feat: verify downloads against release-published asset digests#191
Merged
Conversation
Github publishes a sha256 digest per release asset; with the checksums
feature the updater now verifies the downloaded artifact against it
before installing whenever the selected asset carries one. On by
default; opt out with `verify_release_digest(false)`. A digest that is
present but malformed or unsupported fails the update rather than
silently skipping. Independent of `verify_checksum` (both must pass
when both apply). Integrity only: the forge recomputes the digest when
an asset is replaced, so this is not a substitute for `signatures`.
- `ReleaseAsset::digest()` / `ReleaseAsset::with_digest(..)` carry the
`algorithm:hex` digest; the github backend fills it from the API
- `Checksum::parse_digest("sha256:<hex>")` parses the forge form
- closes #159
Reflect the new checksums-gated release-digest gate across the ref specs (update-pipeline, signatures-and-checksums, release-model, github-backend, common-config, feature-flags) and the checksum-from-asset/checksum-verification decision specs. Mark Checksum from Asset partial: the github per-asset digest path ships, the SHA256SUMS-file fetch/parse convenience is still deferred.
3.3.3 drops the info-string suffix on a fenced block (the `compile_fail` async doctest renders as a plain `rust` fence). CI installs the latest cargo-readme, so the committed README must match its output. The doctest still runs as compile_fail; the marker lives in src/lib.rs, not the README.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #159.
sha256:<hex>) before installing, whenever the selected asset carries one. On by default with thechecksumsfeature; opt out withverify_release_digest(false)on the builders.ReleaseAsset::digest()andReleaseAsset::with_digest(..)carrying thealgorithm:hexdigest; the github backend fills it from the API's per-assetdigestfield, the other backends leave itNone(their APIs publish none). A customReleaseSourcecan supply one viawith_digest.Checksum::parse_digest("sha256:<hex>"), parsing the forge form into aChecksum(sha256/sha512).verify_checksum: when both apply, both must pass.Note that this is an integrity check only, not authenticity: github recomputes the digest when an asset is replaced, so it is not a substitute for the
signaturesfeature.