How are the checksums in go.sum computed?

Question

I looked at https://go.dev/doc/modules/gomod-ref and https://go.dev/ref/mod#go-mod-tidy, and on neither page could I find any documentation that explains how the checksums in go.sum are computed.

How are the checksums in go.sum computed?

Answer 1

Score: 1

The checksums are hashes of the dependencies. The document you are looking for is https://go.dev/ref/mod#go-sum-files.

> Each line in go.sum has three fields separated by spaces: a module path, a version (possibly ending with /go.mod), and a hash.
>
> - The module path is the name of the module the hash belongs to.
> - The version is the version of the module the hash belongs to. If the version ends with /go.mod, the hash is for the module’s go.mod file only; otherwise, the hash is for the files within the module’s .zip file.
> - The hash column consists of an algorithm name (like h1) and a base64-encoded cryptographic hash, separated by a colon (:). Currently, SHA-256 (h1) is the only supported hash algorithm. If a vulnerability in SHA-256 is discovered in the future, support will be added for another algorithm (named h2 and so on).

Example go.sum lines with module, version and hash look like this:

github.com/go-chi/chi v1.5.4 h1:QHdzF2szwjqVV4wmByUnTcsbIg7UGaQ0tPF2t5GcAIs=
github.com/go-chi/chi v1.5.4/go.mod h1:uaf8YgoFazUOkPBG7fxPftUylNumIev9awIWOENIuEg=

Answer 2

Score: 1

If you are asking how you actually compute the hash, i.e. what inputs you feed to the SHA-256 function, it is described here: https://cs.opensource.google/go/x/mod/+/refs/tags/v0.5.0:sumdb/dirhash/hash.go

Here is a gist that allows you to compute the module hash for an arbitrary directory, without using go:
https://gist.github.com/MarkLodato/c03659d242ea214ef3588f29b582be70
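
The h1 scheme from the dirhash source linked above, as an added example (not code from either answer or from the gist): it recomputes a hash and checks it against a three-field go.sum line. The names `hashH1` and `checkGoSumLine` and the module `example.com/demo` are constructed for illustration. A `/go.mod` line hashes the single file name `go.mod`; for a zip line the names would be the archive paths of the form `module@version/path`.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// hashH1 follows Hash1 in x/mod's sumdb/dirhash/hash.go: SHA-256 over a sorted
// manifest of "<hex sha256 of file>  <name>\n" lines, base64-encoded after "h1:".
func hashH1(files map[string][]byte) (string, error) {
	names := make([]string, 0, len(files))
	for name := range files {
		if strings.Contains(name, "\n") { // a newline could forge manifest lines
			return "", errors.New("file names with newlines are not supported")
		}
		names = append(names, name)
	}
	sort.Strings(names)
	manifest := sha256.New()
	for _, name := range names {
		fmt.Fprintf(manifest, "%x  %s\n", sha256.Sum256(files[name]), name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(manifest.Sum(nil)), nil
}

// checkGoSumLine recomputes the hash and compares it with the line's third field.
func checkGoSumLine(line string, files map[string][]byte) (bool, error) {
	f := strings.Fields(line)
	if len(f) != 3 || !strings.HasPrefix(f[2], "h1:") {
		return false, fmt.Errorf("malformed go.sum line: %q", line)
	}
	got, err := hashH1(files)
	return got == f[2], err
}

func main() {
	// Constructed sample input: one go.mod file for a made-up module.
	mod := map[string][]byte{"go.mod": []byte("module example.com/demo\n\ngo 1.18\n")}
	h, _ := hashH1(mod)
	line := "example.com/demo v0.1.0/go.mod " + h
	ok, _ := checkGoSumLine(line, mod)
	mod["go.mod"] = append(mod["go.mod"], "require example.com/extra v1.0.0\n"...)
	tampered, _ := checkGoSumLine(line, mod)
	fmt.Println(line, ok, tampered)
}
```

Because file names are part of the hashed manifest, renaming a file changes the h1 value even when no file content changes.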

huangapple
  • Posted on 2022-05-14 04:06:12
  • When reposting, please keep the link to this article: https://go.coder-hub.com/72234905.html