Notice: this Wiki will be going read only early in 2024 and edits will no longer be possible. Please see: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/wikis/Wiki-shutdown-plan for the plan.
Difference between revisions of "Equinox/p2/Proposals/StoringChecksums"
Mn.mn.com.ua (Talk | contribs) m (→Separate property for every checksum type (artifact + download) and supprted algorithm) |
Mn.mn.com.ua (Talk | contribs) m (→Separate property for every checksum type (artifact + download) and supprted algorithm) |
||
(5 intermediate revisions by the same user not shown) | |||
Line 3: | Line 3: | ||
In a long run, however, this solution is not future-proof. | In a long run, however, this solution is not future-proof. | ||
− | == Separate property for every checksum type (artifact + download) and | + | == Separate property for every checksum type (artifact + download) and supported algorithm == |
Proposed implementation: [https://git.eclipse.org/r/59612 Change #59612] | Proposed implementation: [https://git.eclipse.org/r/59612 Change #59612] | ||
Line 25: | Line 25: | ||
== Separate property for artifact and download checksums == | == Separate property for artifact and download checksums == | ||
− | + | Proposed implementation: [https://git.eclipse.org/r/#/c/69560/ Change #69560] | |
+ | |||
+ | Two new properties, <code>artifact.checksums</code> and <code>download.checksums</code>, store a semi-colon separated list of checksums. Each checksum is a key-value pair <code>algotrithm,checksum</code> separated with <code>=</code>: | ||
+ | |||
<code> | <code> | ||
<artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'> | <artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'> | ||
Line 35: | Line 38: | ||
</code> | </code> | ||
− | == XML | + | * Adding/removing algorithms requires no changes to the API. |
+ | * Adding implementation for the new algorithm still require code changes: | ||
+ | ** extend <code>[https://git.eclipse.org/r/#/c/69560/2/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/processors/checksum/ChecksumVerifier.java org.eclipse.equinox.internal.p2.artifact.processors.checksum.ChecksumVerifier]</code> (see <code>[https://git.eclipse.org/r/#/c/69560/2/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/processors/checksum/MD5Verifier.java MD5Verifier]</code> and <code>[https://git.eclipse.org/r/#/c/69560/2/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/processors/checksum/SHA256Verifier.java SHA256Verifier]</code>) | ||
+ | ** register new implementation in <code>[https://git.eclipse.org/r/#/c/69560/2/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/processors/checksum/ChecksumUtilities.java org.eclipse.equinox.internal.p2.artifact.processors.checksum.ChecksumUtilities]</code> | ||
+ | ** | ||
+ | * <code>org.eclipse.equinox.internal.p2.artifact.processors.checksum.ChecksumVerifier</code> uses <code>java.security.MessageDigest</code> thus limiting number of supported algorithms to MD5 and SHA-256 only. | ||
+ | |||
+ | == XML == | ||
+ | === Option #1 === | ||
<code> | <code> | ||
<artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'> | <artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'> | ||
Line 43: | Line 54: | ||
<property name='artifact' value='58057045158895009b845b9a93f3eb6e'/> | <property name='artifact' value='58057045158895009b845b9a93f3eb6e'/> | ||
<property name='download' value='58057045158895009b845b9a93f3eb6e'/> | <property name='download' value='58057045158895009b845b9a93f3eb6e'/> | ||
+ | </checksum> | ||
+ | <checksum> | ||
+ | <property name='algorithm' value='sha256'/> | ||
+ | <property name='artifact' value='58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e'/> | ||
+ | <property name='download' value='58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e'/> | ||
</checksum> | </checksum> | ||
</checksums> | </checksums> | ||
Line 48: | Line 64: | ||
</code> | </code> | ||
− | == | + | === Option #2 === |
<code> | <code> | ||
<artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'> | <artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'> | ||
Line 56: | Line 72: | ||
download="58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e" | download="58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e" | ||
artifact="58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e"/> | artifact="58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e"/> | ||
+ | <checksum | ||
+ | algorithm="sha256" | ||
+ | download="58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e" | ||
+ | artifact="58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e"/> | ||
</checksums> | </checksums> | ||
</artifact> | </artifact> | ||
</code> | </code> | ||
− | == | + | === Option #3 === |
<code> | <code> | ||
<artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'> | <artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'> | ||
<checksums> | <checksums> | ||
+ | <checksum> | ||
+ | <algorithm>md5</algorithm> | ||
+ | <download>58057045158895009b845b9a93f3eb6e</download> | ||
+ | <artifact>58057045158895009b845b9a93f3eb6e</artifact> | ||
+ | </checksum> | ||
<checksum> | <checksum> | ||
<algorithm>sha256</algorithm> | <algorithm>sha256</algorithm> |
Latest revision as of 15:24, 25 April 2016
p2 is able to check integrity of downloaded artifacts using MD5 algorithm only. bug 423715 is going to add support for SHA-256 algorithm but the way artifact's MD5 checksum stored in artifact metadata is not ready for such minor extension (Gerrit change #59612 shows how adding SHA-256 support looks like using the same approach as MD5).
In a long run, however, this solution is not future-proof.
Contents
Separate property for every checksum type (artifact + download) and supported algorithm
Proposed implementation: Change #59612
Follows current scheme and stores SHA-256 checksums in the two new properties, artifact.sha256
and download.sha256
:
<artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'> <properties> <property name='artifact.md5' value='58057045158895009b845b9a93f3eb6e'/> <property name='artifact.sha256' value='58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e'/> <property name='download.md5' value='58057045158895009b845b9a93f3eb6e'/> <property name='download.sha256' value='58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e'/> </properties> </artifact>
Problems:
- New fields should be added to
org.eclipse.equinox.p2.repository.artifact.IArtifactDescriptor
. Deprecating such algorithm in the future and removing these properties is an API breaking change.
Separate property for artifact and download checksums
Proposed implementation: Change #69560
Two new properties, artifact.checksums
and download.checksums
, store a semi-colon separated list of checksums. Each checksum is a key-value pair algotrithm,checksum
separated with =
:
<artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'> <properties> <property name='artifact.checksums' value='md5=58057045158895009b845b9a93f3eb6e;sha256=58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e'/> <property name='download.checksums' value='md5=58057045158895009b845b9a93f3eb6e;sha256=58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e'/> </properties> </artifact>
- Adding/removing algorithms requires no changes to the API.
- Adding implementation for the new algorithm still require code changes:
- extend
org.eclipse.equinox.internal.p2.artifact.processors.checksum.ChecksumVerifier
(seeMD5Verifier
andSHA256Verifier
) - register new implementation in
org.eclipse.equinox.internal.p2.artifact.processors.checksum.ChecksumUtilities
- extend
-
org.eclipse.equinox.internal.p2.artifact.processors.checksum.ChecksumVerifier
usesjava.security.MessageDigest
thus limiting number of supported algorithms to MD5 and SHA-256 only.
XML
Option #1
<artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'> <checksums> <checksum> <property name='algorithm' value='md5'/> <property name='artifact' value='58057045158895009b845b9a93f3eb6e'/> <property name='download' value='58057045158895009b845b9a93f3eb6e'/> </checksum> <checksum> <property name='algorithm' value='sha256'/> <property name='artifact' value='58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e'/> <property name='download' value='58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e'/> </checksum> </checksums> </artifact>
Option #2
<artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'> <checksums> <checksum algorithm="md5" download="58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e" artifact="58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e"/> <checksum algorithm="sha256" download="58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e" artifact="58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e"/> </checksums> </artifact>
Option #3
<artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'> <checksums> <checksum> <algorithm>md5</algorithm> <download>58057045158895009b845b9a93f3eb6e</download> <artifact>58057045158895009b845b9a93f3eb6e</artifact> </checksum> <checksum> <algorithm>sha256</algorithm> <download>58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e</download> <artifact>58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e</artifact> </checksum> </checksums> </artifact>