Add shasum and mirrors to dist #1

Closed
2 tasks
tangrufus opened this issue May 27, 2019 · 4 comments · Fixed by #424
Comments

@tangrufus
Collaborator

tangrufus commented May 27, 2019

Summary

Add

  • shasum
  • mirrors

to dist.

Motivation

Why are we doing this? What use cases does it support? What is the expected outcome?

shasum - Until the wp core team actually signs releases, we should let composer verify zip file checksums.

mirrors - Redundancy.

Additional context

See: https://github.com/ItinerisLtd/wordpress-packager/blob/d56ca71f450349fb8e910e12be888cc392cc1aa1/src/ReleaseFactory.php#L53-L72

@LeoColomb
Collaborator

let composer verify zip file checksums

Are you sure Composer does verify shasum?
composer/composer#5940
composer/composer#2540

@tangrufus
Collaborator Author

tangrufus commented May 28, 2019

https://github.com/composer/composer/blob/d63bf33848f396c58c5e0de834cf15f9d7094b95/src/Composer/Downloader/FileDownloader.php#L181-L183

$ cat composer.json
{
    "repositories": {
        "0": {
            "type": "package",
            "package": [{
                "name": "cache-burst/invalid-shasum",
                "version": "5.2.1",
                "dist": {
                    "url": "https://wordpress.org/wordpress-5.2.1.zip",
                    "type": "zip",
                    "shasum": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
                }
            },
            {
                "name": "cache-burst/valid-shasum",
                "version": "5.2.1",
                "dist": {
                    "url": "https://wordpress.org/wordpress-5.2.1.zip",
                    "type": "zip",
                    "shasum": "e3762b86f6c2d3bdf840a52d854e3143ab25bc33"
                }
            }
            ]
        },
        "packagist": false
    }
}

$ composer --version
Composer version 1.8.5 2019-04-09 17:46:47

$ composer clearcache

$ composer require cache-burst/invalid-shasum
Using version ^5.2 for cache-burst/invalid-shasum
./composer.json has been updated
Loading composer repositories with package information
Updating dependencies (including require-dev)
    1/1:	https://wordpress.org/wordpress-5.2.1.zip
    Finished: success: 1, skipped: 0, failure: 0, total: 1
Package operations: 1 install, 0 updates, 0 removals
  - Installing cache-burst/invalid-shasum (5.2.1): Downloading (100%)
Installation failed, reverting ./composer.json to its original content.


  [UnexpectedValueException]
  The checksum verification of the file failed (downloaded from https://wordp
  ress.org/wordpress-5.2.1.zip)

$ composer require cache-burst/valid-shasum
Using version ^5.2 for cache-burst/valid-shasum
./composer.json has been updated
Loading composer repositories with package information
Updating dependencies (including require-dev)
    1/1:	https://wordpress.org/wordpress-5.2.1.zip
    Finished: success: 1, skipped: 0, failure: 0, total: 1
Package operations: 1 install, 0 updates, 0 removals
  - Installing cache-burst/valid-shasum (5.2.1): Loading from cache
Writing lock file
Generating autoload files

@LeoColomb
Collaborator

My bad, thanks! 😊

@austinpray austinpray self-assigned this May 28, 2019
@austinpray
Contributor

Yep let's do this! shasum is required for mirrors so we can ensure mirrors don't return slightly different packages.
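The two points made in this thread, that Composer refuses a dist archive whose SHA-1 differs from the declared shasum (the session above) and that a shasum is what makes mirrors safe to add (austinpray's comment), can be shown together in a small script. This is an added example, not code from this repository, from wordpress-packager or from Composer: it builds a package-repository entry whose dist carries both shasum and mirrors, then models the download-and-verify step against a constructed in-memory "network" where one mirror serves a different archive. The archive bytes, the mirror-a.example / mirror-b.example hosts and the fetch function are constructed for the example; the url/preferred shape of mirror entries is my reading of how Composer represents mirrors and is an assumption here, not something the thread states.

```python
import hashlib
import hmac
import json

# Constructed sample archive bytes. These stand in for a release zip; they are
# not real WordPress release bytes, and the hashes below are of these bytes only.
RELEASE_BYTES = b"PK\x03\x04 constructed stand-in for wordpress-5.2.1.zip"
TAMPERED_BYTES = b"PK\x03\x04 constructed stand-in served by a bad mirror"

# Constructed offline "network": URL -> bytes the server would return.
# mirror-a.example hands out a different archive than the canonical host.
CANONICAL_URL = "https://wordpress.org/wordpress-5.2.1.zip"
MIRROR_URLS = [
    "https://mirror-a.example/wordpress-5.2.1.zip",  # hypothetical host
    "https://mirror-b.example/wordpress-5.2.1.zip",  # hypothetical host
]
NETWORK = {
    CANONICAL_URL: RELEASE_BYTES,
    MIRROR_URLS[0]: TAMPERED_BYTES,
    MIRROR_URLS[1]: RELEASE_BYTES,
}


class ChecksumMismatch(Exception):
    """No candidate URL produced bytes matching dist.shasum."""


def sha1_hex(data: bytes) -> str:
    """Composer's dist.shasum is the hex SHA-1 of the archive bytes."""
    return hashlib.sha1(data).hexdigest()


def build_dist(name: str, version: str, url: str, mirrors: list, archive: bytes) -> dict:
    """Emit a package-repository entry whose dist carries shasum and mirrors.

    The shasum is computed from the archive fetched from the canonical URL,
    so a mirror can never influence the value it is later checked against.
    Mirror entries use a url/preferred shape (assumption about Composer's
    mirror format; no %package%-style placeholders are used here).
    """
    return {
        "name": name,
        "version": version,
        "dist": {
            "url": url,
            "type": "zip",
            "shasum": sha1_hex(archive),
            "mirrors": [{"url": m, "preferred": False} for m in mirrors],
        },
    }


def fetch_from(network: dict):
    """Return an offline fetch(url) that reads from the constructed table;
    a missing key models an unreachable host."""
    def fetch(url: str) -> bytes:
        if url not in network:
            raise ConnectionError(f"unreachable: {url}")
        return network[url]
    return fetch


def download_verified(dist: dict, fetch):
    """Try the canonical URL, then each mirror in order; return the first body
    whose SHA-1 equals dist.shasum, plus the list of (url, reason) rejected.

    The check is a strict equality against the declared shasum, so a mirror
    returning a "slightly different" archive is refused rather than installed.
    Raises ChecksumMismatch when no candidate matches.
    """
    expected = dist["shasum"]
    candidates = [dist["url"]] + [m["url"] for m in dist.get("mirrors", [])]
    rejected = []
    for url in candidates:
        try:
            body = fetch(url)
        except ConnectionError as exc:
            rejected.append((url, str(exc)))
            continue
        actual = sha1_hex(body)
        if hmac.compare_digest(actual, expected):
            return url, body, rejected
        rejected.append((url, f"checksum {actual} != {expected}"))
    raise ChecksumMismatch("; ".join(f"{u}: {why}" for u, why in rejected))


if __name__ == "__main__":
    pkg = build_dist("cache-burst/valid-shasum", "5.2.1",
                     CANONICAL_URL, MIRROR_URLS, RELEASE_BYTES)
    print(json.dumps(pkg, indent=2))
    # Canonical host down: mirror-a is rejected on checksum, mirror-b accepted.
    degraded = {k: v for k, v in NETWORK.items() if k != CANONICAL_URL}
    used, _, rejected = download_verified(pkg["dist"], fetch_from(degraded))
    print("served by", used, "after rejecting", [u for u, _ in rejected])
```

The design point is the ordering: the shasum is fixed from the canonical archive at packaging time and every mirror is measured against it, so adding mirrors widens availability without widening trust. Run the script directly to see the emitted dist block and the fallback path when the canonical host is unreachable.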
