
Compute and store content hash

Open wolfv opened this issue 2 years ago • 0 comments

We are currently using the SHA256 of the tar archive. This is all fine, except that the SHA256 hash of the tar archive is dependent on how the archive was packed, and could change (without the contents being changed). For example, at some point GitHub changed the way they produced these archives and that changed all the hashes (that was reverted shortly after because it broke many package managers etc.).

However, we can also compute a content hash (a combination of all the hashes of all the files). This kind of hash is only dependent on the actual files in the archive. I believe Nix computes / uses such a hash. That would mean, at a later time, even if the hash of the .tar.gz archive doesn't match any more we could still verify the content hash, if we store it as part of the metadata.

wolfv, Nov 03 '23 15:11
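The idea in the issue above, as an added example (not rattler-build code and not Nix's NAR format): a content hash built from sorted per-file SHA256 records stays stable when the same files are repacked with a different order, mtime and compression level, while the archive SHA256 changes. The record layout and the names `content_hash` and `pack` are assumptions made for this sketch.

```python
import hashlib
import io
import posixpath
import tarfile

def content_hash(archive_bytes: bytes) -> str:
    """SHA256 over sorted (kind, path, sha256-of-content) records."""
    records = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:
            path = posixpath.normpath(member.name)  # "./a/b" and "a/b" agree
            if member.isfile():
                kind = b"x" if member.mode & 0o100 else b"f"  # keep exec bit
                digest = hashlib.sha256(tar.extractfile(member).read())
            elif member.issym():
                kind, digest = b"l", hashlib.sha256(member.linkname.encode())
            else:
                continue  # directories, devices: ignored in this sketch
            # Keyed by path so a repeated entry overrides the earlier one,
            # matching what extraction would leave on disk.
            records[path] = b"\0".join(
                [kind, path.encode(), digest.hexdigest().encode()]) + b"\n"
    outer = hashlib.sha256()
    for path in sorted(records):  # order in the archive no longer matters
        outer.update(records[path])
    return outer.hexdigest()

def pack(files: dict, order: list, mtime: int, level: int) -> bytes:
    """Build a .tar.gz of the sample files with chosen packing details."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz", compresslevel=level) as tar:
        for name in order:
            info = tarfile.TarInfo(name)
            info.size, info.mtime, info.mode = len(files[name]), mtime, 0o644
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

# Constructed sample content, not taken from any real package.
FILES = {"pkg/info.json": b'{"name": "demo"}', "pkg/lib/a.py": b"print('a')\n"}
A = pack(FILES, ["pkg/info.json", "pkg/lib/a.py"], mtime=1_600_000_000, level=9)
B = pack(FILES, ["pkg/lib/a.py", "pkg/info.json"], mtime=1_700_000_000, level=1)
C = pack({**FILES, "pkg/lib/a.py": b"print('b')\n"}, list(FILES), 1_600_000_000, 9)

if __name__ == "__main__":
    for label, blob in (("A", A), ("B", B), ("C", C)):
        print(label, hashlib.sha256(blob).hexdigest()[:16], content_hash(blob)[:16])
```

A and B hold identical files and differ only in packing; C changes one file's bytes, so its content hash differs from both.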