:stop_sign: adds pre-commit hook to protect against committing real binary to git
:detective: downloads .sha512 manifest and compares it with sha512 of downloaded archive
Demo: caching and verifying in action
First time downloads archive to the cache:
Downloading https://dist.ipfs.io/go-ipfs/v0.7.0/go-ipfs_v0.7.0_linux-amd64.tar.gz to /home/lidel/.cache/npm-go-ipfs
Downloaded https://dist.ipfs.io/go-ipfs/v0.7.0/go-ipfs_v0.7.0_linux-amd64.tar.gz
Downloading go-ipfs_v0.7.0_linux-amd64.tar.gz.sha512
Downloaded go-ipfs_v0.7.0_linux-amd64.tar.gz.sha512
Verifying go-ipfs_v0.7.0_linux-amd64.tar.gz.sha512
OK (1d5910f27e8d7ea333145f15c6edcbacc1e8db3a99365f0847467bdfa7c73f4d7a05562e46be8e932056c8324ed0769ca1b6758dfb0ac4c2e1b6066b57c4a086)
Unpacked /home/lidel/project/ipfs/npm-go-ipfs
Linking /home/lidel/project/ipfs/npm-go-ipfs/go-ipfs/ipfs to /home/lidel/project/ipfs/npm-go-ipfs/bin/ipfs
Second time reused archive from the cache:
https://dist.ipfs.io/go-ipfs/versions
Found /home/lidel/.cache/npm-go-ipfs/go-ipfs_v0.7.0_linux-amd64.tar.gz
Verifying go-ipfs_v0.7.0_linux-amd64.tar.gz.sha512
OK (1d5910f27e8d7ea333145f15c6edcbacc1e8db3a99365f0847467bdfa7c73f4d7a05562e46be8e932056c8324ed0769ca1b6758dfb0ac4c2e1b6066b57c4a086)
Unpacked /home/lidel/project/ipfs/npm-go-ipfs
Linking /home/lidel/project/ipfs/npm-go-ipfs/go-ipfs/ipfs to /home/lidel/project/ipfs/npm-go-ipfs/bin/ipfs
Note that SHA512 is compared on every run.
If a single bit was flipped, it will return an error:
Found /home/lidel/.cache/npm-go-ipfs/go-ipfs_v0.7.0_linux-amd64.tar.gz
Verifying go-ipfs_v0.7.0_linux-amd64.tar.gz.sha512
Expected SHA512: 2d5910f27e8d7ea333145f15c6edcbacc1e8db3a99365f0847467bdfa7c73f4d7a05562e46be8e932056c8324ed0769ca1b6758dfb0ac4c2e1b6066b57c4a086
Calculated SHA512: 1d5910f27e8d7ea333145f15c6edcbacc1e8db3a99365f0847467bdfa7c73f4d7a05562e46be8e932056c8324ed0769ca1b6758dfb0ac4c2e1b6066b57c4a086
Error: SHA512 of /home/lidel/.cache/npm-go-ipfs/go-ipfs_v0.7.0_linux-amd64.tar.gz' (1d5910f27e8d7ea333145f15c6edcbacc1e8db3a99365f0847467bdfa7c73f4d7a05562e46be8e932056c8324ed0769ca1b6758dfb0ac4c2e1b6066b57c4a086) does not match expected value from /home/lidel/.cache/npm-go-ipfs/go-ipfs_v0.7.0_linux-amd64.tar.gz.sha512 (2d5910f27e8d7ea333145f15c6edcbacc1e8db3a99365f0847467bdfa7c73f4d7a05562e46be8e932056c8324ed0769ca1b6758dfb0ac4c2e1b6066b57c4a086)
at cachingFetchAndVerify (/home/lidel/project/ipfs/npm-go-ipfs/src/download.js:67:11)
This PR saves us time on CI and gives more confidence that downloaded archive is valid:
node-fetch with got
electron, electron-builder and even our own aegir already do this type of caching for big third-party downloads
go-ipfs-dep (https://github.com/ipfs/npm-go-ipfs-dep/issues/45)
cc @andrew