validate latest build of binary using releases' SHA512 checksum #24

@2bndy5

The releases that we download the binary from include a file that contains the SHA512 checksum calculated on the corresponding version of the tool. However, if there is a new release (which updates all builds of all versions), then it would be good to know if the installed binary executable needs to be updated.

I wrote a function to experiment with the releases' checksums that uses Python's std hashlib:

from pathlib import Path
import hashlib

def verify_sha512(checksum: str, exe: str) -> bool:
    """Verify the executable binary's SHA512 hash matches the valid checksum.
    
    :param checksum: The path to the downloaded file containing the SHA512 checksum.
    :param exe: The path to the binary executable that is to be verified.

    :returns: `True` if the ``exe`` hash matches the ``checksum`` given,
        otherwise `False`.
    """
    # The checksum file may hold the digest followed by a space and a file name;
    # keep only the leading hex digest (this also drops a trailing newline).
    tokens = Path(checksum).read_text(encoding="utf-8").split()
    if not tokens:
        return False  # empty checksum file
    # Decode the hex digest into raw bytes, in order.
    valid_hash = bytes.fromhex(tokens[0])
    bin_hash = hashlib.sha512(Path(exe).read_bytes()).digest()
    return valid_hash == bin_hash

This can be invoked using:

checksum_url = clang_tools_binary_url(tool_name, version).replace(".exe", "") + ".sha512sum"
checksum_file = download_file(checksum_url, f"{tool_name}-{version}.sha512sum")

# let `path_to_installed_exe` be declared elsewhere (depending on directory) assuming it exists.
is_valid = verify_sha512(checksum_file, path_to_installed_exe)
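A stricter variant of the same check, added here as an example and not code from the issue or the project: it rejects a malformed checksum file instead of comparing against garbage, hashes the binary in chunks, and treats a missing binary as needing an update. The names `parse_sha512sum`, `sha512_of_file`, `needs_update` and `demo` are hypothetical, the `<hex digest>  <file name>` layout is an assumption, and the sample files are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed checksum-file layout (sha512sum style): "<128 hex chars>  <file name>"
_DIGEST_RE = re.compile(r"^([0-9a-fA-F]{128})(?:\s+\*?(\S.*))?$")


def parse_sha512sum(text: str) -> bytes:
    """Return the raw digest from the first non-empty line, or raise ValueError."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = _DIGEST_RE.match(line)
        if match is None:
            raise ValueError("not a SHA512 checksum line")
        return bytes.fromhex(match.group(1))
    raise ValueError("checksum file is empty")


def sha512_of_file(path: Path, chunk_size: int = 1 << 20) -> bytes:
    """Hash the file in chunks so large binaries are not loaded into memory."""
    digest = hashlib.sha512()
    with path.open("rb") as stream:
        while chunk := stream.read(chunk_size):
            digest.update(chunk)
    return digest.digest()


def needs_update(checksum_file: Path, exe: Path) -> bool:
    """True when the installed binary is missing or differs from the release."""
    expected = parse_sha512sum(checksum_file.read_text(encoding="utf-8"))
    if not exe.is_file():
        return True
    return expected != sha512_of_file(exe)


def demo() -> tuple[bool, bool]:
    """Run the check on constructed sample files (not real release assets)."""
    with tempfile.TemporaryDirectory() as tmp:
        exe = Path(tmp, "clang-format-demo")
        exe.write_bytes(b"constructed sample binary, release N")
        sums = Path(tmp, "clang-format-demo.sha512sum")
        sums.write_text(f"{hashlib.sha512(exe.read_bytes()).hexdigest()}  {exe.name}\n", encoding="utf-8")
        fresh = needs_update(sums, exe)
        exe.write_bytes(b"constructed sample binary, older build")
        return fresh, needs_update(sums, exe)
```

A checksum fetched from the same release as the binary detects a stale or corrupted install, but it does not authenticate the release itself, since whoever can replace the binary there can replace the checksum too.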

Labels: enhancement (New feature or request)
