[feature] auto sha256sum check

[ShalokShalom]

Hi there :)

Pacman provides me a simple tool named makepkg -g which download the source if not done yet and creates the checksum from it.
The output is ready for copy and paste, so it would be in Habitats case something like:

pkg_shasum=36658cb768a54c1d4dec43c3116c27ed893e88b02ecfcb44f2166f9c0b7f2a0d

Current steps to create the checksum:

1. Download source(s) by hand
2. Check the shasum(s) by hand
3. Add them by hand into the plan

One command to do that all in once is the goal of that issue here. 👍

[ShalokShalom]

I see now, that Habitat show the "expected" value, which is nice too.

[fnichol]

I could see this being useful for fast moving third party software releases but I'm struggling to see where a tool like this would land in the existing command set. Perhaps an external tool that gets packaged up for use by core maintainers?

[ShalokShalom]

Habitat can do it automatically, so always once the build of a plan.sh detect an incorrect pkg_shasum= line

[bdangit]

hrmmm.... thats a bit scary, IMO. It could promote a bad security practice where its no better than not checking the shasum in the first place.

[ShalokShalom]

@fnichol what do you mean by command set? is it how to call that function?

@bdangit why this?

[christophermaier]

The checksum is how the plan author asserts that the thing the Habitat package is built from is what it's actually supposed to be built from. Because Habitat checks the checksum of whatever it downloaded against that checksum, you can be confident of what's in the package.

Note that it's the checksum of the software that Habitat is packaging, and not the checksum of the artifact that Habitat itself generates by wrapping that software. If that is what you're after, Habitat does compute that for you, and you can find it by running cat $YOUR_HART_FILE | head -n 5

[ShalokShalom]

i actually mean the checksum of the software that Habitat is packaging

so the solution which @fnichol suggest, seems legit to me now 👍

[bdangit]

@ShalokShalom, I am paranoid and so should everyone especially with the Internets. If I had a compromised link between my computer and the source and I develop my plan.sh on the compromised link, this auto feature would embed in the wrong sha.

Let's say I continue moving forward with my compromised plan.sh which if the shasum is still compromised, then my binary that is being built is also possibly compromised.

Yes, I should have verified the sha that's auto-computed is correct according to the source's website - but since it's auto-generated, my plan works and I think I'm not compromised - I might as well not care to check that assertion.

I like the balance in where @fnichol suggests another tool to help with this versus being embedded inside the hab cli just because of my paranoid scenario above.

[ShalokShalom]

So you mean calculating the checksum on my local computer with sha265sum makes any difference to the calculation done by habitat?

I am for it, with the optional feature to auto it?

[ShalokShalom]

To be honest, currently i simply try to build without and use then the calculated, expected shasum
My workflow is much more smooth, when i can do the generation of the shasum as i intended in this post, all the other things add an IMHO overcomplicated extra layer. If realised as an external tool or build in, is the same for me, so long as i can use it inside of Habitat with a single command.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. We value your input and contribution. Please leave a comment if this issue still affects you.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. We value your input and contribution. Please leave a comment if this issue still affects you.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. We value your input and contribution. Please leave a comment if this issue still affects you.