bazelbuild / bazel

a fast, scalable, multi-language and extensible build system
https://bazel.build
Apache License 2.0

Document recommendation for generating bzlmod integrity value #17124

Open keith opened 1 year ago

keith commented 1 year ago

Currently the documentation for the integrity field:

integrity: The Subresource Integrity checksum of the archive.

links to the spec of the subresource integrity format. I think ideally given the community has generally standardized on using sha256s of the archives, there should be a quick snippet recommendation folks can copy and paste to generate what they need. I guess that is something like:

openssl dgst -sha256 -binary ARCHIVE.tar.gz | openssl base64 -A | sed 's/^/sha256-/'

zachgrayio commented 1 year ago

Maybe now is a good time to discuss different guidance on this field so we don't put ourselves back into the situation that allowed a recent GitHub change to break all of our Bazel builds; should we discuss providing a standard CLI tool or script for hashing the files, not the archive, since that may change underneath us at any point if compression algorithms change, etc?

lbhdc commented 10 months ago

:wave: I ran into this error. I found this really confusing. After consulting the docs and not seeing any guidance, I searched around GitHub, but didn't find any actually using the integrity field.

I asked in Slack and was helpfully shown the blessed way to translate the sha sum Bazel provides (thread).

More documentation around this would be really helpful!
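An added example, not code from this thread or from the Bazel project, covering both the openssl one-liner in the opening post and the hex-to-SRI translation the comment above refers to. It computes the `sha256-<base64>` form directly from bytes or from a file on disk, converts a hex SHA-256 digest into that form, parses an SRI string back into hex, and verifies downloaded bytes against a pinned value. The function names, the regex and the sample inputs are mine; only SHA-256, SHA-384 and SHA-512 are accepted because those are the digests the SRI format defines.

```python
"""Compute, convert and verify Subresource Integrity (SRI) strings of the kind
used for the bzlmod `integrity` field.  Added example; function names are mine."""
import base64
import hashlib
import hmac
import re
import sys

# Digest algorithms the SRI format defines, with their raw digest sizes in bytes.
SRI_ALGOS = {"sha256": 32, "sha384": 48, "sha512": 64}
SRI_RE = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$")


def sri_from_bytes(data: bytes, algo: str = "sha256") -> str:
    """Same result as `openssl dgst -ALGO -binary | openssl base64 -A` plus the prefix."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_from_file(path: str, algo: str = "sha256", chunk: int = 1 << 20) -> str:
    """Stream a (possibly large) archive instead of reading it all into memory."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return f"{algo}-{base64.b64encode(h.digest()).decode('ascii')}"


def hex_to_sri(hex_digest: str, algo: str = "sha256") -> str:
    """Translate a hex digest (the form most tools print) into the base64 SRI form.
    Rejects digests whose length does not match the claimed algorithm."""
    raw = bytes.fromhex(hex_digest.strip())
    if algo not in SRI_ALGOS or len(raw) != SRI_ALGOS[algo]:
        raise ValueError(f"{len(raw)}-byte digest is not a valid {algo} digest")
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"


def sri_to_hex(sri: str) -> tuple[str, str]:
    """Parse an SRI string back into (algorithm, hex digest); strict about shape."""
    m = SRI_RE.match(sri)
    if not m:
        raise ValueError(f"malformed SRI string: {sri!r}")
    algo, b64 = m.groups()
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != SRI_ALGOS[algo]:
        raise ValueError(f"{algo} digest has wrong length {len(raw)}")
    return algo, raw.hex()


def verify(data: bytes, sri: str) -> bool:
    """Check fetched bytes against a pinned SRI value using a constant-time compare."""
    algo, want_hex = sri_to_hex(sri)
    got = hashlib.new(algo, data).digest()
    return hmac.compare_digest(got, bytes.fromhex(want_hex))


if __name__ == "__main__":
    # Hash a file named on the command line, or fall back to a constructed sample.
    if len(sys.argv) > 1:
        print(sri_from_file(sys.argv[1]))
    else:
        sample = b"constructed sample archive contents"  # constructed, not a real archive
        sri = sri_from_bytes(sample)
        print(sri)
        print(sri_to_hex(sri))
        print(verify(sample, sri), verify(sample + b"x", sri))
```

Run it as `python3 sri.py some_archive.tar.gz` to get the value to paste into the `integrity` field; the hex-to-base64 path is the same conversion the openssl pipeline performs, so both produce identical strings for the same archive bytes.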

blackliner commented 6 months ago

And who decided on using base64 encoded sha256 sums? What is the purpose of this? Why not just go for the plain sha256 like every other project on this world?

dws commented 2 months ago

When I went to bazel.build and used "subresource integrity format" in the search box, it found uses of this phrase, but no definitions...

realtimetodie commented 2 months ago

Why is Bazel using base64 encoded sha256 sums all of a sudden? This is not a format that is readable for humans.

AustinSchuhBRT commented 1 month ago

Thank you, this post saved me a bunch of time trying to track down how to do this. These are not easy to generate.