Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add support for hash checking #133

Merged
merged 5 commits into from
Jul 8, 2022
Merged

feat: add support for hash checking #133

merged 5 commits into from
Jul 8, 2022

Conversation

aduh95
Copy link
Contributor

@aduh95 aduh95 commented Jun 24, 2022

$ corepack [email protected]+sha256.deadbeef
Internal Error: Mismatch hashes. Expected deadbeef, got 4e66b50e036d75c28ccd3fb96350bf3901b0a88e4f561da6c2ad5109552a7380
    at IncomingMessage.<anonymous> (/Users/duhamean/Documents/corepack/dist/corepack.js:15884:24)
    at IncomingMessage.emit (node:events:549:35)
    at endReadableNT (node:internal/streams/readable:1359:12)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21)

I'm not sure it's how we want to do it, according to semver.org, we could use build suffix to the version number (e.g. [email protected]+hash), that would force us to pick a hashing algorithm (which is not a problem in itself, but could create issues in the future if it becomes outdated).

EDIT: with a new version we're now using semver compatible suffix for the hash.

Fixes: #37

@merceyz
Copy link
Member

merceyz commented Jun 24, 2022

that would force us to pick a hashing algorithm

Not necessarily, you can include the algorithm in the build metadata as well.

[email protected]+sha512.hash

@aduh95
Copy link
Contributor Author

aduh95 commented Jun 24, 2022

that would force us to pick a hashing algorithm

Not necessarily, you can include the algorithm in the build metadata as well.

[email protected]+sha512.hash

Ah yes, that’s right – IIUC dot is not a valid character, but we could use a dash (unless there are algorithms using a dash in their name?) EDIT: dot is actually valid, and probably what makes the most sense for our use case.

@merceyz
Copy link
Member

merceyz commented Jun 24, 2022

A dot is perfectly valid, see the examples in https://regex101.com/r/vkijKf/1/ from https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string

@aduh95 aduh95 marked this pull request as ready for review June 25, 2022 16:49
Copy link
Contributor

@arcanis arcanis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Quite elegant solution 👍

sources/httpUtils.ts Outdated Show resolved Hide resolved
@aduh95
Copy link
Contributor Author

aduh95 commented Jun 27, 2022

I just realised I'm checking the hash of the JSON metadata instead of the tarball 🤦‍♂️ Converting to draft for now.

@aduh95 aduh95 marked this pull request as draft June 27, 2022 21:45
@aduh95 aduh95 marked this pull request as ready for review June 29, 2022 13:44
@aduh95 aduh95 requested a review from arcanis June 29, 2022 13:47
sources/Engine.ts Outdated Show resolved Hide resolved
sources/Engine.ts Outdated Show resolved Hide resolved
const testedPackageManagers: Array<[string, string]> = [
[`yarn`, `1.22.4`],
[`yarn`, `1.22.4+md5.faf483d50aa8ccbdc802efa0cac5d4d3`],
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: we don't test sha1, which is what #137 uses

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense, I've switched to SHA1 and SHA224 in the tests as those are more credible options for hash algorithms.

aduh95 added a commit that referenced this pull request Jul 8, 2022
@aduh95 aduh95 merged commit 6a480a7 into main Jul 8, 2022
@aduh95 aduh95 deleted the hash-checking branch July 8, 2022 22:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Allow checking hashes for exact versions, and check them for default versions
3 participants