Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: cache and verify downloaded archive #32

Merged
merged 3 commits into from
Apr 26, 2021
Merged

feat: cache and verify downloaded archive #32

merged 3 commits into from
Apr 26, 2021

Conversation

lidel
Copy link
Member

@lidel lidel commented Oct 17, 2020
edited
Loading

This PR saves us time on CI and gives more confidence that downloaded archive is valid:

  • ♻️ retries twice before failing to download (replaced node-fetch with got)
  • 🗃️ adds caching of downloaded archives
  • 🛑 adds pre-commit hook to protect against commiting real binary to git
  • 🕵️ downloads .sha512 manifest and compares it with sha512 of downloaded archive

Demo: caching and verifying in action

First time downloads archive to the cache:

Downloading https://dist.ipfs.io/go-ipfs/v0.7.0/go-ipfs_v0.7.0_linux-amd64.tar.gz to /home/lidel/.cache/npm-go-ipfs
Downloaded https://dist.ipfs.io/go-ipfs/v0.7.0/go-ipfs_v0.7.0_linux-amd64.tar.gz
Downloading go-ipfs_v0.7.0_linux-amd64.tar.gz.sha512
Downloaded go-ipfs_v0.7.0_linux-amd64.tar.gz.sha512
Verifying go-ipfs_v0.7.0_linux-amd64.tar.gz.sha512
OK (1d5910f27e8d7ea333145f15c6edcbacc1e8db3a99365f0847467bdfa7c73f4d7a05562e46be8e932056c8324ed0769ca1b6758dfb0ac4c2e1b6066b57c4a086)
Unpacked /home/lidel/project/ipfs/npm-go-ipfs
Linking /home/lidel/project/ipfs/npm-go-ipfs/go-ipfs/ipfs to /home/lidel/project/ipfs/npm-go-ipfs/bin/ipfs

Second time reused archive from the cache:

https://dist.ipfs.io/go-ipfs/versions
Found /home/lidel/.cache/npm-go-ipfs/go-ipfs_v0.7.0_linux-amd64.tar.gz
Verifying go-ipfs_v0.7.0_linux-amd64.tar.gz.sha512
OK (1d5910f27e8d7ea333145f15c6edcbacc1e8db3a99365f0847467bdfa7c73f4d7a05562e46be8e932056c8324ed0769ca1b6758dfb0ac4c2e1b6066b57c4a086)
Unpacked /home/lidel/project/ipfs/npm-go-ipfs
Linking /home/lidel/project/ipfs/npm-go-ipfs/go-ipfs/ipfs to /home/lidel/project/ipfs/npm-go-ipfs/bin/ipfs

Note that SHA512 is compared on every run.
If a single bit was flipped, it will return an error:

Found /home/lidel/.cache/npm-go-ipfs/go-ipfs_v0.7.0_linux-amd64.tar.gz
Verifying go-ipfs_v0.7.0_linux-amd64.tar.gz.sha512
Expected   SHA512: 2d5910f27e8d7ea333145f15c6edcbacc1e8db3a99365f0847467bdfa7c73f4d7a05562e46be8e932056c8324ed0769ca1b6758dfb0ac4c2e1b6066b57c4a086
Calculated SHA512: 1d5910f27e8d7ea333145f15c6edcbacc1e8db3a99365f0847467bdfa7c73f4d7a05562e46be8e932056c8324ed0769ca1b6758dfb0ac4c2e1b6066b57c4a086
Error: SHA512 of /home/lidel/.cache/npm-go-ipfs/go-ipfs_v0.7.0_linux-amd64.tar.gz' (1d5910f27e8d7ea333145f15c6edcbacc1e8db3a99365f0847467bdfa7c73f4d7a05562e46be8e932056c8324ed0769ca1b6758dfb0ac4c2e1b6066b57c4a086) does not match expected value from /home/lidel/.cache/npm-go-ipfs/go-ipfs_v0.7.0_linux-amd64.tar.gz.sha512 (2d5910f27e8d7ea333145f15c6edcbacc1e8db3a99365f0847467bdfa7c73f4d7a05562e46be8e932056c8324ed0769ca1b6758dfb0ac4c2e1b6066b57c4a086)
    at cachingFetchAndVerify (/home/lidel/project/ipfs/npm-go-ipfs/src/download.js:67:11)

cc @andrew

andrew
andrew approved these changes Oct 29, 2020
View reviewed changes
Copy link

@andrew andrew left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@lidel
feat: cache and verify downloaded archive
8306486 
- replaces node-fetch with got which simplifies code
  and is more robust on CI (retries twice before failing to download)
- adds caching of downloaded archives which should speed up CI
  of projects using this library (eg. ipfs-desktop)
- adds pre-commit hook to protect against commiting real binary to git
- downloads .sha512 manifest and compares it with sha512sum of
  downloaded archive
@lidel lidel force-pushed the fix/cache-and-sha512-check branch from 5f93d2c to 8306486 Compare April 26, 2021 13:54
@lidel
Copy link
Member Author

lidel commented Apr 26, 2021

@achingbrain as agreed, I've updated tests and removed dead code ported from npm-go-ipfs-dep + added git workflow to run npm test on PRs.

I'm merging this, so the cache is included when 0.9.0 ships.

@lidel lidel merged commit 4c07d7c into master Apr 26, 2021
@lidel lidel deleted the fix/cache-and-sha512-check branch April 26, 2021 17:41
@lidel lidel mentioned this pull request May 4, 2021
Closed
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrew andrew andrew approved these changes

@olizilla olizilla Awaiting requested review from olizilla

@Stebalien Stebalien Awaiting requested review from Stebalien

@achingbrain achingbrain Awaiting requested review from achingbrain

@daviddias daviddias Awaiting requested review from daviddias

@aschmahmann aschmahmann Awaiting requested review from aschmahmann

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@lidel @andrew