twpayne / chezmoi

Manage your dotfiles across multiple diverse machines, securely.
https://www.chezmoi.io/
MIT License

Verify hash-sum of externally downloaded file #2620

Closed FranklinYu closed 1 year ago

FranklinYu commented 1 year ago

Is your feature request related to a problem? Please describe.

This is about external files. I like pinning all my dependencies, but even if I specify a URL like

https://github.com/twpayne/chezmoi/releases/download/v2.27.3/chezmoi-2.27.3-riscv64.rpm

It’s still possible that the account gets compromised and a different file is uploaded with the same name.

Describe the solution you'd like

Add a string field called hash or checksum or whatever name; the value would be encoded hash-sum.

Algorithms in standard library: https://pkg.go.dev/crypto@go1.19.4#Hash

I’m thinking about Hex vs. Base64 encoding. Hex is easier to produce, but Base64 is shorter. Base64 can be achieved with OpenSSL CLI.

Describe alternatives you've considered

(Just not implement this feature?)

Additional context

N/A

halostatue commented 1 year ago

This shouldn’t be too hard to do, but I think that just having hash or checksum will be insufficient, as it may not be clear what algorithm to use. I think that instead we have a verify dictionary with multiple keys:

[".oh-my-zsh/custom/themes/powerlevel10k"]
    type = "archive"
    url = "https://github.com/romkatv/powerlevel10k/archive/v1.15.0.tar.gz"
    exact = true
    stripComponents = 1

[".oh-my-zsh/custom/themes/powerlevel10k".verify]
    size = 7501 # verify the number of bytes in the download
    sha256 = "deadbeef" # verify the sha256 of the download
    rmd160 = "decafbad" # verify the ripemd

Of the listed types, I think we should support SHA256, SHA384, SHA512, and RIPEMD160, as well as the code size. This could be extended in the future to support cosign signature validation (sort-of easy) and/or GPG key validation (harder) and/or some sort of external validation (custom = { expected = "d00dab1de5", command = "…", arguments = [ … ] }).

This would be sort of like what MacPorts does with its checksums field:

checksums           rmd160  4dd4e2e784b3fd79a1fd06b7e2430ad14ca0f061 \
                    sha256  242e8fe19a3cc8a55f422b424802fd7283e594fc8d3493cf9d9108811e4529a7 \
                    size    79418

twpayne commented 1 year ago

Good idea. Implemented in #2621.

twpayne commented 1 year ago

> I’m thinking about Hex vs. Base64 encoding. Hex is easier to produce, but Base64 is shorter. Base64 can be achieved with OpenSSL CLI.

I've used hex as that's the output used by all (?) command line tools like sha256sum etc.
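
One way the `verify` table proposed in this thread could be checked against downloaded bytes, using hex-encoded digests as discussed. This is an added example, not part of the thread and not the code from #2621; the `Verify` type and its field names are assumptions, and RIPEMD-160 is left out because its implementation is not in Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
)

// Verify mirrors the proposed "verify" table (assumed type, not chezmoi's own).
type Verify struct {
	Size                   int64  // expected byte count; 0 means not set
	SHA256, SHA384, SHA512 string // hex digests, as printed by sha256sum etc.
}

// Check returns nil only if every configured check matches data.
func (v Verify) Check(data []byte) error {
	if v.Size != 0 && int64(len(data)) != v.Size {
		return fmt.Errorf("size: got %d bytes, want %d", len(data), v.Size)
	}
	s256, s384, s512 := sha256.Sum256(data), sha512.Sum384(data), sha512.Sum512(data)
	for _, c := range []struct {
		name, want string
		got        []byte
	}{
		{"sha256", v.SHA256, s256[:]},
		{"sha384", v.SHA384, s384[:]},
		{"sha512", v.SHA512, s512[:]},
	} {
		if c.want == "" {
			continue // this digest was not pinned
		}
		// Compare decoded bytes: hex case is ignored, truncated values never match.
		want, err := hex.DecodeString(c.want)
		if err != nil {
			return fmt.Errorf("%s: expected value is not valid hex: %w", c.name, err)
		}
		if !bytes.Equal(want, c.got) {
			return fmt.Errorf("%s: got %x, want %s", c.name, c.got, c.want)
		}
	}
	return nil
}

func main() {
	v := Verify{Size: 3, SHA256: "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"}
	fmt.Println(v.Check([]byte("abc")), v.Check([]byte("abd"))) // constructed inputs
}
```

A short placeholder such as the `deadbeef` value in the TOML above fails this check, because the decoded bytes are compared at full digest length.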