tools: verify with gpg if md5 is not present in update-icu

[islandryu]

Fix: #50498

The problem may be that md5 is not present in the icu, but even in such a case, I used .asc to pass the validation.

If the absence of md5 is clearly an icu issue, this PR will be closed.

[nodejs-github-bot]

Review requested:

• @nodejs/security-wg

[islandryu]

I don't know myself if the key is correct at this URL.

[targos]

We need to decide what to do with https://github.com/nodejs/node/blob/main/tools/icu/current_ver.dep if we can't use md5 anymore (I don't know what's the purpose of that file)

[richardlau]

We need to decide what to do with https://github.com/nodejs/node/blob/main/tools/icu/current_ver.dep if we can't use md5 anymore (I don't know what's the purpose of that file)

It's used to validate ICU downloads if configure is run with --with-icu-source with a URL.

node/BUILDING.md

Lines 778 to 782 in a037b88

	From a tarball URL:
	```bash
	./configure --with-intl=full-icu --with-icu-source=http://url/to/icu.tgz
	```

node/configure.py

Lines 1646 to 1679 in a037b88

	def configure_intl(o):
	def icu_download(path):
	depFile = tools_path / 'icu' / 'current_ver.dep'
	icus = json.loads(depFile.read_text(encoding='utf-8'))
	# download ICU, if needed
	if not os.access(options.download_path, os.W_OK):
	error('''Cannot write to desired download path.
	Either create it or verify permissions.''')
	attemptdownload = nodedownload.candownload(auto_downloads, "icu")
	for icu in icus:
	url = icu['url']
	(expectHash, hashAlgo, allAlgos) = nodedownload.findHash(icu)
	if not expectHash:
	error(f'''Could not find a hash to verify ICU download.
	{depFile} may be incorrect.
	For the entry {url},
	Expected one of these keys: {' '.join(allAlgos)}''')
	local = url.split('/')[-1]
	targetfile = Path(options.download_path, local)
	if not targetfile.is_file():
	if attemptdownload:
	nodedownload.retrievefile(url, targetfile)
	else:
	print(f'Re-using existing {targetfile}')
	if targetfile.is_file():
	print(f'Checking file integrity with {hashAlgo}:\r')
	gotHash = nodedownload.checkHash(targetfile, hashAlgo)
	print(f'{hashAlgo}: {gotHash} {targetfile}')
	if expectHash == gotHash:
	return targetfile
	warn(f'Expected: {expectHash} *MISMATCH*')
	warn(f'\n ** Corrupted ZIP? Delete {targetfile} to retry download.\n')
	return None

[islandryu]

It's used to validate ICU downloads if configure is run with --with-icu-source with a URL.

If we're going to verify it based on .asc, we're going to need a dedicated process at the point you indicated.

I think it would be good to save the public key and signature information in current_ver.dep or a separate file and verify it as well as md5.

[islandryu]

gpg verification of modification based on url stored in current_ver.dep

[bnoordhuis]

cc @srl295 in case you missed this pull request

[srl295]

cc @srl295 in case you missed this pull request

I missed it, but it's fixed upstream

[srl295]

makes sense

[islandryu]

conflict resolved
and changed writing of current_ver.dep to be done after icu file change

[aduh95]

This needs a rebase.

[islandryu]

The rebase is done.

[srl295]

If gpg isn't installed AND the md5 is present, then the md5 should be used.

https://unicode-org.atlassian.net/jira/software/c/projects/ICU/issues/ICU-22567 was a bug and not a new direction for ICU.

I would suggest a logic change here:

• if the md5 signature is available, verify it.
• if gpg is installed AND the signature is available, verify it.

Warn if neither are available.
Warn if gpg wasn't installed (that is, could not verify provenance.)

[srl295]

Should this also verify that gpg is present and installed?

[islandryu]

@srl295

Changed to check both gpg and md5.

• Only warn when md5 cannot be obtained.
• Only warn if gpg signature cannot be obtained or gpg is not installed
• If neither is available, warn and no update.
• If either fails verification, warn out and no update

[srl295]

Absence of md5 is an ICU issue and was fixed, However verifying with gpg is not a bad idea.