
How are the checksums in go.sum computed?

I looked at https://go.dev/doc/modules/gomod-ref and https://go.dev/ref/mod#go-mod-tidy , and on neither page could I find any documentation that explains how the checksums in go.sum are computed.

How are the checksums in go.sum computed?

The checksums are hashes of the dependencies. The document you are looking for is https://go.dev/ref/mod#go-sum-files .

Each line in go.sum has three fields separated by spaces: a module path, a version (possibly ending with /go.mod), and a hash.

  • The module path is the name of the module the hash belongs to.
  • The version is the version of the module the hash belongs to. If the version ends with /go.mod, the hash is for the module's go.mod file only; otherwise, the hash is for the files within the module's .zip file.
  • The hash column consists of an algorithm name (like h1) and a base64-encoded cryptographic hash, separated by a colon (:). Currently, SHA-256 (h1) is the only supported hash algorithm. If a vulnerability in SHA-256 is discovered in the future, support will be added for another algorithm (named h2 and so on).

Example go.sum lines with a module version hash look like this:

github.com/go-chi/chi v1.5.4 h1:QHdzF2szwjqVV4wmByUnTcsbIg7UGaQ0tPF2t5GcAIs=
github.com/go-chi/chi v1.5.4/go.mod h1:uaf8YgoFazUOkPBG7fxPftUylNumIev9awIWOENIuEg=

If you are asking how you actually compute the hash, i.e. what inputs you feed to the SHA-256 function, it is described here: https://cs.opensource.google/go/x/mod/+/refs/tags/v0.5.0:sumdb/dirhash/hash.go

Here is a gist that allows you to compute the module hash for an arbitrary directory, without using go: https://gist.github.com/MarkLodato/c03659d242ea214ef3588f29b582be70
