Hashing and/or cryptographic verification?

[hendursaga]

While thinking over how to fix https://github.com/aartaka/nx-dark-reader/issues/2, I was wondering if, especially for remote-files, files could optionally be hashed and compared to (a) hard-coded value(s), like in SRI, or even cryptographically verified with, say, PGP? This could also be useful for a few other projects I've been mulling over.

[Ambrevar]

It's already implemented as checksum and check, isn't it?

[hendursaga]

@Ambrevar it partially solves the problem?? https://github.com/atlas-engineer/nfiles/blob/master/nfiles.lisp#L178 suggests there's no checksumming algorithms actually implemented. Perhaps that's by choice? I'm not sure how you'd do it with ASDF, but perhaps opt-in additions that would include solutions that would pull in additional dependencies or whatnot would work?

Plus there still doesn't appear to be any PGP signature verification, or other cryptographic tools like age, signify, etc.

[Ambrevar]

I've exposed the API, now it's relatively trivial to perform the checksum on the user side. If the user wishes to use Ironclad to perform a sha3 checksum, they can:

(defmethod check ((file remote-file))
  (let ((path (expand file))
  (ironclad:digest-file :sha3 path))))

I'm not aware of a PGP library for Common Lisp. However it's equally easy to invoke the gpg command line tool with uiop:run-program. Let me know if you want an example.

Are you suggesting something else?

[hendursaga]

it's equally easy to invoke the gpg command line tool

As a check method? That could work, sure.

I believe we can close this now.

[Ambrevar]

Maybe I should add some example to the documentation?

[hendursaga]

@Ambrevar the only bad documentation is stale or incorrect documentation :smile:

[Ambrevar]

I've added an example to the readme with a26cf2dd3b85e9dd0244feae6362422b5ab9bb61.

Thanks for asking!