Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support checksum verification in registry #1183

Closed
NobodyXu opened this issue Jun 28, 2023 · 1 comment · Fixed by #1260
Closed

Support checksum verification in registry #1183

NobodyXu opened this issue Jun 28, 2023 · 1 comment · Fixed by #1260

Comments

@NobodyXu
Copy link
Member

All registries (https://crates.io , sparse, git) support sha256 checksum for the tarball of crate.
We can implement sha256 checksum in binstalk-downloader and use it in registry first, before doing it for pre-built binaries.
@NobodyXu NobodyXu mentioned this issue Aug 7, 2023
Open
3 tasks
@NobodyXu
Copy link
Member Author

NobodyXu commented Aug 8, 2023

cargo registry uses sha256 checksum:

    // A SHA256 checksum of the `.crate` file.
    "cksum": "d867001db0e2b6e0496f9fac96930e2d42233ecd3ca0413e0753d4c7695d289c",

NobodyXu added a commit that referenced this issue Aug 8, 2023
@NobodyXu
feat: Verify cksum of crate tarball from cargo registry
1d8343d 
Fixed #1183

Since the crate tarball could be downloaded from a different set of
servers than where the cargo registry is hosted, verifying the checksum
is necessary to verify its integrity.

Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
@NobodyXu NobodyXu mentioned this issue Aug 8, 2023
Merged
NobodyXu added a commit that referenced this issue Aug 8, 2023
@NobodyXu
feat: Verify cksum of crate tarball from cargo registry
466d3f0 
Fixed #1183

Since the crate tarball could be downloaded from a different set of
servers than where the cargo registry is hosted, verifying the checksum
is necessary to verify its integrity.

Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
NobodyXu added a commit that referenced this issue Aug 9, 2023
@NobodyXu
feat: Verify cksum of crate tarball from cargo registry
9f0c57d 
Fixed #1183

Since the crate tarball could be downloaded from a different set of
servers than where the cargo registry is hosted, verifying the checksum
is necessary to verify its integrity.

Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
NobodyXu added a commit that referenced this issue Aug 9, 2023
@NobodyXu
feat: Verify cksum of crate tarball from cargo registry
46f486b 
Fixed #1183

Since the crate tarball could be downloaded from a different set of
servers than where the cargo registry is hosted, verifying the checksum
is necessary to verify its integrity.

Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
NobodyXu added a commit that referenced this issue Aug 9, 2023
@NobodyXu
feat: Verify cksum of crate tarball from cargo registry
6d4c2c3 
Fixed #1183

Since the crate tarball could be downloaded from a different set of
servers than where the cargo registry is hosted, verifying the checksum
is necessary to verify its integrity.

Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
github-merge-queue bot pushed a commit that referenced this issue Aug 9, 2023
@NobodyXu
feat: Verify cksum of crate tarball from cargo registry (#1260)
3e80b12 
Fixed #1183

Since the crate tarball could be downloaded from a different set of
servers than where the cargo registry is hosted, verifying the checksum
is necessary to verify its integrity.

Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
This was referenced Aug 10, 2023
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: Verify cksum of crate tarball from cargo registry cargo-bins/cargo-binstall
1 participant
@NobodyXu