
Document recommendation for generating bzlmod integrity value #17124

Open
keith opened this issue Jan 3, 2023 · 8 comments
Assignees
Labels
P2 We'll consider working on this in future. (Assignee optional) team-Documentation Documentation improvements that cannot be directly linked to other team labels team-ExternalDeps External dependency handling, remote repositiories, WORKSPACE file. type: documentation (cleanup)

Comments

@keith
Member

keith commented Jan 3, 2023

Currently the documentation for the integrity field:

integrity: The Subresource Integrity checksum of the archive.

links to the spec of the subresource integrity format. I think ideally given the community has generally standardized on using sha256s of the archives, there should be a quick snippet recommendation folks can copy and paste to generate what they need. I guess that is something like:

openssl dgst -sha256 -binary ARCHIVE.tar.gz | openssl base64 -A | sed 's/^/sha256-/'
@sgowroji sgowroji added team-Documentation Documentation improvements that cannot be directly linked to other team labels untriaged type: documentation (cleanup) labels Jan 4, 2023
@keertk keertk added the team-ExternalDeps External dependency handling, remote repositiories, WORKSPACE file. label Jan 6, 2023
@keertk keertk added P2 We'll consider working on this in future. (Assignee optional) and removed untriaged labels Jan 9, 2023
@zachgrayio

Maybe now is a good time to discuss different guidance on this field so we don't put ourselves back into the situation that allowed a recent Github change to break all of our Bazel builds; should we discuss providing a standard CLI tool or script for hashing the files, not the archive, since that may change underneath us at any point if compression algorithms change, etc?

@lbhdc

lbhdc commented Nov 10, 2023

👋 I ran into this error. I found this really confusing. After consulting the docs and not seeing any guidance, I searched around github, but didn't find any actually using the integrity field.

I asked in slack and was helpfully shown the blessed way to translate the sha sum bazel provides (thread).

More documentation around this would be really helpful!

@blackliner

And who decided on using base64 encoded sha256 sums? What is the purpose of this? Why not just go for the plain sha256 like every other project on this world?

@dws
Contributor

dws commented Jun 13, 2024

When I went to bazel.build and used "subresource integrity format" in the search box, it found uses of this phrase, but no definitions...

@realtimetodie

Why is Bazel using base64 encoded sha256 sums all of a sudden? This is not a format that is readable for humans.

@AustinSchuhBRT

Thank you, this post saved me a bunch of time trying to track down how to do this. These are not easy to generate.

@fmeum
Collaborator

fmeum commented Nov 7, 2024

I haven't tried it out yet, but https://github.com/zkat/srisum-rs appears to be a drop-in replacement for sha256sum.

@lalten
Contributor

lalten commented Nov 7, 2024

As one more alternative, I have a little script on my PATH that does

#!/bin/bash
set -euo pipefail
url="$1"
# Print the SRI algorithm prefix without a trailing newline.
echo -n "sha256-"
# Download the archive, hash it, keep only the hex digest, turn the hex back
# into raw bytes, and base64-encode those bytes (the SRI encoding).
curl -fnsSL "$url" | sha256sum | cut -d' ' -f1 | xxd -r -p | base64

so it doesn't need openssl
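The thread shows three ways to arrive at the same value: keith's openssl pipeline, lalten's curl/xxd script, and the translation of a hex sha256 into SRI form that lbhdc was pointed to. The script below is an added example written for this page, not code from the Bazel project or from any commenter. It assumes only the Python standard library; the function names and the command-line shape are mine. It goes one step beyond the one-liners above: besides generating an integrity value from a file, from bytes, or from a hex digest, it parses an integrity string, rejects anything that is not one of the three SRI algorithms, and verifies an archive against it with a constant-time comparison, which is the check that actually protects a build from a changed download.

```python
"""Generate and verify Subresource Integrity (SRI) values for archives.

Added example for this issue; not Bazel's own code. Standard library only.
"""
import base64
import hashlib
import hmac
import re
import sys

# The only hash functions the SRI format allows. sha256 is what the Bazel
# community has standardized on for archives.
_SRI_ALGOS = {
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}
# "<algo>-<standard base64 with padding>"; anything else is rejected.
_SRI_RE = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$")


def _encode(algo: str, raw_digest: bytes) -> str:
    return f"{algo}-{base64.b64encode(raw_digest).decode('ascii')}"


def sri_from_bytes(data: bytes, algo: str = "sha256") -> str:
    """Equivalent of `openssl dgst -sha256 -binary FILE | openssl base64 -A`."""
    return _encode(algo, _SRI_ALGOS[algo](data).digest())


def sri_from_file(path: str, algo: str = "sha256") -> str:
    """Hash a file in 1 MiB chunks so large archives need not fit in memory."""
    h = _SRI_ALGOS[algo]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return _encode(algo, h.digest())


def sri_from_hex(hex_digest: str, algo: str = "sha256") -> str:
    """Translate a hex digest (what sha256sum prints) into SRI form.

    This is the xxd -r -p | base64 step of lalten's script, with a length
    check so a truncated or mis-pasted digest is caught instead of encoded.
    """
    raw = bytes.fromhex(hex_digest.strip())
    want = _SRI_ALGOS[algo]().digest_size
    if len(raw) != want:
        raise ValueError(f"{algo} digest must be {want} bytes, got {len(raw)}")
    return _encode(algo, raw)


def parse_sri(value: str) -> tuple:
    """Split an integrity string into (algorithm, raw digest bytes).

    Raises ValueError for unknown algorithms, bad base64, or a digest whose
    length does not match the algorithm named in the prefix.
    """
    m = _SRI_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a valid SRI value: {value!r}")
    algo, b64 = m.group(1), m.group(2)
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != _SRI_ALGOS[algo]().digest_size:
        raise ValueError(f"digest length does not match {algo}")
    return algo, raw


def verify_sri(data: bytes, value: str) -> bool:
    """Return True if data hashes to the digest named by the integrity string.

    hmac.compare_digest avoids leaking how many leading bytes matched.
    """
    algo, expected = parse_sri(value)
    actual = _SRI_ALGOS[algo](data).digest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Usage: sri.py ARCHIVE            -> print the integrity value
    #        sri.py ARCHIVE sha256-... -> exit 0 if it matches, 1 otherwise
    path = sys.argv[1]
    if len(sys.argv) > 2:
        with open(path, "rb") as f:
            ok = verify_sri(f.read(), sys.argv[2])
        print("OK" if ok else "MISMATCH")
        sys.exit(0 if ok else 1)
    print(sri_from_file(path))
```

`verify_sri` raising on an unknown prefix such as `md5-...` is deliberate: a value that does not parse should fail the build rather than silently skip the check. The same parser also makes it easy to spot the common mistake this thread is about, a hex sha256 pasted into the integrity field, since hex contains no `-` prefix and is rejected outright.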
