trailofbits / pypi-attestations

A library to convert between Sigstore Bundles and PEP 740 Attestation objects
https://trailofbits.github.io/pypi-attestations
Apache License 2.0

`AttestationPayload.from_dist` should probably do SHA256 in a streaming fashion #13

Status: Closed (woodruffw closed this 4 months ago)

woodruffw commented 5 months ago

Distribution files can unfortunately be pretty large, so we should probably stream into SHA256 rather than the current `sha256(dist.read_bytes())`, since that'll buffer the whole thing in memory.

There should be a `sha256_streaming` helper within sigstore-python that we can reuse 🙂
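The two strategies the issue contrasts, as an added example that is not the project's or sigstore-python's own code: the buffered digest that materialises the whole distribution, beside a chunked digest whose peak memory is one chunk. The wheel file name and its bytes are constructed, and `sha256_streaming` here is a stand-in, not the sigstore-python helper the comment refers to.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # 1 MiB per read: memory stays constant however large the dist is


def sha256_buffered(dist: Path) -> str:
    """The pattern the issue objects to: the entire file is held in memory at once."""
    return hashlib.sha256(dist.read_bytes()).hexdigest()


def sha256_streaming(dist: Path, chunk_size: int = CHUNK_SIZE) -> str:
    """Feed SHA-256 one chunk at a time; only a single chunk is ever resident."""
    digest = hashlib.sha256()
    with dist.open("rb") as fh:
        # iter() with a b"" sentinel stops at EOF, where read() returns empty bytes
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_sample_dist(directory: Path, size: int) -> Path:
    """Constructed stand-in for a wheel: `size` bytes of a repeating 0x00..0xFF pattern."""
    dist = directory / "example-1.0.0-py3-none-any.whl"  # constructed name
    pattern = bytes(range(256))
    with dist.open("wb") as fh:
        remaining = size
        while remaining > 0:
            block = pattern[: min(remaining, len(pattern))]
            fh.write(block)
            remaining -= len(block)
    return dist


def sample_digests(size: int, chunk_size: int = CHUNK_SIZE) -> tuple[str, str]:
    """Return (streaming, buffered) digests of a constructed dist of `size` bytes.

    A chunk_size that does not divide `size` exercises the partial final read,
    which must not change the result.
    """
    with tempfile.TemporaryDirectory() as tmp:
        dist = write_sample_dist(Path(tmp), size)
        return sha256_streaming(dist, chunk_size), sha256_buffered(dist)


if __name__ == "__main__":
    streaming, buffered = sample_digests(3 * CHUNK_SIZE + 17)
    print("streaming == buffered:", streaming == buffered)
```

On Python 3.11+ the standard library offers the same thing as `hashlib.file_digest(fh, "sha256")`, which reads the open file in fixed-size blocks internally.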