Merge pull request #22 from JeremKOYTB/main

Massive Upgrade: Implement Strict NCA Crypto-Verification and Deterministic Archives

.github/workflows/firmware-autodl.yml

@@ -28,105 +28,70 @@ jobs:
 
       - name: ⬇️ Setup hactool-linux
         run: |
-          cp hactool-linux hactool
+          if [ -f "hactool-linux" ]; then
-          chmod +x hactool
+            cp hactool-linux hactool
+            chmod +x hactool
+          else
+            echo "Warning: hactool-linux non trouvé."
+          fi
 
-      - name: 🔍 Check firmware version (Switch 1 only, >=21.0.0 strict)
+      - name: 🔍 Check firmware version (Switch 1 only, >=21.0.0)
         id: version_check
         shell: bash
         run: |
           set +e
-
           RSS=$(curl -sL --fail https://yls8.mtheall.com/ninupdates/feed.php)
-          CURL_STATUS=$?
+          if [ $? -ne 0 ] || [ -z "$RSS" ]; then
-
-          if [ $CURL_STATUS -ne 0 ] || [ -z "$RSS" ]; then
-            echo "INFO: Impossible de récupérer le RSS."
             echo "new_version=false" >> $GITHUB_OUTPUT
             exit 0
           fi
 
-          # Extraire description Switch (ignore Switch 2)
+          # Extraction stricte Switch 1 (hac) + Tri version
-          DESCRIPTION=$(echo "$RSS" | grep -oE '<description>Switch [0-9]+\.[0-9]+\.[0-9]+' | \
+          LATEST_VERSION=$(echo "$RSS" | tr -d '\n' | sed 's/<item>/\n<item>/g' | \
-                        grep -v 'Switch 2' | \
+            grep 'sys=hac' | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | sort -V | tail -n 1)
-                        head -n 1)
 
-          if [ -z "$DESCRIPTION" ]; then
+          if [ -z "$LATEST_VERSION" ]; then
-            echo "INFO: Aucun firmware Switch valide trouvé."
             echo "new_version=false" >> $GITHUB_OUTPUT
             exit 0
           fi
 
-          echo "Description détectée : $DESCRIPTION"
+          MAJOR=$(echo "$LATEST_VERSION" | cut -d. -f1)
-
-          VERSION=$(echo "$DESCRIPTION" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')
-
-          if [ -z "$VERSION" ]; then
-            echo "INFO: Impossible d'extraire la version."
-            echo "new_version=false" >> $GITHUB_OUTPUT
-            exit 0
-          fi
-
-          MAJOR=$(echo "$VERSION" | cut -d. -f1)
-
-          # Autorise uniquement 21+
           if [ "$MAJOR" -lt 21 ]; then
-            echo "INFO: Firmware $VERSION ignoré (<21.x)."
             echo "new_version=false" >> $GITHUB_OUTPUT
             exit 0
           fi
 
-          echo "Version valide détectée : $VERSION"
+          # Check si la Release existe
-
           HTTP_STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
             -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
-            "https://api.github.com/repos/${{ github.repository }}/releases/tags/$VERSION")
+            "https://api.github.com/repos/${{ github.repository }}/releases/tags/$LATEST_VERSION")
 
           if [ "$HTTP_STATUS" = "200" ]; then
-            echo "INFO: La release $VERSION existe déjà."
             echo "new_version=false" >> $GITHUB_OUTPUT
           else
-            echo "INFO: Nouvelle version $VERSION détectée !"
             echo "new_version=true" >> $GITHUB_OUTPUT
-            echo "firmware_version=$VERSION" >> $GITHUB_OUTPUT
+            echo "firmware_version=$LATEST_VERSION" >> $GITHUB_OUTPUT
           fi
-
           set -e
 
-      - name: 💻 Execute download script and capture changelog
+      - name: 💻 Execute download script & Extract Release Notes
         id: download
         if: steps.version_check.outputs.new_version == 'true'
         run: |
-          python3 firmware_downloader.py | tee firmware_output.txt
+          VERSION="${{ steps.version_check.outputs.firmware_version }}"
-          FIRMWARE_VERSION=$(grep 'Folder: Firmware ' firmware_output.txt | awk '{print $NF}')
+          
-          echo "firmware_version=$FIRMWARE_VERSION" >> $GITHUB_OUTPUT
+          # Exécution SANS paramètre pour que le script interroge lui-même l'API Nintendo
-          tail -n 4 firmware_output.txt > changelog_body.txt
+          python3 firmware_downloader.py | tee script_output.log
-
+          echo "firmware_version=$VERSION" >> $GITHUB_OUTPUT
-      - name: 🧹 Clean and zip firmware
+          
-        if: steps.version_check.outputs.new_version == 'true'
+          # Extraction stricte des dernières lignes générées par le script Python
-        run: |
+          sed -n '/Archive created:/,$p' script_output.log > changelog_body.txt
-          VERSION="${{ steps.download.outputs.firmware_version }}"
+          
-
+          # Stockage sécurisé et multi-lignes du texte pour GitHub Actions
-          find . -type f -name "*.nca.*" -delete
+          EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
-
+          echo "CHANGELOG_CONTENT<<$EOF" >> $GITHUB_ENV
-          if [ -d "Firmware $VERSION" ]; then
+          cat changelog_body.txt >> $GITHUB_ENV
-            rm -f "Firmware $VERSION.zip"
+          echo "$EOF" >> $GITHUB_ENV
-            zip -rj "Firmware $VERSION.zip" "Firmware $VERSION/" -i "*.nca"
-          fi
-
-      - name: 📝 Prepare Release Body
-        id: prepare_body
-        if: steps.version_check.outputs.new_version == 'true'
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const fs = require('fs');
-            if (fs.existsSync('changelog_body.txt')) {
-              const changelogBody = fs.readFileSync('changelog_body.txt', 'utf8');
-              core.setOutput('release_body', changelogBody);
-            } else {
-              core.setOutput('release_body', 'No changelog available.');
-            }
 
       - name: 📦 Create Tag and Release
         if: steps.version_check.outputs.new_version == 'true'
@@ -135,13 +100,10 @@ jobs:
           tag_name: ${{ steps.download.outputs.firmware_version }}
           name: Firmware ${{ steps.download.outputs.firmware_version }}
           body: |
-            Automatic download of the official Nintendo Switch firmware version **${{ steps.download.outputs.firmware_version }}**.
+            Automatic download of the official Nintendo Switch firmware version ${{ steps.download.outputs.firmware_version }}.
             
-            ---
+            Downloaded file details:
-            
+            ${{ env.CHANGELOG_CONTENT }}
-            **Downloaded file details:**
-            
-            ${{ steps.prepare_body.outputs.release_body }}
           files: |
             Firmware ${{ steps.download.outputs.firmware_version }}.zip
         env:

firmware_downloader.py

@@ -13,7 +13,7 @@ from os import makedirs, remove
 from os.path import basename, exists, join
 from configparser import ConfigParser
 from sys import argv
-from zipfile import ZipFile, ZIP_DEFLATED 
+from zipfile import ZipFile, ZIP_STORED, ZipInfo
 
 from requests import request
 from requests.exceptions import HTTPError
@@ -121,15 +121,15 @@ def nin_request(method, url, headers=None):
 def parse_cnmt(nca):
     ncaf = basename(nca)
     
-    # --- MODIFICATION CLÉ ---
+    # --- KEY MODIFICATION ---
-    # Force l'utilisation de l'exécutable hactool dans le répertoire courant.
+    # Force the use of the hactool executable in the current directory.
-    # Dans le workflow, hactool-linux a été renommé en hactool et rendu exécutable.
+    # In the workflow, hactool-linux was renamed to hactool and made executable.
     hactool_bin = "hactool.exe" if os.name == "nt" else "./hactool" 
     # -----------------------
     
     cnmt_temp_dir = f"cnmt_tmp_{ncaf}"
     
-    # Le script tente de lancer './hactool'
+    # The script attempts to run './hactool'
     run(
         [hactool_bin, "-k", "prod.keys", nca, "--section0dir", cnmt_temp_dir],
         stdout=PIPE, stderr=PIPE
@@ -181,7 +181,7 @@ def dltitle(title_id, version, is_su=False):
     except HTTPError as e:
         if e.response is not None and e.response.status_code == 404:
             print(f"INFO: Title {title_id} version {version} not found (404).")
-            if title_id == "010000000000081B":
+            if title_id.lower() == "010000000000081b":
                 sv_nca_exfat = ""
             return
         raise
@@ -201,9 +201,9 @@ def dltitle(title_id, version, is_su=False):
             dltitle(t_id, ver)
     else:
         for nca_id, nca_hash in parse_cnmt(cnmt_nca):
-            if title_id == "0100000000000809":
+            if title_id.lower() == "0100000000000809":
                 sv_nca_fat = f"{nca_id}.nca"
-            elif title_id == "010000000000081B":
+            elif title_id.lower() == "010000000000081b":
                 sv_nca_exfat = f"{nca_id}.nca"
 
             if nca_id not in queued_ncas:
@@ -217,12 +217,22 @@ def dltitle(title_id, version, is_su=False):
                 ))
 
 def zipdir(src_dir, out_zip):
-    with ZipFile(out_zip, "w", compression=ZIP_DEFLATED) as zf:
+    with ZipFile(out_zip, "w", compression=ZIP_STORED) as zf:
-        for root, _, files in os.walk(src_dir):
+        for root, dirs, files in os.walk(src_dir):
-            for name in files:
+            dirs.sort()
+            for name in sorted(files):
                 full = os.path.join(root, name)
                 rel  = os.path.relpath(full, start=src_dir) 
-                zf.write(full, arcname=rel)
+                os.utime(full, (1780315200, 1780315200))
+                
+                zinfo = ZipInfo.from_file(full, arcname=rel)
+                zinfo.date_time = (2026, 1, 1, 0, 0, 0)
+                zinfo.create_system = 0
+                zinfo.external_attr = 0 
+                zinfo.compress_type = ZIP_STORED
+                
+                with open(full, 'rb') as f:
+                    zf.writestr(zinfo, f.read())
 
 if __name__ == "__main__":
     if not exists("certificat.pem"):
@@ -296,8 +306,8 @@ if __name__ == "__main__":
     dlfiles(update_dls)
 
     if not sv_nca_exfat:
-        print("INFO: exFAT not found via meta — direct attempt 010000000000081B…")
+        print("INFO: exFAT not found via meta — direct attempt 010000000000081b…")
-        dltitle("010000000000081B", ver_raw, is_su=False)
+        dltitle("010000000000081b", ver_raw, is_su=False)
         if sv_nca_exfat:
             dlfiles(update_dls)
         else:
@@ -311,13 +321,48 @@ if __name__ == "__main__":
     if failed:
         exit(1)
 
+    print("\nINFO: Starting detailed verification of NCA hashes...")
+    hash_failed = False
+    for url, dirc, fname, expected_hash in update_dls:
+        fpath = join(dirc, fname)
+        if exists(fpath):
+            h = hashlib.sha256()
+            with open(fpath, "rb") as f:
+                for chunk in iter(lambda: f.read(1048576), b""):
+                    h.update(chunk)
+            actual_hash = h.hexdigest()
+            if actual_hash == expected_hash:
+                print(f"[OK] {fname}")
+                print(f"     -> Verified Hash: {actual_hash}")
+            else:
+                print(f"[ERROR] {fname}")
+                print(f"        Expected : {expected_hash}")
+                print(f"        Actual   : {actual_hash}")
+                hash_failed = True
+        else:
+            print(f"[MISSING] {fname}")
+            hash_failed = True
+
+    if hash_failed:
+        print("\nCRITICAL: Hash verification failed for one or more files. Archive will not be created.")
+        exit(1)
+    else:
+        print("\nINFO: All files successfully verified against CNMT records.")
+
     out_zip = f"{ver_dir}.zip" 
     if exists(out_zip):
         remove(out_zip)
     zipdir(ver_dir, out_zip)
 
+    h = hashlib.sha256()
+    with open(out_zip, "rb") as f:
+        for chunk in iter(lambda: f.read(1048576), b""):
+            h.update(chunk)
+    zip_sha256 = h.hexdigest()
+
     print("\nDOWNLOAD COMPLETE!")
     print(f"Archive created: {out_zip}")
     print(f"SystemVersion NCA FAT: {sv_nca_fat or 'Not Found'}")
     print(f"SystemVersion NCA exFAT: {sv_nca_exfat or 'Not Found'}")
-    print("Verify hashes before installation!")
+    print(f"Archive SHA256: {zip_sha256}")
+    print("Verify hashes before installation!")