Closed FranklinYu closed 1 year ago
This shouldn’t be too hard to do, but I think that just having hash
or checksum
will be insufficient, as it may not be clear what algorithm to use. I think that instead we have a verify
dictionary with multiple keys:
[".oh-my-zsh/custom/themes/powerlevel10k"]
type = "archive"
url = "https://github.com/romkatv/powerlevel10k/archive/v1.15.0.tar.gz"
exact = true
stripComponents = 1
[".oh-my-zsh/custom/themes/powerlevel10k".verify]
size = 7501 # verify the number of bytes in the download
sha256 = "deadbeef" # verify the sha256 of the download
rmd160 = "decafbad" # verify the ripemd
Of the listed types, I think we should support SHA256, SHA384, SHA512, and RIPEMD160, as well as the code size. This could be extended in the future to support cosign signature validation (sort-of easy) and/or GPG key validation (harder) and/or some sort of external validation (custom = { expected = "d00dab1de5", command = "…", arguments = [ … ] }
).
This would be sort of like what MacPorts does with its checksums field:
checksums rmd160 4dd4e2e784b3fd79a1fd06b7e2430ad14ca0f061 \
sha256 242e8fe19a3cc8a55f422b424802fd7283e594fc8d3493cf9d9108811e4529a7 \
size 79418
Good idea. Implemented in #2621.
I’m thinking about Hex v.s. Base64 encoding. Hex is easier to produce, but Base64 is shorter. Base64 can be achieved with OpenSSL CLI.
I've used hex as that's the output used by all (?) command line tools like sha256sum
etc.
Is your feature request related to a problem? Please describe.
This is about external files. I like pinning all my dependencies, but even if I specify a URL like
https://github.com/twpayne/chezmoi/releases/download/v2.27.3/chezmoi-2.27.3-riscv64.rpm
It’s still possible that the account get compromised and a different file is uploaded with the same name.
Describe the solution you'd like
Add a string field called
hash
orchecksum
or whatever name; the value would be encoded hash-sum.Algorithms in standard library: https://pkg.go.dev/crypto@go1.19.4#Hash
I’m thinking about Hex v.s. Base64 encoding. Hex is easier to produce, but Base64 is shorter. Base64 can be achieved with OpenSSL CLI.
Describe alternatives you've considered
(Just not implement this feature?)
Additional context
N/A