Skip to content
Browse files

integrity: Add support for sha384

Fixes #5815
  • Loading branch information...
bep committed Apr 5, 2019
1 parent 1d9dde8 commit d1553b4b0f83e4a4305d2b4ab9ba6e305637f134
@@ -18,7 +18,7 @@ draft: false

Fingerprinting and [SRI]( can be applied to any asset file using `resources.Fingerpint` which takes two arguments, the resource object and a [hash function](

The default hash function is `sha256`. Other available functions are `sha512` and `md5`.
The default hash function is `sha256`. Other available functions are `sha384` (from Hugo `0.55`), `sha512` and `md5`.

Any so processed asset will bear a `.Data.Integrity` property containing an integrity string, which is made up of the name of the hash function, one hyphen and the base64-encoded hash sum.

@@ -19,11 +19,12 @@ import (


@@ -52,19 +53,10 @@ func (t *fingerprintTransformation) Key() resources.ResourceTransformationKey {
// Transform creates a MD5 hash of the Resource content and inserts that hash before
// the extension in the filename.
func (t *fingerprintTransformation) Transform(ctx *resources.ResourceTransformationCtx) error {
algo := t.algo

var h hash.Hash

switch algo {
case "md5":
h = md5.New()
case "sha256":
h = sha256.New()
case "sha512":
h = sha512.New()
return fmt.Errorf("unsupported crypto algo: %q, use either md5, sha256 or sha512", algo)
h, err := newHash(t.algo)
if err != nil {
return err

io.Copy(io.MultiWriter(h, ctx.To), ctx.From)
@@ -73,11 +65,26 @@ func (t *fingerprintTransformation) Transform(ctx *resources.ResourceTransformat
return err

ctx.Data["Integrity"] = integrity(algo, d)
ctx.Data["Integrity"] = integrity(t.algo, d)
ctx.AddOutPathIdentifier("." + hex.EncodeToString(d[:]))
return nil

func newHash(algo string) (hash.Hash, error) {
switch algo {
case "md5":
return md5.New(), nil
case "sha256":
return sha256.New(), nil
case "sha384":
return sha512.New384(), nil
case "sha512":
return sha512.New(), nil
return nil, errors.Errorf("unsupported crypto algo: %q, use either md5, sha256, sha384 or sha512", algo)

// Fingerprint applies fingerprinting of the given resource and hash algorithm.
// It defaults to sha256 if none given, and the options are md5, sha256 or sha512.
// The same algo is used for both the fingerprinting part (aka cache busting) and
@@ -0,0 +1,48 @@
// Copyright 2019 The Hugo Authors. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// See the License for the specific language governing permissions and
// limitations under the License.

package integrity

import (


func TestHashFromAlgo(t *testing.T) {

for _, algo := range []struct {
name string
bits int
{"md5", 128},
{"sha256", 256},
{"sha384", 384},
{"sha512", 512},
{"shaman", -1},
} {

t.Run(, func(t *testing.T) {
assert := require.New(t)
h, err := newHash(
if algo.bits > 0 {
assert.Equal(algo.bits/8, h.Size())
} else {
assert.Contains(err.Error(), "use either md5, sha256, sha384 or sha512")


0 comments on commit d1553b4

Please sign in to comment.
You can’t perform that action at this time.