Notice: this Wiki will be going read only early in 2024 and edits will no longer be possible. Please see: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/wikis/Wiki-shutdown-plan for the plan.
Difference between revisions of "Equinox/p2/Proposals/StoringChecksums"
Mn.mn.com.ua (Talk | contribs) m (→Separate property for artifact and download checksums) |
Mn.mn.com.ua (Talk | contribs) m |
||
| Line 45: | Line 45: | ||
* <code>org.eclipse.equinox.internal.p2.artifact.processors.checksum.ChecksumVerifier</code> uses <code>java.security.MessageDigest</code> thus limiting number of supported algorithms to MD5 and SHA-256 only. | * <code>org.eclipse.equinox.internal.p2.artifact.processors.checksum.ChecksumVerifier</code> uses <code>java.security.MessageDigest</code> thus limiting number of supported algorithms to MD5 and SHA-256 only. | ||
| − | == XML | + | == XML == |
| + | === Option #1 === | ||
<code> | <code> | ||
<artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'> | <artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'> | ||
| Line 58: | Line 59: | ||
</code> | </code> | ||
| − | == | + | === Option #2 === |
<code> | <code> | ||
<artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'> | <artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'> | ||
| Line 70: | Line 71: | ||
</code> | </code> | ||
| − | == | + | === Option #3 === |
<code> | <code> | ||
<artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'> | <artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'> | ||
Revision as of 16:38, 9 April 2016
p2 is able to check integrity of downloaded artifacts using MD5 algorithm only. bug 423715 is going to add support for SHA-256 algorithm but the way artifact's MD5 checksum stored in artifact metadata is not ready for such minor extension (Gerrit change #59612 shows how adding SHA-256 support looks like using the same approach as MD5).
In a long run, however, this solution is not future-proof.
Contents
Separate property for every checksum type (artifact + download) and supprted algorithm
Proposed implementation: Change #59612
Follows current scheme and stores SHA-256 checksums in the two new properties, artifact.sha256 and download.sha256:
<artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'>
<properties>
<property name='artifact.md5' value='58057045158895009b845b9a93f3eb6e'/>
<property name='artifact.sha256' value='58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e'/>
<property name='download.md5' value='58057045158895009b845b9a93f3eb6e'/>
<property name='download.sha256' value='58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e'/>
</properties>
</artifact>
Problems:
- New fields should be added to
org.eclipse.equinox.p2.repository.artifact.IArtifactDescriptor. Deprecating such algorithm in the future and removing these properties is an API breaking change.
Separate property for artifact and download checksums
Proposed implementation: Change #69560
Two new properties, artifact.checksums and download.checksums, store a semi-colon separated list of checksums. Each checksum is a key-value pair algotrithm,checksum separated with =:
<artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'>
<properties>
<property name='artifact.checksums' value='md5=58057045158895009b845b9a93f3eb6e;sha256=58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e'/>
<property name='download.checksums' value='md5=58057045158895009b845b9a93f3eb6e;sha256=58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e'/>
</properties>
</artifact>
- Adding/removing algorithms requires no changes to the API.
- Adding implementation for the new algorithm still require code changes:
- extend
org.eclipse.equinox.internal.p2.artifact.processors.checksum.ChecksumVerifier(seeMD5VerifierandSHA256Verifier) - register new implementation in
org.eclipse.equinox.internal.p2.artifact.processors.checksum.ChecksumUtilities
- extend
-
org.eclipse.equinox.internal.p2.artifact.processors.checksum.ChecksumVerifierusesjava.security.MessageDigestthus limiting number of supported algorithms to MD5 and SHA-256 only.
XML
Option #1
<artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'>
<checksums>
<checksum>
<property name='algorithm' value='md5'/>
<property name='artifact' value='58057045158895009b845b9a93f3eb6e'/>
<property name='download' value='58057045158895009b845b9a93f3eb6e'/>
</checksum>
</checksums>
</artifact>
Option #2
<artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'>
<checksums>
<checksum
algorithm="md5"
download="58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e"
artifact="58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e"/>
</checksums>
</artifact>
Option #3
<artifact classifier='osgi.bundle' id='org.eclipse.osgi' version='3.4.3.R34x_v20081215-1030'>
<checksums>
<checksum>
<algorithm>sha256</algorithm>
<download>58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e</download>
<artifact>58057045158895009b845b9a93f3eb6e58057045158895009b845b9a93f3eb6e</artifact>
</checksum>
</checksums>
</artifact>