Version v1.64.2

This was caused by a change to the upstream library
ProtonMail/go-crypto checking the flags on the keys more strictly.

However the signing key for rclone is very old and does not have those
flags. Adding those flags using `gpg --edit-key` and then the
`change-usage` subcommand to remove, save, quite then re-add, save
quit the signing capabilities caused the key to work.

This also adds tests for the verification and adds the selfupdate
tests into the integration test harness as they had been disabled on
CI because they rely on external sources and are sometimes unreliable.

Fixes #7373

.github/workflows/build_publish_release_docker_image.yml

@@ -10,6 +10,15 @@ jobs:
         runs-on: ubuntu-latest
         name: Build image job
         steps:
+            - name: Free some space
+              shell: bash
+              run: |
+                df -h .
+                # Remove android SDK
+                sudo rm -rf /usr/local/lib/android || true
+                # Remove .net runtime
+                sudo rm -rf /usr/share/dotnet || true
+                df -h .
             - name: Checkout master
               uses: actions/checkout@v4
               with:
@@ -39,6 +48,15 @@ jobs:
         runs-on: ubuntu-latest
         name: Build docker plugin job
         steps:
+            - name: Free some space
+              shell: bash
+              run: |
+                df -h .
+                # Remove android SDK
+                sudo rm -rf /usr/local/lib/android || true
+                # Remove .net runtime
+                sudo rm -rf /usr/share/dotnet || true
+                df -h .
             - name: Checkout master
               uses: actions/checkout@v4
               with:

MANUAL.html

@@ -81,7 +81,7 @@
 <header id="title-block-header">
 <h1 class="title">rclone(1) User Manual</h1>
 <p class="author">Nick Craig-Wood</p>
-<p class="date">Oct 17, 2023</p>
+<p class="date">Oct 19, 2023</p>
 </header>
 <h1 id="rclone-syncs-your-files-to-cloud-storage">Rclone syncs your files to cloud storage</h1>
 <p><img width="50%" src="https://rclone.org/img/logo_on_light__horizontal_color.svg" alt="rclone logo" style="float:right; padding: 5px;" ></p>
@@ -10056,7 +10056,7 @@ Showing nodes accounting for 1537.03kB, 100% of 1537.03kB total
       --tpslimit float                     Limit HTTP transactions per second to this
       --tpslimit-burst int                 Max burst of transactions for --tpslimit (default 1)
       --use-cookies                        Enable session cookiejar
-      --user-agent string                  Set the user-agent to a specified string (default &quot;rclone/v1.64.1&quot;)</code></pre>
+      --user-agent string                  Set the user-agent to a specified string (default &quot;rclone/v1.64.2&quot;)</code></pre>
 <h2 id="performance">Performance</h2>
 <p>Flags helpful for increasing performance.</p>
 <pre><code>      --buffer-size SizeSuffix   In memory buffer size when reading files for each --transfer (default 16Mi)
@@ -34087,6 +34087,15 @@ $ tree /tmp/b
 <li>"error": return an error based on option value</li>
 </ul>
 <h1 id="changelog-1">Changelog</h1>
+<h2 id="v1.64.2---2023-10-19">v1.64.2 - 2023-10-19</h2>
+<p><a href="https://github.com/rclone/rclone/compare/v1.64.1...v1.64.2">See commits</a></p>
+<ul>
+<li>Bug Fixes
+<ul>
+<li>selfupdate: Fix "invalid hashsum signature" error (Nick Craig-Wood)</li>
+<li>build: Fix docker build running out of space (Nick Craig-Wood)</li>
+</ul></li>
+</ul>
 <h2 id="v1.64.1---2023-10-17">v1.64.1 - 2023-10-17</h2>
 <p><a href="https://github.com/rclone/rclone/compare/v1.64.0...v1.64.1">See commits</a></p>
 <ul>

MANUAL.md

@@ -1,6 +1,6 @@
 % rclone(1) User Manual
 % Nick Craig-Wood
-% Oct 17, 2023
+% Oct 19, 2023
 
 # Rclone syncs your files to cloud storage
 
@@ -16951,7 +16951,7 @@ General networking and HTTP stuff.
       --tpslimit float                     Limit HTTP transactions per second to this
       --tpslimit-burst int                 Max burst of transactions for --tpslimit (default 1)
       --use-cookies                        Enable session cookiejar
-      --user-agent string                  Set the user-agent to a specified string (default "rclone/v1.64.1")
+      --user-agent string                  Set the user-agent to a specified string (default "rclone/v1.64.2")
 ```
 
 
@@ -46448,6 +46448,14 @@ Options:
 
 # Changelog
 
+## v1.64.2 - 2023-10-19
+
+[See commits](https://github.com/rclone/rclone/compare/v1.64.1...v1.64.2)
+
+* Bug Fixes
+    * selfupdate: Fix "invalid hashsum signature" error (Nick Craig-Wood)
+    * build: Fix docker build running out of space (Nick Craig-Wood)
+
 ## v1.64.1 - 2023-10-17
 
 [See commits](https://github.com/rclone/rclone/compare/v1.64.0...v1.64.1)

MANUAL.txt

@@ -1,6 +1,6 @@
 rclone(1) User Manual
 Nick Craig-Wood
-Oct 17, 2023
+Oct 19, 2023
 
 Rclone syncs your files to cloud storage
 
@@ -16285,7 +16285,7 @@ General networking and HTTP stuff.
           --tpslimit float                     Limit HTTP transactions per second to this
           --tpslimit-burst int                 Max burst of transactions for --tpslimit (default 1)
           --use-cookies                        Enable session cookiejar
-          --user-agent string                  Set the user-agent to a specified string (default "rclone/v1.64.1")
+          --user-agent string                  Set the user-agent to a specified string (default "rclone/v1.64.2")
 
 Performance
 
@@ -44059,6 +44059,15 @@ Options:
 
 Changelog
 
+v1.64.2 - 2023-10-19
+
+See commits
+
+-   Bug Fixes
+    -   selfupdate: Fix "invalid hashsum signature" error (Nick
+        Craig-Wood)
+    -   build: Fix docker build running out of space (Nick Craig-Wood)
+
 v1.64.1 - 2023-10-17
 
 See commits

VERSION

@@ -1 +1 @@
-v1.64.1
+v1.64.2

cmd/selfupdate/selfupdate_test.go

@@ -14,6 +14,7 @@ import (
 	"time"
 
 	"github.com/rclone/rclone/fs"
+	_ "github.com/rclone/rclone/fstest" // needed to run under integration tests
 	"github.com/rclone/rclone/fstest/testy"
 	"github.com/stretchr/testify/assert"
 )

cmd/selfupdate/testdata/verify/SHA256SUMS

@@ -0,0 +1,10 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+b20b47f579a2c790ca752fb5d8e5651fade7d5867cbac0a4f71e805fc5c468d0  archive.zip
+-----BEGIN PGP SIGNATURE-----
+
+iF0EARECAB0WIQT79zfs6firGGBL0qyTk14C/ztU+gUCZS+oVQAKCRCTk14C/ztU
++lNsAJ9XRiODlM4fIW9yqiltO3N+lLeucwCfRzD3cXk6BCB5wdz7pTgnItk9N74=
+=1GTr
+-----END PGP SIGNATURE-----

cmd/selfupdate/verify.go

@@ -26,24 +26,37 @@ QbogRGodbKhqY4v+cMNkKiemBuTQiWPkpKjifwNsD1fNjNKfDP3pJ64Yz7a4fuzV
 X1YwBACpKVuEen34lmcX6ziY4jq8rKibKBs4JjQCRO24kYoHDULVe+RS9krQWY5b
 e0foDhru4dsKccefK099G+WEzKVCKxupstWkTT/iJwajR8mIqd4AhD0wO9W3MCfV
 Ov8ykMDZ7qBWk1DHc87Ep3W1o8t8wq74ifV+HjhhWg8QAylXg7QlTmljayBDcmFp
-Zy1Xb29kIDxuaWNrQGNyYWlnLXdvb2QuY29tPohxBBMRCAAxBQsHCgMEAxUDAgMW
-AgECF4AWIQT79zfs6firGGBL0qyTk14C/ztU+gUCXjg2UgIZAQAKCRCTk14C/ztU
-+lmmAJ4jH5FyULzStjisuTvHLTVz6G44eQCfaR5QGZFPseenE5ic2WeQcBcmtoG5
-Ag0EO7LdgRAIAI6QdFBg3/xa1gFKPYy1ihV9eSdGqwWZGJvokWsfCvHy5180tj/v
-UNOLAJrdqglMSvevNTXe8bT65D6423AAsLhch9wq/aNqrHolTYABzxRigjcS1//T
-yln5naGUzlVQXDVfrDk3Md/NrkdOFj7r/YyMF0+iWwpFz2qAjL95i5wfVZ1kWGrT
-2AmivE1wD1sWT/Ja3FDI0NRkU0Nbz/a0TKe4ml8iLVtZXpTRbxxCCPdkHXXgSyu1
-eZ4NrF/wTJuvwGn12TJ1EF95aVkHxAUw0+KmLGdcyBG+IKuHamrsjWIAXGXV///K
-AxPgUthccQ03HMjltFsrdmen5Q034YM3eOsAAwUH/jAKiIAA8LpZmZPnt9GZ4+Ol
-Zp22VAfyfDOFl4Ol+cWjkLAgjAFsm5gnOKcRSE/9XPxnQqkhw7+ZygYuUMgTDJ99
-/5IM1UQL3ooS+oFrDaE99S8bLeOe17skcdXcA/K83VqD9m93rQRnbtD+75zqKkZn
-9WNFyKCXg5P6PFPdNYRtlQKOcwFR9mHRLUmapQSAM8Y2pCgALZ7GViKQca8/TT1T
-gZk9fJMZYGez+IlOPxTJxjn80+vywk4/wdIWSiQj+8u5RzT9sjmm77wbMVNGRqYd
-W/EemW9Zz9vi0CIvJGgbPMqcuxw8e/5lnuQ6Mi3uDR0P2RNIAhFrdZpVSME8xQaI
-RgQYEQIABgUCO7LdgQAKCRCTk14C/ztU+mLBAKC2cdFy7eLaQAvyzcE2VK6HVIjn
-JACguA00bxLQuJ4+RCJrLFZP8ZlN2sc=
-=TtR5
------END PGP PUBLIC KEY BLOCK-----`
+Zy1Xb29kIDxuaWNrQGNyYWlnLXdvb2QuY29tPoh0BBMRCAA0BQsHCgMEAxUDAgMW
+AgECF4ACGQEWIQT79zfs6firGGBL0qyTk14C/ztU+gUCZS/mXAIbIwAKCRCTk14C
+/ztU+tX+AJ9CUAnPvT4w5yRAPRfDiwWIPUqBOgCgiTelkzvUxvLWnYmpowwzKmsx
+qaSJAjMEEAEIAB0WIQTjs1jchY+zB/SBcLnLDb68XzLIHQUCZPRnNAAKCRDLDb68
+XzLIHZSAD/oCk9Z0xJfbpriphTBxFy7bWyPKF1lM1GZZaLKkktGfunf1i0Q7rhwp
+Nu+u1launlOTp6ZoY36Ce2Qa1eSxWAQdjVajw9kOHXCAewrTREOMY/mb7RVGjajo
+0Egl8T9iD3JRyaxu2iVtbpZYuqehtGG28CaCzmtqE+EJcx1cGqAGSuuaDWRYlVX8
+KDip44GQB5Lut30vwSIoZG1CPCR6VE82u4cl3mYZUfcJkCHsiLzoeadVzb+fOd+2
+ybzBn8Y77ifGgM+dSFSHe03mFfcHPdp0QImF9HQR7XI0UMZmEJsw7c2vDrRa+kRY
+2A4/amGn4Tahuazq8g2yqgGm3yAj49qGNarAau849lDr7R49j73ESnNVBGJ9ShzU
+4Ls+S1A5gohZVu2s1fkE3mbAmoTfU4JCrpRydOuL9xRJk5gbL44sKeuGODNshyTP
+JzG9DmRHpLsBn59v8mg5tqSfBIGqcqBxxnYHJnkK801MkaLW2m7wDmtz6P3TW86g
+GukzfIN3/OufLjnpN3Nx376JwWDDIyif7sn6/q+ZMwGz9uLKZkAeM5c3Dh4ygpgl
+iSLoV2bZzDz0iLxKWW7QOVVdWHmlEqbTldpQ7gUEPG7mxpzVo0xd6nHncSq0M91x
+29It4B3fATx/iJB2eardMzSsbzHiwTg0eswhYYGpSKZLgp4RShnVAbkCDQQ7st2B
+EAgAjpB0UGDf/FrWAUo9jLWKFX15J0arBZkYm+iRax8K8fLnXzS2P+9Q04sAmt2q
+CUxK9681Nd7xtPrkPrjbcACwuFyH3Cr9o2qseiVNgAHPFGKCNxLX/9PKWfmdoZTO
+VVBcNV+sOTcx382uR04WPuv9jIwXT6JbCkXPaoCMv3mLnB9VnWRYatPYCaK8TXAP
+WxZP8lrcUMjQ1GRTQ1vP9rRMp7iaXyItW1lelNFvHEII92QddeBLK7V5ng2sX/BM
+m6/AafXZMnUQX3lpWQfEBTDT4qYsZ1zIEb4gq4dqauyNYgBcZdX//8oDE+BS2Fxx
+DTccyOW0Wyt2Z6flDTfhgzd46wADBQf+MAqIgADwulmZk+e30Znj46VmnbZUB/J8
+M4WXg6X5xaOQsCCMAWybmCc4pxFIT/1c/GdCqSHDv5nKBi5QyBMMn33/kgzVRAve
+ihL6gWsNoT31Lxst457XuyRx1dwD8rzdWoP2b3etBGdu0P7vnOoqRmf1Y0XIoJeD
+k/o8U901hG2VAo5zAVH2YdEtSZqlBIAzxjakKAAtnsZWIpBxrz9NPVOBmT18kxlg
+Z7P4iU4/FMnGOfzT6/LCTj/B0hZKJCP7y7lHNP2yOabvvBsxU0ZGph1b8R6Zb1nP
+2+LQIi8kaBs8ypy7HDx7/mWe5DoyLe4NHQ/ZE0gCEWt1mlVIwTzFBohGBBgRAgAG
+BQI7st2BAAoJEJOTXgL/O1T6YsEAoLZx0XLt4tpAC/LNwTZUrodUiOckAKC4DTRv
+EtC4nj5EImssVk/xmU3axw==
+=VUqh
+-----END PGP PUBLIC KEY BLOCK-----
+`
 
 func verifyHashsum(ctx context.Context, siteURL, version, archive string, hash []byte) error {
 	sumsURL := fmt.Sprintf("%s/%s/SHA256SUMS", siteURL, version)
@@ -52,16 +65,26 @@ func verifyHashsum(ctx context.Context, siteURL, version, archive string, hash [
 		return err
 	}
 	fs.Debugf(nil, "downloaded hashsum list: %s", sumsURL)
+	return verifyHashsumDownloaded(ctx, sumsBuf, archive, hash)
+}
 
+func verifyHashsumDownloaded(ctx context.Context, sumsBuf []byte, archive string, hash []byte) error {
 	keyRing, err := openpgp.ReadArmoredKeyRing(strings.NewReader(ncwPublicKeyPGP))
 	if err != nil {
-		return errors.New("unsupported signing key")
+		return fmt.Errorf("unsupported signing key: %w", err)
 	}
+
 	block, rest := clearsign.Decode(sumsBuf)
-	// block.Bytes = block.Bytes[1:] // uncomment to test invalid signature
+	if block == nil {
+		return errors.New("invalid hashsum signature: couldn't find detached signature")
+	}
+	if len(rest) > 0 {
+		return fmt.Errorf("invalid hashsum signature: %d bytes of unsigned data", len(rest))
+	}
+
 	_, err = openpgp.CheckDetachedSignature(keyRing, bytes.NewReader(block.Bytes), block.ArmoredSignature.Body, nil)
-	if err != nil || len(rest) > 0 {
-		return errors.New("invalid hashsum signature")
+	if err != nil {
+		return fmt.Errorf("invalid hashsum signature: %w", err)
 	}
 
 	wantHash, err := findFileHash(sumsBuf, archive)

cmd/selfupdate/verify_test.go

@@ -0,0 +1,40 @@
+package selfupdate
+
+import (
+	"context"
+	"encoding/hex"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestVerify(t *testing.T) {
+	ctx := context.Background()
+	sumsBuf, err := os.ReadFile("testdata/verify/SHA256SUMS")
+	require.NoError(t, err)
+	hash, err := hex.DecodeString("b20b47f579a2c790ca752fb5d8e5651fade7d5867cbac0a4f71e805fc5c468d0")
+	require.NoError(t, err)
+
+	t.Run("NoError", func(t *testing.T) {
+		err = verifyHashsumDownloaded(ctx, sumsBuf, "archive.zip", hash)
+		require.NoError(t, err)
+	})
+	t.Run("BadSig", func(t *testing.T) {
+		sumsBuf[0x60] ^= 1 // change the signature by one bit
+		err = verifyHashsumDownloaded(ctx, sumsBuf, "archive.zip", hash)
+		assert.ErrorContains(t, err, "invalid signature")
+		sumsBuf[0x60] ^= 1 // undo the change
+	})
+	t.Run("BadSum", func(t *testing.T) {
+		hash[0] ^= 1 // change the SHA256 by one bit
+		err = verifyHashsumDownloaded(ctx, sumsBuf, "archive.zip", hash)
+		assert.ErrorContains(t, err, "archive hash mismatch")
+		hash[0] ^= 1 // undo the change
+	})
+	t.Run("BadName", func(t *testing.T) {
+		err = verifyHashsumDownloaded(ctx, sumsBuf, "archive.zipX", hash)
+		assert.ErrorContains(t, err, "unable to find hash")
+	})
+}

docs/content/changelog.md

@@ -5,6 +5,14 @@ description: "Rclone Changelog"
 
 # Changelog
 
+## v1.64.2 - 2023-10-19
+
+[See commits](https://github.com/rclone/rclone/compare/v1.64.1...v1.64.2)
+
+* Bug Fixes
+    * selfupdate: Fix "invalid hashsum signature" error (Nick Craig-Wood)
+    * build: Fix docker build running out of space (Nick Craig-Wood)
+
 ## v1.64.1 - 2023-10-17
 
 [See commits](https://github.com/rclone/rclone/compare/v1.64.0...v1.64.1)

docs/content/commands/rclone.md

@@ -784,7 +784,7 @@ rclone [flags]
       --use-json-log                                        Use json log format
       --use-mmap                                            Use mmap allocator (see docs)
       --use-server-modtime                                  Use server modified time instead of object metadata
-      --user-agent string                                   Set the user-agent to a specified string (default "rclone/v1.64.1")
+      --user-agent string                                   Set the user-agent to a specified string (default "rclone/v1.64.2")
   -v, --verbose count                                       Print lots more stuff (repeat for more)
   -V, --version                                             Print the version number
       --webdav-bearer-token string                          Bearer token instead of user/pass (e.g. a Macaroon)

docs/content/flags.md

@@ -111,7 +111,7 @@ General networking and HTTP stuff.
       --tpslimit float                     Limit HTTP transactions per second to this
       --tpslimit-burst int                 Max burst of transactions for --tpslimit (default 1)
       --use-cookies                        Enable session cookiejar
-      --user-agent string                  Set the user-agent to a specified string (default "rclone/v1.64.1")
+      --user-agent string                  Set the user-agent to a specified string (default "rclone/v1.64.2")
 ```
 
 

docs/layouts/partials/version.html

@@ -1 +1 @@
-v1.64.1
+v1.64.2

fs/versiontag.go

@@ -1,4 +1,4 @@
 package fs
 
 // VersionTag of rclone
-var VersionTag = "v1.64.1"
+var VersionTag = "v1.64.2"

fstest/test_all/config.yaml

@@ -10,6 +10,8 @@ tests:
  - path: vfs
  - path: cmd/serve/restic
    localonly: true
+ - path: cmd/selfupdate
+   localonly: true
 backends:
  # - backend:  "amazonclouddrive"
  #   remote:   "TestAmazonCloudDrive:"

rclone.1

@@ -1,7 +1,7 @@
 .\"t
 .\" Automatically generated by Pandoc 2.9.2.1
 .\"
-.TH "rclone" "1" "Oct 17, 2023" "User Manual" ""
+.TH "rclone" "1" "Oct 19, 2023" "User Manual" ""
 .hy
 .SH Rclone syncs your files to cloud storage
 .PP
@@ -22784,7 +22784,7 @@ General networking and HTTP stuff.
       --tpslimit float                     Limit HTTP transactions per second to this
       --tpslimit-burst int                 Max burst of transactions for --tpslimit (default 1)
       --use-cookies                        Enable session cookiejar
-      --user-agent string                  Set the user-agent to a specified string (default \[dq]rclone/v1.64.1\[dq])
+      --user-agent string                  Set the user-agent to a specified string (default \[dq]rclone/v1.64.2\[dq])
 \f[R]
 .fi
 .SS Performance
@@ -55374,6 +55374,18 @@ Options:
 .IP \[bu] 2
 \[dq]error\[dq]: return an error based on option value
 .SH Changelog
+.SS v1.64.2 - 2023-10-19
+.PP
+See commits (https://github.com/rclone/rclone/compare/v1.64.1...v1.64.2)
+.IP \[bu] 2
+Bug Fixes
+.RS 2
+.IP \[bu] 2
+selfupdate: Fix \[dq]invalid hashsum signature\[dq] error (Nick
+Craig-Wood)
+.IP \[bu] 2
+build: Fix docker build running out of space (Nick Craig-Wood)
+.RE
 .SS v1.64.1 - 2023-10-17
 .PP
 See commits (https://github.com/rclone/rclone/compare/v1.64.0...v1.64.1)