-
-
Notifications
You must be signed in to change notification settings - Fork 7.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nvm: support SHA256 instead of SHA1 #664
Conversation
Thanks for taking a crack at this! Not every version on http://nodejs.org/dist/ has If you want to change this PR to add |
elif nvm_has "shasum" && ! nvm_is_alias "shasum"; then | ||
NVM_CHECKSUM="$(shasum "$1" | command awk '{print $1}')" | ||
NVM_CHECKSUM="$(shasum -a 256 "$1" | command awk '{print $1}')" | ||
else | ||
echo "Unaliased sha1sum, sha1, or shasum not found." >&2 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ideally this error message will contain all of the options that would work.
No worries! I actually wrote about 100 lines up last night with a rather complicated fallback mechanism, where it'd pull both the
Fair point. I kinda hate dealing with the older versions of Node these days, but the point of your script is to offer up that free choice and I don't want to kneecap that capability.
This sounds like a great compromise. I'll work on that tweak now. Thanks! 😺 |
Pushed some changes. Let me know how it looks now :). |
elif nvm_has "shasum" && ! nvm_is_alias "shasum"; then | ||
NVM_CHECKSUM="$(shasum -a 256 "$1" | command awk '{print $1}')" | ||
else | ||
echo "Unaliased sha256sum, sha2sum, shasum, openssl, libressl or bssl not found." >&2 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oxford comma? :-D
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done 😉
Awesome, this looks great! I'll play around with it on a couple systems and convince myself it will work - in the meantime, could you add unit tests for |
Cool! Let me know if you run into any troubles with it and I'll try and find more ways of expanding SHA256 coverage 😀.
Sure. Will look at that now. |
Added the unit test for |
All my local testing looks good, but it looks like there's a test failure. |
Still looks like there's a failure - you should be able to do |
Yeah, the failure is strange. If I run the test suite locally I still get the failure, but having checked the |
Still not quite to the bottom of that one failing test. It should be passing, If I run the commands manually I get everything back I expected to, but running the automatic tests results in the failure. Still working on debugging it, I remain hopeful for a positive soon 😸 |
Tested on 3 different machines, 3 different OS', and everything works fine aside that one test element. The SHA checksum is the same on every OS (as it should be), so I'm not quite sure what's going on. Will keep working on the test. It'll pass eventually, hopefully. |
nvm_checksum_256() { | ||
local NVM_CHECKSUM | ||
|
||
if nvm_has "sha256sum" && ! nvm_is_alias "sha256sum"; then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would some debug output be helpful here to indicate which of these many branches is being run on travis? Specifically, which sha command is being used?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, might help narrow it down a bit. Theoretically, if Travis is running Linux it should be using sha256sum
, unless they've done something unusual with their build boxes.
I tweaked the test to include the readout of the SHA256 sum, with an added Test:
Result:
So the checksum is actually matching the expected checksum, but we're still seeing the failure. Working on getting it to cough out the tool it's using to gain the checksum next. |
@DomT4 Any chance there's leading or trailing whitespace on one of the checksum values in the comparison? |
@ljharb It's possible. I'll play with this some more this evening and see if I can shake some more information on the failure out. I'll also try running the commands to an external file and see if it pumps in any unexpected whitespacing. |
I've kept working on this, but no dice so far. I changed the |
I've pushed some of the debugging stuff up here so Travis can take a run at it. See if Travis feels any less grumpy than my local machines 😸 |
This is what I see in actual usage with the new debug pointers included:
Which matches the SHA256SUM for Darwin here. More debug detail:
|
Supports iojs and hopefully later, Node. Should supports at least Ubuntu, Debian, Linux Mint, Arch Linux, Gentoo, OpenBSD, FreeBSD, CentOS, OS X and Cygwin. There's a whole range of fallbacks there, from the regular shasums to BSD & OS X's more centralised one `shasum` which does everything and then has fallbacks on 4 of the more popular/new/shiny SSL tools in PolarSSL, OpenSSL, LibreSSL and BoringSSL.
ah ha, so it looks like there's a leading newline perhaps? It should be trivial to use |
@DomT4 Have you had time to make any progress on this PR? |
@ljharb Hey Jordan. Yeah I keep looking at it every now and again. It got stuck behind a mountain of university work which is why the delay has occurred. Hoping to have that delay finally cleared by the start of next week and then I'll have more time free. I'm still not quite sure what the failure is, I've tried every whitespace-stripping method I know, including I think my next move will be to deliberately set up an extremely temporary fake mirror of Node and untar the tarball, touch a pointless document, retar it and upload it to the mirror, and then switch the download to that mirror. That way I know the checksum should fail, and if it does it should give me a better idea whether the broken code is in verification or testing. I'm fairly sure the error is coming out of testing, but it's a bit of a head-scratcher as to why or which little element is going awry and causing breakage. |
Thanks for the update, that all makes sense :-) |
This is an acknowledged partial implementation: to finalize it I'm waiting for nvm-sh#664 to be merged. All comments are welcome still. It's partial because it's only done for Node.js recent archives. But it may still be useful. At least it works for me :-)
This is an acknowledged partial implementation: to finalize it I'm waiting for nvm-sh#664 to be merged. All comments are welcome still. It's partial because it's only done for Node.js recent archives. But it may still be useful. At least it works for me :-)
@DomT4 ping! any chance you can take another look at this? |
Yikes, I hadn't even realised this has been sitting since the start of April, massively sorry. Will take a peek at it tonight. I think I'm going to tear this back to basics and then work up from a small starting point, rather than trying to make all the possible options work at the same time. Hopefully doing so will help narrow down why the test kept failing, which was the sticking point previously. |
Even in a rebased, extremely stripped down version of this PR we're still hitting identical test failures, hmm. |
I've tried a few times locally over the last couple weeks, but I can't get the tests to pass and I'm kind of at a loss as to why. The checksums matched the expected checksums of downloaded tarballs during verbose script output, but nonetheless the test is dying. I'm going to close this one out on the basis that I'm unable to resolve the testing failure and that's a fatal holdup on the PR (wholly understandably). I'll keep looking at it locally if I can, but at this point I'm lost and want to leave the door open for other people to work on this if they want to. Having an open PR for an issue tends to discourage others from wanting to work on it, from experience. Apologies for my failure on making the test work here Jordan. It's a disappointment on my part and generally a sad thing to not be able to contribute to a really useful tool. Thanks for your patience over the last way too many months. |
No worries - please feel free to reopen it if you ever figure it out! |
This commit adds (optional) support for additional sha256 checksum utilities for newer versions of node.js and io.js that use sha256 checksums rather than sha1. If nothing is found to do a sha256 checksum on the client machine, a warning is printed and things continue on as normal. Following comments from @ljharb on incorporating some of @DomT4's PR nvm-sh#664, and making this checksum optional. If I could I would gladly include this as an addon to the now closed PR nvm-sh#664. I am choosing not to file it onto that PR because it's closed and (currently) significantly behind the master branch. @DomT4 did the hard work of actually finding all the different ways in which one could verify a sha256 checksum, I've just included those here in an effort to move forward with sha256 checksum support.
This commit adds (optional) support for additional sha256 checksum utilities for newer versions of node.js and io.js that use sha256 checksums rather than sha1. If nothing is found to do a sha256 checksum on the client machine, a warning is printed and things continue on as normal. Following comments from @ljharb on incorporating some of @DomT4's PR nvm-sh#664, and making this checksum optional. If I could I would gladly include this as an addon to the now closed PR nvm-sh#664. I am choosing not to file it onto that PR because it's closed and (currently) significantly behind the master branch. @DomT4 did the hard work of actually finding all the different ways in which one could verify a sha256 checksum, I've just included those here in an effort to move forward with sha256 checksum support.
This commit adds (optional) support for additional sha256 checksum utilities for newer versions of node.js and io.js that use sha256 checksums rather than sha1. If nothing is found to do a sha256 checksum on the client machine, a warning is printed and things continue on as normal. Following comments from @ljharb on incorporating some of @DomT4's PR nvm-sh#664, and making this checksum optional. If I could I would gladly include this as an addon to the now closed PR nvm-sh#664. I am choosing not to file it onto that PR because it's closed and (currently) significantly behind the master branch. @DomT4 did the hard work of actually finding all the different ways in which one could verify a sha256 checksum, I've just included those here in an effort to move forward with sha256 checksum support.
This commit adds (optional) support for additional sha256 checksum utilities for newer versions of node.js and io.js that use sha256 checksums rather than sha1. If nothing is found to do a sha256 checksum on the client machine, a warning is printed and things continue on as normal. Following comments from @ljharb on incorporating some of @DomT4's PR nvm-sh#664, and making this checksum optional. If I could I would gladly include this as an addon to the now closed PR nvm-sh#664. I am choosing not to file it onto that PR because it's closed and (currently) significantly behind the master branch. @DomT4 did the hard work of actually finding all the different ways in which one could verify a sha256 checksum, I've just included those here in an effort to move forward with sha256 checksum support.
This commit adds (optional) support for additional sha256 checksum utilities for newer versions of node.js and io.js that use sha256 checksums rather than sha1. If nothing is found to do a sha256 checksum on the client machine, a warning is printed and things continue on as normal. Following comments from @ljharb on incorporating some of @DomT4's PR nvm-sh#664, and making this checksum optional. If I could I would gladly include this as an addon to the now closed PR nvm-sh#664. I am choosing not to file it onto that PR because it's closed and (currently) significantly behind the master branch. @DomT4 did the hard work of actually finding all the different ways in which one could verify a sha256 checksum, I've just included those here in an effort to move forward with sha256 checksum support.
This commit adds (optional) support for additional sha256 checksum utilities for newer versions of node.js and io.js that use sha256 checksums rather than sha1. If nothing is found to do a sha256 checksum on the client machine, a warning is printed and things continue on as normal. Following comments from @ljharb on incorporating some of @DomT4's PR nvm-sh#664, and making this checksum optional. If I could I would gladly include this as an addon to the now closed PR nvm-sh#664. I am choosing not to file it onto that PR because it's closed and (currently) significantly behind the master branch. @DomT4 did the hard work of actually finding all the different ways in which one could verify a sha256 checksum, I've just included those here in an effort to move forward with sha256 checksum support.
Supports iojs and Node SHA256 checksumming instead of SHA1 for Node and nothing for
iojs
. Should support at least Ubuntu, Debian, Linux Mint, Arch Linux, Gentoo, OpenBSD, FreeBSD, CentOS, OS X and Cygwin.There's a whole range of fallbacks there, from the regular shasums to BSD & OS X's more centralised one
shasum
which does everything and then has fallbacks on 4 of the more popular/new/shiny SSL tools in PolarSSL, OpenSSL, LibreSSL and BoringSSL.I know there were concerns about this sort of thing previously because of some systems lacking SHA256, but the introduction of the SSL Toolkits as backups should mitigate that quite a bit. I tested the OpenSSL branch way back to OpenSSL 0.9.8e and found that to support the method used here. OpenBSD is trying to kill off OpenSSL on their system slowly, so LibreSSL as well as the
shasum
BSD utility should cover those.