Normalize the package hash to hex. #512

mattmoor · 2021-11-22T23:23:25Z

We were emitting package checksum hashes as h1:{base64}. h1: is a prefix that indicates "Hash 1", which is a SHA-256 based hash of the files, which is then base64 encoded as the suffix.

This change detects/strips the h1: prefix and re-encodes the base64 data as hex.

I also combined the two loops over .Deps since I noticed bom doing things in this order. 🤷

mattmoor · 2021-11-22T23:49:12Z

So it looks like for whatever reason locally I get:

dep	github.com/google/go-containerregistry	v0.7.0	h1:u0onUUOcyoCDHEiJoyR1R1gx5er1+r06V5DBhUU5ndk=

However, in CI we're seeing:

dep	github.com/google/go-containerregistry	v0.7.0

Not sure what's going on here, but seems like the Sum field should be considered optional in our SPDX conversion.

cc @imjasonh

We were emitting package checksum hashes as `h1:{base64}`. `h1:` is a prefix that indicates "Hash 1", which is a SHA-256 based hash of the files, which is then base64 encoded as the suffix. This change detects/strips the `h1:` prefix and re-encodes the base64 data as hex.

mattmoor · 2021-11-22T23:54:36Z

For now I've predicated the PackageChecksum on .Sum being present, but we should figure out if there's a way to ensure this comes out.

codecov-commenter · 2021-11-22T23:55:17Z

Codecov Report

Merging #512 (149252f) into main (3edb68b) will increase coverage by 0.09%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main     #512      +/-   ##
==========================================
+ Coverage   50.51%   50.60%   +0.09%     
==========================================
  Files          41       41              
  Lines        2051     2051              
==========================================
+ Hits         1036     1038       +2     
+ Misses        840      838       -2     
  Partials      175      175

Impacted Files	Coverage Δ
pkg/commands/resolver.go	`31.57% <100.00%> (+0.95%)`	⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3edb68b...149252f. Read the comment docs.

imjasonh

This is fine, but I agree the missing sum is confusing. Can we have kind-e2e.yaml also run go version -m directly to help debug?

mattmoor requested a review from imjasonh November 22, 2021 23:23

google-cla bot added the cla: yes label Nov 22, 2021

mattmoor force-pushed the convert-hash1-to-sha256 branch from 1d73d0a to 90dd316 Compare November 22, 2021 23:31

mattmoor force-pushed the convert-hash1-to-sha256 branch from 1ef43c9 to 90dd316 Compare November 22, 2021 23:50

mattmoor force-pushed the convert-hash1-to-sha256 branch from 90dd316 to 149252f Compare November 22, 2021 23:54

imjasonh approved these changes Nov 23, 2021

View reviewed changes

imjasonh merged commit 5787600 into ko-build:main Nov 23, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Normalize the package hash to hex. #512

Normalize the package hash to hex. #512

mattmoor commented Nov 22, 2021

mattmoor commented Nov 22, 2021

mattmoor commented Nov 22, 2021

codecov-commenter commented Nov 22, 2021

imjasonh left a comment

Normalize the package hash to hex. #512

Normalize the package hash to hex. #512

Conversation

mattmoor commented Nov 22, 2021

mattmoor commented Nov 22, 2021

mattmoor commented Nov 22, 2021

codecov-commenter commented Nov 22, 2021

Codecov Report

imjasonh left a comment

Choose a reason for hiding this comment