How are the checksums in go.sum computed?
Question
I looked at https://go.dev/doc/modules/gomod-ref and https://go.dev/ref/mod#go-mod-tidy, and on neither page could I find any documentation that explains how the checksums in go.sum are computed.
How are the checksums in go.sum computed?
The checksums in the go.sum file are generated from the module's contents. Specifically, a hash is computed over the Go module's source files and metadata to ensure the module's integrity and consistency. This hash is recorded in go.sum so that it can be verified during the build.
Answer 1
Score: 1
The checksums are hashes of the dependencies. The document you look for is https://go.dev/ref/mod#go-sum-files.
> Each line in go.sum has three fields separated by spaces: a module path, a version (possibly ending with /go.mod), and a hash.
>
> - The module path is the name of the module the hash belongs to.
> - The version is the version of the module the hash belongs to. If the version ends with /go.mod, the hash is for the module’s go.mod file only; otherwise, the hash is for the files within the module’s .zip file.
> - The hash column consists of an algorithm name (like h1) and a base64-encoded cryptographic hash, separated by a colon (:). Currently, SHA-256 (h1) is the only supported hash algorithm. If a vulnerability in SHA-256 is discovered in the future, support will be added for another algorithm (named h2 and so on).
Example go.sum lines, in the form module version hash, look like:
github.com/go-chi/chi v1.5.4 h1:QHdzF2szwjqVV4wmByUnTcsbIg7UGaQ0tPF2t5GcAIs=
github.com/go-chi/chi v1.5.4/go.mod h1:uaf8YgoFazUOkPBG7fxPftUylNumIev9awIWOENIuEg=
Answer 2
Score: 1
If you are asking how you actually compute the hash, i.e. what inputs you feed to the SHA-256 function, it is described here: https://cs.opensource.google/go/x/mod/+/refs/tags/v0.5.0:sumdb/dirhash/hash.go
Here is a gist that allows you to compute the module hash for an arbitrary directory, without using go:
https://gist.github.com/MarkLodato/c03659d242ea214ef3588f29b582be70