From d8ed3b282306b0beb3c96acbb9c91845a6d64978 Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Mon, 13 May 2024 14:34:23 -0400
Subject: [PATCH 1/3] impl: stream into sha256

Signed-off-by: William Woodruff
---
 src/pypi_attestation_models/_impl.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/pypi_attestation_models/_impl.py b/src/pypi_attestation_models/_impl.py
index b0b5316..019d284 100644
--- a/src/pypi_attestation_models/_impl.py
+++ b/src/pypi_attestation_models/_impl.py
@@ -7,7 +7,6 @@
 import binascii
 from base64 import b64decode, b64encode
-from hashlib import sha256
 from typing import TYPE_CHECKING, Annotated, Any, Literal, NewType
 import rfc8785
@@ -17,6 +16,7 @@
 from cryptography.hazmat.primitives import serialization
 from pydantic import BaseModel
 from pydantic_core import ValidationError
+from sigstore._utils import _sha256_streaming
 from sigstore.models import Bundle, LogEntry
 if TYPE_CHECKING:
@@ -116,9 +116,12 @@ class AttestationPayload(BaseModel):
 @classmethod
 def from_dist(cls, dist: Path) -> AttestationPayload:
 """Create an `AttestationPayload` from a distribution file."""
+ with dist.open(mode="rb", buffering=0) as io:
+ digest = _sha256_streaming(io).hex()
+
 return AttestationPayload(
 distribution=dist.name,
- digest=sha256(dist.read_bytes()).hexdigest(),
+ digest=digest,
 )
 def sign(self, signer: Signer) -> Attestation:

From ebb7f9f7d6732782043ffd71d1754191b9f2bb00 Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Mon, 13 May 2024 14:40:20 -0400
Subject: [PATCH 2/3] test_impl: add a JSON loads test

Signed-off-by: William Woodruff
---
 test/test_impl.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/test/test_impl.py b/test/test_impl.py
index f69d639..5fc34bc 100644
--- a/test/test_impl.py
+++ b/test/test_impl.py
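Review bot: `from sigstore._utils import _sha256_streaming` ties the computation of the attestation subject digest to a private, underscore-prefixed module of sigstore-python, which can be renamed or removed in any release without a deprecation cycle; a public package should not depend on it for a security-critical value. Unless this project pins sigstore to an exact version (not visible in this patch), a chunked SHA-256 helper over `hashlib` is a few lines and lets the first hunk keep `from hashlib import sha256` instead of dropping it. The helper below is a constructed sketch: `BinaryIO` would join the existing `typing` import on the new side, and the 64 KiB chunk size is an example value, not taken from the page. The third hunk's `.hex()` call shows the caller expects raw digest bytes, which the sketch returns.
```python
def _sha256_streaming(stream: BinaryIO) -> bytes:
    """Return the raw SHA-256 digest of *stream*, read in fixed-size chunks."""
    hasher = sha256()
    # Chunked reads keep memory flat regardless of the distribution's size.
    while chunk := stream.read(65536):
        hasher.update(chunk)
    return hasher.digest()
```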
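Review bot: The context-manager target in `with dist.open(mode="rb", buffering=0) as io:` shadows the standard-library module name `io` inside `from_dist`, which is confusing in a module that handles byte streams and would silently hide any later `import io`; a plain file-handle name reads better: `with dist.open(mode="rb", buffering=0) as fp:` and `digest = _sha256_streaming(fp).hex()`. `buffering=0` hands the helper an unbuffered raw file object, which is only efficient if the helper itself reads in large fixed-size chunks; that cannot be confirmed from this hunk since the helper lives in another package. The hunk ends on the `def sign` signature, whose body lies outside it.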
@@ -160,3 +160,4 @@ def test_attestation_payload(self) -> None:
 expected = f'{{"digest":"{payload.digest}","distribution":"{payload.distribution}"}}'
 assert bytes(payload) == bytes(expected, "utf-8")
+ assert json.loads(bytes(payload)) == json.loads(expected)

From f8eee84dd84ae0d7c17fbf9539531e193e036b26 Mon Sep 17 00:00:00 2001
From: Facundo Tuesca
Date: Tue, 14 May 2024 15:13:48 +0200
Subject: [PATCH 3/3] fixup! impl: stream into sha256

---
 src/pypi_attestation_models/_impl.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/pypi_attestation_models/_impl.py b/src/pypi_attestation_models/_impl.py
index 019d284..690ef64 100644
--- a/src/pypi_attestation_models/_impl.py
+++ b/src/pypi_attestation_models/_impl.py
@@ -117,6 +117,8 @@ class AttestationPayload(BaseModel):
 def from_dist(cls, dist: Path) -> AttestationPayload:
 """Create an `AttestationPayload` from a distribution file."""
 with dist.open(mode="rb", buffering=0) as io:
+ # Replace this with `hashlib.file_digest()` once
+ # our minimum supported Python is >=3.11
 digest = _sha256_streaming(io).hex()
 return AttestationPayload(
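Review bot: The added `assert json.loads(bytes(payload)) == json.loads(expected)` is implied by the assertion directly above it: once `bytes(payload) == bytes(expected, "utf-8")` holds, parsing both sides must yield equal objects, so the new line can never fail on its own. A check that adds information compares the decoded payload with a dict built independently of the f-string, e.g. `assert json.loads(bytes(payload)) == {"digest": payload.digest, "distribution": payload.distribution}`, which also pins the key names the canonical encoding must produce. The hunk shows no `import json` and the diffstat records only this one insertion, so the import must already exist at the top of test_impl.py; worth confirming. `test_attestation_payload` begins outside the hunk.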
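Review bot: The new comment describes a deferred change but is not marked as one, so it will not show up in a TODO sweep, and it omits the call it has in mind; `# TODO: use hashlib.file_digest(io, "sha256") once the minimum supported Python is >= 3.11` keeps the intent on one line and names the replacement. `hashlib.file_digest` accepts the raw file object this `with` block already opens, so no other change is needed when that day comes. `from_dist` starts above the hunk (its `@classmethod` decorator is not shown) and its closing `)` is below it.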