Snapcraft should allow the user to verify downloaded files with a checksum

Bug #1585913 reported by Simon Fels on 2016-05-26
This bug affects 4 people
Affects: Snapcraft
Importance: Wishlist
Assigned to: Marc Peña

Bug Description

Right now we can't verify that the downloaded tarball is exactly what we expect. Snapcraft should have a simple field

source-checksum: <sha256/sha512>

and verify that the checksum of the downloaded file matches.

Changed in snapcraft:
status: New → Triaged
milestone: none → 2.11
Changed in snapcraft:
milestone: 2.12 → 2.13
Simon Quigley (tsimonq2) on 2016-06-28
Changed in snapcraft:
status: Triaged → In Progress
assignee: nobody → Simon Quigley (tsimonq2)
Changed in snapcraft:
importance: Undecided → Wishlist
Simon Quigley (tsimonq2) on 2016-06-30
summary: - Snapcraft should allow to verify downloaded files with a sha checksum
+ Snapcraft should allow the user to verify downloaded files with a
+ checksum

Good catch, with the checksum in the part definition :)

SHA3-384 only please, but make it alg/digest so we have future flex.

  source: http://path.to/foo.tgz
  digest: sha3-384/dXPffNKalMcZq8O7t0At0z/sAscPPRMfUS2s3RPvFqrNwqY5ihZQWLH577C2TdZf

Mark

Simon Quigley (tsimonq2) wrote :

Mark, so are you saying that *only* SHA3-384 should be supported? If so, why not more formats?

Also, currently my code supports this through the source-checksum tag:
 - Raw md5, sha256, and sha512 checksums (support for more formats in progress)
 - Location of a file that has a supported checksum format
 - A URL for a file that has a supported checksum format

Are you suggesting that instead of going through source-checksum, that I use digest instead?

I'm just curious what you are getting at, Mark.

Changed in snapcraft:
milestone: 2.13 → 2.14
Changed in snapcraft:
milestone: 2.14 → 2.15
Changed in snapcraft:
milestone: 2.15 → none
Mark Shuttleworth (sabdfl) wrote :

I think you want to be explicit about which algorithm you are providing, and you want to use sha3-384 in your examples and by convention.

Marc Peña (pachulo) wrote :

I've tried to implement a solution for this, based on the work done by tsimonq2.

The implementation still autodetects the length of the digest, but now is specific about the algorithm. For example:
source-checksum: sha2/035ae7da4bd0ff39960466353e0810f51d17193a13e8b75e767391820aed484c
source-checksum: sha1/30fdfacb19b557a762932c5a3a867cdc698e447f

SHA3 support is commented out, as it is not yet implemented in Python 3.5 hashlib; it will be in Python 3.6: https://docs.python.org/3.6/whatsnew/3.6.html#hashlib

Changed in snapcraft:
assignee: Simon Quigley (tsimonq2) → Marc Peña (pachulo)
Kyle Fazzari (kyrofa) on 2017-03-08
Changed in snapcraft:
status: In Progress → Fix Committed
Changed in snapcraft:
status: Fix Committed → Fix Released
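
The check this report asks for, as an added example (it is not the code from the snapcraft branches discussed above): a download is verified against an explicit `algorithm/digest` value, and anything without a recognised algorithm name or with the wrong digest length is rejected instead of being guessed at. The names `parse_checksum`, `verify_stream`, `ChecksumError` and `demo`, the allow-list, and the hex digest encoding are assumptions of this example.

```python
import hashlib
import hmac
import io

# Allow-list chosen for this example; each name implies one fixed digest size.
ALGORITHMS = {
    "sha256": hashlib.sha256,
    "sha512": hashlib.sha512,
    "sha3-384": hashlib.sha3_384,  # hashlib gained SHA-3 in Python 3.6
}

class ChecksumError(Exception):
    """Raised for a malformed checksum value or a digest mismatch."""

def parse_checksum(spec):
    """Split '<algorithm>/<hex digest>' and validate both halves."""
    algorithm, sep, digest = spec.strip().partition("/")
    if not sep or algorithm not in ALGORITHMS:
        raise ChecksumError("missing or unsupported algorithm in %r" % spec)
    digest = digest.lower()
    hex_len = ALGORITHMS[algorithm]().digest_size * 2
    if len(digest) != hex_len or set(digest) - set("0123456789abcdef"):
        raise ChecksumError("malformed %s digest" % algorithm)
    return algorithm, digest

def verify_stream(stream, spec, chunk_size=64 * 1024):
    """Hash a binary stream in chunks; return the digest or raise."""
    algorithm, expected = parse_checksum(spec)
    hasher = ALGORITHMS[algorithm]()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        hasher.update(chunk)
    actual = hasher.hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise ChecksumError("%s mismatch: got %s" % (algorithm, actual))
    return actual

def demo():
    """Check a constructed sample payload, then a tampered copy of it."""
    data = b"constructed sample tarball bytes\n"
    spec = "sha3-384/" + hashlib.sha3_384(data).hexdigest()
    results = []
    for content in (data, data + b"tampered"):
        try:
            results.append(bool(verify_stream(io.BytesIO(content), spec)))
        except ChecksumError:
            results.append(False)
    return results
```

For a file on disk, pass the object returned by `open(path, "rb")` as `stream`.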