spark-wallet

-npm.tgz hash doesn't match what's found on registry.npmjs.org

Open jonasnick opened this issue 6 years ago • 7 comments

The tgz hash should be:

7d619030153f1f6d14b9a5aeed1ec4a469dcce95305446c444d7c0c5387b2e67  spark-wallet-0.2.8-npm.tgz

according to SHASUMS. But when I download from the npm registry the hash differs

$ wget https://registry.npmjs.org/spark-wallet/-/spark-wallet-0.2.8.tgz
$ sha256sum spark-wallet-0.2.8.tgz
1e02a8488adec9c83b18d27f9277613905981952f1fc554d26265e5abcbc1871  spark-wallet-0.2.8.tgz

Is there a way to also sign and verify whatever is returned from the registry?

jonasnick, Jun 11 '19 22:06

The hashes should match; I'll look into why they don't. It might be some change in the way npm packages it for distribution (I recently updated npm's version).

In the meantime, why not pull it directly from GitHub releases instead? The hash there would definitely match the one in SHA256SUMS.

Available here: https://github.com/shesek/spark-wallet/releases/download/v0.2.8/spark-wallet-0.2.8-npm.tgz

shesek, Jun 12 '19 00:06

It looks like the npm registry started doing server-side rewriting of package tarballs to reset timestamps and access permissions. Spark already attempts to reset these on its own, but uses a different fixed timestamp and access permissions than what npm uses.

I was able to fix this locally (with the help of diffoscope, a really useful tool for locating sources of non-reproducibility), but in a somewhat quirky way. I'll try looking for a better fix and get this in for v0.2.9.

shesek, Jun 15 '19 19:06

v0.2.9 and v0.2.10 had matching hashes. v0.2.11, v0.2.12 and v0.2.13 diverged again. Can you double-check why?

nixbitcoin, Apr 17 '20 12:04

@nixbitcoin Yes, I will look into this again, thanks for the nudge!

shesek, Apr 17 '20 22:04

I looked into this some more and was not able to resolve it. It appears that the npm registry changes the order of files inside the tarball, and I can't seem to find any information about how their ordering works exactly in order to replicate it.

Is it not possible to use the npm package tarball published in github releases instead of pulling it from npm?

shesek, Apr 23 '20 04:04
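The three sources of divergence named in this thread (the registry resetting timestamps and permissions in the earlier comment, and the entry reordering in this one) are all archive metadata, not package content. The script below is an added worked example, not code from the spark-wallet project or from either commenter: it builds two constructed tarballs with identical files but different entry order, mtime and mode, shows that a plain sha256sum-style check against a SHA256SUMS line fails for the rewritten one, and then compares the two at the content level to classify the mismatch as metadata-only versus a real file change. The package files, the helper names (`canonical_digest`, `compare_tarballs`) and the placeholder mtime/mode values are assumptions for illustration; the thread does not document the exact values or ordering the npm registry applies.

```python
"""Classify a .tgz hash mismatch as metadata-only or a real content change."""
import gzip
import hashlib
import hmac
import io
import tarfile

# Constructed sample package (placeholder content, not the real spark-wallet files).
PACKAGE_FILES = {
    "package/package.json": b'{"name":"example-pkg","version":"0.2.8"}\n',
    "package/index.js": b"module.exports = () => 'hello';\n",
    "package/README.md": b"# example-pkg\n",
}


def build_tarball(files, order, mtime, mode):
    """Write a .tgz with a chosen entry order, fixed mtime and file mode.

    Order, mtime and mode are the knobs the thread blames for the hash
    divergence, so each is a parameter here.
    """
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name in order:
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            info.mode = mode
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    # The gzip header has its own mtime field; pin it too or the bytes differ anyway.
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def matches_sha256sums(sums_text, filename, data):
    """Check data against a 'HASH  filename' line in sha256sum output format."""
    for line in sums_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("*") == filename:
            return hmac.compare_digest(parts[0].lower(), sha256_hex(data))
    return False


def read_entries(tgz_bytes):
    """Return [(name, type, mode, mtime, content)] in on-disk order."""
    entries = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            content = tar.extractfile(m).read() if m.isfile() else b""
            entries.append((m.name, m.type, m.mode, m.mtime, content))
    return entries


def canonical_digest(tgz_bytes):
    """Digest over package *contents* only: entries sorted by name, hashed as
    (name, type, content). Order, mtime, mode, owner and the gzip header are
    deliberately ignored, so equal digests mean the archives unpack identically."""
    h = hashlib.sha256()
    for name, typ, _mode, _mtime, content in sorted(read_entries(tgz_bytes)):
        h.update(name.encode() + b"\0" + typ + b"\0")
        h.update(hashlib.sha256(content).digest())
    return h.hexdigest()


def compare_tarballs(a_bytes, b_bytes):
    """A minimal diffoscope-style report: which differences are metadata, which are content."""
    a, b = read_entries(a_bytes), read_entries(b_bytes)
    by_a, by_b = {e[0]: e for e in a}, {e[0]: e for e in b}
    content_diffs, metadata_diffs = [], []
    if [e[0] for e in a] != [e[0] for e in b]:
        metadata_diffs.append("entry order")
    for name in sorted(set(by_a) | set(by_b)):
        if name not in by_a or name not in by_b:
            content_diffs.append(f"{name}: only in one tarball")
            continue
        _, ta, ma, mta, ca = by_a[name]
        _, tb, mb, mtb, cb = by_b[name]
        if ta != tb or ca != cb:
            content_diffs.append(f"{name}: content differs")
        if ma != mb:
            metadata_diffs.append(f"{name}: mode {ma:o} vs {mb:o}")
        if mta != mtb:
            metadata_diffs.append(f"{name}: mtime {mta} vs {mtb}")
    return {"identical_bytes": a_bytes == b_bytes, "same_contents": not content_diffs,
            "metadata_diffs": metadata_diffs, "content_diffs": content_diffs}


# The "release" tarball, and a registry-style rewrite of it: same files, different
# order, mtime and mode. The values are placeholders, not what npm actually uses.
ORDER_RELEASE = ["package/package.json", "package/index.js", "package/README.md"]
RELEASE_TGZ = build_tarball(PACKAGE_FILES, ORDER_RELEASE, mtime=0, mode=0o644)
REGISTRY_TGZ = build_tarball(PACKAGE_FILES, sorted(PACKAGE_FILES), mtime=499162500, mode=0o664)
# A tarball whose content really changed, to show the classifier tells the two apart.
TAMPERED_FILES = dict(PACKAGE_FILES, **{"package/index.js": b"module.exports = () => 'goodbye';\n"})
TAMPERED_TGZ = build_tarball(TAMPERED_FILES, ORDER_RELEASE, mtime=0, mode=0o644)
SHA256SUMS = f"{sha256_hex(RELEASE_TGZ)}  example-pkg-0.2.8-npm.tgz\n"
```

Two caveats for anyone using this as a check. First, a matching content-level digest tells you the registry tarball unpacks to the same files as the release tarball; it does not make the registry bytes themselves verifiable against the signed SHA256SUMS, so the GitHub release artifact suggested earlier in the thread remains the thing the signature actually covers. Second, file mode is treated as metadata here because that is what the thread describes the registry rewriting, but a mode change that adds or strips an execute bit can matter for a package that ships scripts, so inspect `metadata_diffs` rather than discarding it.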

Please update key FCF1 9B67 8665 62F0 8A43 AAD6 81F6 104C D0F1 50FC. It has been expired since 2020-02-20.

nixbitcoin, Apr 27 '20 11:04

Thanks for the heads up. I updated and sent them to keys.gnupg.net, keyserver.ubuntu.com and the sks-keyservers.net pool.

shesek, Apr 29 '20 02:04