (err) {
plugin_default.logger.error(`Update check failed: ${err instanceof Error ? err.message : String(err)}`);
} }
} }
var HARDCODED = { var HARDCODED = {

1
com.pdma.notion-timer.sdPlugin/bin/plugin.js.sig Normal file
View File

@@ -0,0 +1 @@
sRE¸ ć6TÝßţă<ćÝE]&Z¸pŚĐÝĽŤÓĐ^ßlt!°BDuÖs屟ę1)Žë€6Ç_/ř`9

3
package.json
View File

@@ -3,8 +3,9 @@
"version": "1.0.0", "version": "1.0.0",
"description": "Notion time tracking toggle for Stream Deck", "description": "Notion time tracking toggle for Stream Deck",
"scripts": { "scripts": {
"build": "esbuild src/plugin.ts --bundle --platform=node --target=node20 --outfile=com.pdma.notion-timer.sdPlugin/bin/plugin.js --external:electron", "build": "esbuild src/plugin.ts --bundle --platform=node --target=node20 --outfile=com.pdma.notion-timer.sdPlugin/bin/plugin.js --external:electron && node scripts/sign.js",
"dev": "esbuild src/plugin.ts --bundle --platform=node --target=node20 --outfile=com.pdma.notion-timer.sdPlugin/bin/plugin.js --external:electron --watch", "dev": "esbuild src/plugin.ts --bundle --platform=node --target=node20 --outfile=com.pdma.notion-timer.sdPlugin/bin/plugin.js --external:electron --watch",
"sign": "node scripts/sign.js",
"link": "ln -sf \"$(pwd)/com.pdma.notion-timer.sdPlugin\" \"$HOME/Library/Application Support/com.elgato.StreamDeck/Plugins/com.pdma.notion-timer.sdPlugin\"", "link": "ln -sf \"$(pwd)/com.pdma.notion-timer.sdPlugin\" \"$HOME/Library/Application Support/com.elgato.StreamDeck/Plugins/com.pdma.notion-timer.sdPlugin\"",
"unlink": "rm -f \"$HOME/Library/Application Support/com.elgato.StreamDeck/Plugins/com.pdma.notion-timer.sdPlugin\"" "unlink": "rm -f \"$HOME/Library/Application Support/com.elgato.StreamDeck/Plugins/com.pdma.notion-timer.sdPlugin\""
}, },

23
scripts/sign.js Normal file
View File

@@ -0,0 +1,23 @@
#!/usr/bin/env node
// Signs plugin.js with the Ed25519 private key, producing plugin.js.sig
// The private key lives at ~/.notion-timer-signing-key.pem and is never committed.
const { sign } = require("crypto");
const fs = require("fs");
const path = require("path");
const PLUGIN_JS = path.join(__dirname, "../com.pdma.notion-timer.sdPlugin/bin/plugin.js");
const SIG_FILE = PLUGIN_JS + ".sig";
const KEY_FILE = path.join(process.env.HOME, ".notion-timer-signing-key.pem");
if (!fs.existsSync(KEY_FILE)) {
console.error(`Signing key not found at ${KEY_FILE}`);
process.exit(1);
}
const privateKey = fs.readFileSync(KEY_FILE, "utf8");
const payload = fs.readFileSync(PLUGIN_JS);
const signature = sign(null, payload, privateKey);
fs.writeFileSync(SIG_FILE, signature);
console.log(`Signed: ${path.basename(SIG_FILE)} (${signature.length} bytes)`);

8
src/notion.ts
View File

@@ -55,7 +55,7 @@ export async function fetchProjects(token: string, dbId: string): Promise<Notion
}), }),
}); });
if (!resp.ok) throw new Error(`Notion error ${resp.status}: ${await resp.text()}`); if (!resp.ok) throw new Error(`Notion error ${resp.status}`);
const data = (await resp.json()) as { results: unknown[] }; const data = (await resp.json()) as { results: unknown[] };
return data.results.map((page: any) => { return data.results.map((page: any) => {
@@ -74,7 +74,7 @@ export async function startTimer(
timingDbId: string, timingDbId: string,
projectId: string, projectId: string,
projectName: string, projectName: string,
userId: string, userId: string
): Promise<string> { ): Promise<string> {
const now = new Date().toISOString(); const now = new Date().toISOString();
const date = new Date().toLocaleDateString("en-GB"); const date = new Date().toLocaleDateString("en-GB");
@@ -95,7 +95,7 @@ export async function startTimer(
}), }),
}); });
if (!resp.ok) throw new Error(`Failed to start timer: ${await resp.text()}`); if (!resp.ok) throw new Error(`Failed to start timer: ${resp.status}`);
const data = (await resp.json()) as { id: string }; const data = (await resp.json()) as { id: string };
return data.id; return data.id;
@@ -115,5 +115,5 @@ export async function stopTimer(token: string, entryId: string): Promise<void> {
}), }),
}); });
if (!resp.ok) throw new Error(`Failed to stop timer: ${await resp.text()}`); if (!resp.ok) throw new Error(`Failed to stop timer: ${resp.status}`);
} }

37
src/plugin.ts
View File

@@ -1,23 +1,48 @@
const CURRENT_VERSION = "1.0.3"; const CURRENT_VERSION = "1.0.4";
const GITEA_BASE = "http://100.120.125.113:3000/pdm/stream_deck_notion_timer/raw/branch/master"; const GITEA_BASE = "http://100.120.125.113:3000/pdm/stream_deck_notion_timer/raw/branch/master";
const SIGNING_PUBLIC_KEY = `-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAN7ko8TUpuPzPAJuKAZCRjV0c4ZSlou5d9pUAF6o12b4=
-----END PUBLIC KEY-----`;
function isNewerVersion(remote: string, current: string): boolean {
const parse = (v: string) => v.split(".").map(Number);
const [rMaj, rMin, rPat] = parse(remote);
const [cMaj, cMin, cPat] = parse(current);
if (rMaj !== cMaj) return rMaj > cMaj;
if (rMin !== cMin) return rMin > cMin;
return rPat > cPat;
}
async function checkForUpdates(): Promise<void> { async function checkForUpdates(): Promise<void> {
try { try {
const resp = await fetch(`${GITEA_BASE}/version.json`); const resp = await fetch(`${GITEA_BASE}/version.json`);
if (!resp.ok) return; if (!resp.ok) return;
const { version } = await resp.json() as { version: string }; const { version } = await resp.json() as { version: string };
if (version === CURRENT_VERSION) return; if (!/^\d+\.\d+\.\d+$/.test(version)) return;
if (!isNewerVersion(version, CURRENT_VERSION)) return;
const [pluginResp, sigResp] = await Promise.all([
fetch(`${GITEA_BASE}/com.pdma.notion-timer.sdPlugin/bin/plugin.js`),
fetch(`${GITEA_BASE}/com.pdma.notion-timer.sdPlugin/bin/plugin.js.sig`),
]);
if (!pluginResp.ok || !sigResp.ok) return;
const pluginResp = await fetch(`${GITEA_BASE}/com.pdma.notion-timer.sdPlugin/bin/plugin.js`);
if (!pluginResp.ok) return;
const newCode = await pluginResp.text(); const newCode = await pluginResp.text();
const sigBytes = Buffer.from(await sigResp.arrayBuffer());
const { verify } = await import("node:crypto");
const valid = verify(null, Buffer.from(newCode), SIGNING_PUBLIC_KEY, sigBytes);
if (!valid) {
streamDeck.logger.error("Update rejected: signature verification failed");
return;
}
const fs = await import("fs"); const fs = await import("fs");
fs.writeFileSync(__filename, newCode); fs.writeFileSync(__filename, newCode);
streamDeck.logger.info(`Updated to ${version}, restarting…`); streamDeck.logger.info(`Updated to ${version}, restarting…`);
process.exit(0); process.exit(0);
} catch { } catch (err) {
// Silently ignore — don't disrupt normal operation if update check fails streamDeck.logger.error(`Update check failed: ${err instanceof Error ? err.message : String(err)}`);
} }
} }

2
version.json
View File

@@ -1 +1 @@
{ "version": "1.0.3" } { "version": "1.0.4" }