Skip to main content

Notice: this Wiki will be going read only early in 2024 and edits will no longer be possible. Please see: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/wikis/Wiki-shutdown-plan for the plan.

Jump to: navigation, search

Difference between revisions of "Equinox/p2/Proposals/StoringChecksums"

< Equinox‎ | p2
m (Separate property for every checksum type (artifact + download) and supprted algorithm)
m (Separate property for every checksum type (artifact + download) and supprted algorithm)
 
(5 intermediate revisions by the same user not shown)
Line 3: Line 3:
 
In a long run, however, this solution is not future-proof.
 
In a long run, however, this solution is not future-proof.
  
== Separate property for every checksum type (artifact + download) and supprted algorithm ==
+
== Separate property for every checksum type (artifact + download) and supported algorithm ==
 
Proposed implementation: [https://git.eclipse.org/r/59612 Change #59612]
 
Proposed implementation: [https://git.eclipse.org/r/59612 Change #59612]
  
Line 25: Line 25:
  
 
== Separate property for artifact and download checksums ==
 
== Separate property for artifact and download checksums ==
With a map(checksumAlgo, checksumValue) - still ugly but easier to extend:
+
Proposed implementation: [https://git.eclipse.org/r/#/c/69560/ Change #69560]
 +
 
 +
Two new properties, <code>artifact.checksums</code> and <code>download.checksums</code>, store a semi-colon separated list of checksums. Each checksum is a key-value pair <code>algotrithm,checksum</code> separated with <code>=</code>:
 +
 
 
<code>
 
<code>
 
   <artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'>
 
   <artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'>
Line 35: Line 38:
 
</code>
 
</code>
  
== XML way, #1 ==
+
* Adding/removing algorithms requires no changes to the API.
 +
* Adding implementation for the new algorithm still require code changes:
 +
** extend <code>[https://git.eclipse.org/r/#/c/69560/2/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/processors/checksum/ChecksumVerifier.java org.eclipse.equinox.internal.p2.artifact.processors.checksum.ChecksumVerifier]</code> (see <code>[https://git.eclipse.org/r/#/c/69560/2/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/processors/checksum/MD5Verifier.java MD5Verifier]</code> and <code>[https://git.eclipse.org/r/#/c/69560/2/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/processors/checksum/SHA256Verifier.java SHA256Verifier]</code>)
 +
** register new implementation in <code>[https://git.eclipse.org/r/#/c/69560/2/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/processors/checksum/ChecksumUtilities.java org.eclipse.equinox.internal.p2.artifact.processors.checksum.ChecksumUtilities]</code>
 +
**
 +
* <code>org.eclipse.equinox.internal.p2.artifact.processors.checksum.ChecksumVerifier</code> uses <code>java.security.MessageDigest</code> thus limiting number of supported algorithms to MD5 and SHA-256 only.
 +
 
 +
== XML ==
 +
=== Option #1 ===
 
<code>
 
<code>
 
   <artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'>
 
   <artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'>
Line 43: Line 54:
 
         <property name='artifact' value='58057045158895009b845b9a93f3eb6e'/>
 
         <property name='artifact' value='58057045158895009b845b9a93f3eb6e'/>
 
         <property name='download' value='58057045158895009b845b9a93f3eb6e'/>
 
         <property name='download' value='58057045158895009b845b9a93f3eb6e'/>
 +
      </checksum>
 +
      <checksum>
 +
        <property name='algorithm' value='sha256'/>
 +
        <property name='artifact' value='58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e'/>
 +
        <property name='download' value='58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e'/>
 
       </checksum>
 
       </checksum>
 
     </checksums>
 
     </checksums>
Line 48: Line 64:
 
</code>
 
</code>
  
== XML way, #2 ==
+
=== Option #2 ===
 
<code>
 
<code>
 
   <artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'>
 
   <artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'>
Line 56: Line 72:
 
         download="58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e"
 
         download="58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e"
 
         artifact="58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e"/>
 
         artifact="58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e"/>
 +
      <checksum
 +
        algorithm="sha256"
 +
        download="58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e"
 +
        artifact="58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e"/>
 
     </checksums>
 
     </checksums>
 
   </artifact>
 
   </artifact>
 
</code>
 
</code>
  
== XML way, #3 ==
+
=== Option #3 ===
 
<code>
 
<code>
 
   <artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'>
 
   <artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'>
 
     <checksums>
 
     <checksums>
 +
      <checksum>
 +
        <algorithm>md5</algorithm>
 +
        <download>58057045158895009b845b9a93f3eb6e</download>
 +
        <artifact>58057045158895009b845b9a93f3eb6e</artifact>
 +
      </checksum>
 
       <checksum>
 
       <checksum>
 
         <algorithm>sha256</algorithm>
 
         <algorithm>sha256</algorithm>

Latest revision as of 15:24, 25 April 2016

p2 is able to check integrity of downloaded artifacts using MD5 algorithm only. bug 423715 is going to add support for SHA-256 algorithm but the way artifact's MD5 checksum stored in artifact metadata is not ready for such minor extension (Gerrit change #59612 shows how adding SHA-256 support looks like using the same approach as MD5).

In a long run, however, this solution is not future-proof.

Separate property for every checksum type (artifact + download) and supported algorithm

Proposed implementation: Change #59612

Follows current scheme and stores SHA-256 checksums in the two new properties, artifact.sha256 and download.sha256: 

 <artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'>
   <properties>
     <property name='artifact.md5' value='58057045158895009b845b9a93f3eb6e'/>
     <property name='artifact.sha256' value='58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e'/>
     <property name='download.md5' value='58057045158895009b845b9a93f3eb6e'/>
     <property name='download.sha256' value='58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e'/>
   </properties>
 </artifact>

Problems:

Separate property for artifact and download checksums

Proposed implementation: Change #69560

Two new properties, artifact.checksums and download.checksums, store a semi-colon separated list of checksums. Each checksum is a key-value pair algotrithm,checksum separated with =: 

 <artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'>
   <properties>
     <property name='artifact.checksums' value='md5=58057045158895009b845b9a93f3eb6e;sha256=58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e'/>
     <property name='download.checksums' value='md5=58057045158895009b845b9a93f3eb6e;sha256=58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e'/>
   </properties>
 </artifact>

XML

Option #1

 <artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'>
   <checksums>
     <checksum>
       <property name='algorithm' value='md5'/>
       <property name='artifact' value='58057045158895009b845b9a93f3eb6e'/>
       <property name='download' value='58057045158895009b845b9a93f3eb6e'/>
     </checksum>
     <checksum>
       <property name='algorithm' value='sha256'/>
       <property name='artifact' value='58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e'/>
       <property name='download' value='58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e'/>
     </checksum>
   </checksums>
 </artifact>

Option #2

 <artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'>
   <checksums>
     <checksum
       algorithm="md5"
       download="58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e"
       artifact="58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e"/>
     <checksum
       algorithm="sha256"
       download="58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e"
       artifact="58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e"/>
   </checksums>
 </artifact>

Option #3

 <artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'>
   <checksums>
     <checksum>
       <algorithm>md5</algorithm>
       <download>58057045158895009b845b9a93f3eb6e</download>
       <artifact>58057045158895009b845b9a93f3eb6e</artifact>
     </checksum>
     <checksum>
       <algorithm>sha256</algorithm>
       <download>58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e</download>
       <artifact>58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e</artifact>
     </checksum>
   </checksums>
 </artifact>

Retrieved from "https://wiki.eclipse.org/index.php?title=Equinox/p2/Proposals/StoringChecksums&oldid=404405"

This page was last modified 15:24, 25 April 2016 by Mykola Nikishov.

Back to the top