Snapcraft should allow the user to verify downloaded files with a checksum

Bug #1585913 reported by Simon Fels
This bug affects 4 people
Affects: Snapcraft
Status: Fix Released
Importance: Wishlist
Assigned to: Marc Peña
Milestone: none

Bug Description

Right now we can't verify that the downloaded tarball is exactly what we expect. Snapcraft should have a simple field

source-checksum: <sha256/sha512>

and verify that the checksum of the downloaded file matches.

Changed in snapcraft:
status: New → Triaged
milestone: none → 2.11
Changed in snapcraft:
milestone: 2.12 → 2.13
Simon Quigley (tsimonq2)
Changed in snapcraft:
status: Triaged → In Progress
assignee: nobody → Simon Quigley (tsimonq2)
Changed in snapcraft:
importance: Undecided → Wishlist
Simon Quigley (tsimonq2)
summary: - Snapcraft should allow to verify downloaded files with a sha checksum
+ Snapcraft should allow the user to verify downloaded files with a
+ checksum
Mark Shuttleworth (sabdfl) wrote : Re: [Bug 1585913] Re: Snapcraft should allow the user to verify downloaded files with a checksum

Good catch, with the checksum in the part definition :)

SHA3-384 only please, but make it alg/digest so we have future flex.

  source: http://path.to/foo.tgz
  digest: sha3-384/dXPffNKalMcZq8O7t0At0z/sAscPPRMfUS2s3RPvFqrNwqY5ihZQWLH577C2TdZf

Mark

Simon Quigley (tsimonq2) wrote :

Mark, so are you saying that *only* SHA3-384 should be supported? If so, why not more formats?

Also, currently my code supports this through the source-checksum tag:
 - Raw md5, sha256, and sha512 checksums (support for more formats in progress)
 - Location of a file that has a supported checksum format
 - A URL for a file that has a supported checksum format

Are you suggesting that instead of going through source-checksum, that I use digest instead?

I'm just curious at what you are getting at, Mark.

Changed in snapcraft:
milestone: 2.13 → 2.14
Changed in snapcraft:
milestone: 2.14 → 2.15
Changed in snapcraft:
milestone: 2.15 → none
Mark Shuttleworth (sabdfl) wrote :

I think you want to be explicit about which algorithm you are providing, and you want to use sha3-384 in your examples and by convention.

Marc Peña (pachulo) wrote :

I've tried to implement a solution for this, based on the work done by tsimonq2.

The implementation still autodetects the length of the digest, but is now specific about the algorithm. For example:
source-checksum: sha2/035ae7da4bd0ff39960466353e0810f51d17193a13e8b75e767391820aed484c
source-checksum: sha1/30fdfacb19b557a762932c5a3a867cdc698e447f

SHA3 support is commented out, as it is not yet implemented in Python 3.5 hashlib; it will be in Python 3.6: https://docs.python.org/3.6/whatsnew/3.6.html#hashlib
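
As an added illustration (not part of the thread and not snapcraft's own code), here is one way a `family/digest` value like the ones in the comment above could be parsed, with the variant chosen from the digest length, and checked against a downloaded file in Python 3.6+. The `FAMILIES` table, the function names and the hex-only digest encoding are assumptions.

```python
import hashlib
import os
import tempfile

# Assumed mapping (not snapcraft's own table): family -> {hex digest length: hashlib name}.
FAMILIES = {
    "sha1": {40: "sha1"},
    "sha2": {56: "sha224", 64: "sha256", 96: "sha384", 128: "sha512"},
    "sha3": {56: "sha3_224", 64: "sha3_256", 96: "sha3_384", 128: "sha3_512"},
}


def parse_source_checksum(value):
    """Split 'family/hexdigest' and pick the hashlib algorithm from the digest length."""
    family, sep, digest = value.strip().partition("/")
    if not sep or family not in FAMILIES:
        raise ValueError(f"unsupported or missing algorithm in {value!r}")
    digest = digest.lower()
    if any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("digest is not hexadecimal")
    try:
        return FAMILIES[family][len(digest)], digest
    except KeyError:
        raise ValueError(f"{len(digest)} hex chars is not a valid {family} digest") from None


def verify_file(path, source_checksum):
    """Return True only if the file at path hashes to the declared digest."""
    algorithm, expected = parse_source_checksum(source_checksum)
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        # Stream in chunks so large tarballs are not loaded into memory at once.
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest() == expected


def demo():
    """Constructed sample: write a small file, then check a matching and a wrong digest."""
    data = b"constructed sample tarball contents\n"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    try:
        good = "sha2/" + hashlib.sha256(data).hexdigest()
        bad = "sha2/" + hashlib.sha256(data + b"x").hexdigest()
        return verify_file(tmp.name, good), verify_file(tmp.name, bad)
    finally:
        os.unlink(tmp.name)
```

An unknown family or a digest whose length does not fit the declared family raises `ValueError` before any hashing, so a malformed declaration is rejected rather than treated as a pass.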

Changed in snapcraft:
assignee: Simon Quigley (tsimonq2) → Marc Peña (pachulo)
Kyle Fazzari (kyrofa)
Changed in snapcraft:
status: In Progress → Fix Committed
Changed in snapcraft:
status: Fix Committed → Fix Released