How to check go.mod hashes in sum.golang.org using Python?

php editor Xigua is here to introduce how to use Python to check the go.mod hash value in sum.golang.org. sum.golang.org is an official service for verifying Go module hashes, which helps developers ensure the integrity and security of their modules. By using Python's requests library and hashlib library, we can easily obtain and compare the hash value of the go.mod file to ensure that the module we use is trustworthy. Let us take a look at the specific implementation steps below.

Question content

I need to verify the hash of the go.mod file provided by sum.golang.org. I need to use PYTHON.

For example - https://sum.golang.org/lookup/github.com/gin-gonic/[email protected]File https://proxy.golang.org/github. com/gin-gonic/gin/@v/v1.6.2.mod

We are here:

import base64
import requests
import hashlib
import os

# some tmp file
tmp_file = os.path.abspath(os.path.dirname(__file__)) + '/tmp.mod'

# url for sumdb
link_sum_db = 'https://sum.golang.org/lookup/github.com/gin-gonic/[email protected]'
# our line:
# github.com/gin-gonic/gin v1.6.2/go.mod h1:75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwvtwp4M=
hash_from_sumdb = b'75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwvtwp4M='
print(hash_from_sumdb)
# b'75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwvtwp4M='

# download the file
f_url = 'https://proxy.golang.org/github.com/gin-gonic/gin/@v/v1.6.2.mod'
f_url_content = requests.get(f_url).content
with open(tmp_file, 'wb') as f:
    f.write(f_url_content)

with open(tmp_file, 'rb') as f:
    f_file_content = f.read()

# calculate hash from local tmp file
hash_from_file = base64.b64encode(hashlib.sha256(f_file_content).digest())
print(hash_from_file)
# b'x9T1RkIbnNSJydQMU9l8mvXfhBIkDhO3TTHCbOVG4Go='
# and it fails =(
assert hash_from_file == hash_from_sumdb

please help me. I know the go command but I need to use python here... I've read this thread but it didn't help =(

WORKAROUND

Things seem to be a little more complicated than that. I followed the topic you mentioned and found this answer. In addition, if you refer to The source code of this function, you can see how the hash used in the go module is implemented.

This version is valid:

import hashlib
import base64

def calculate_sha256_checksum(data):
    sha256_hash = hashlib.sha256()
    sha256_hash.update(data.encode('utf-8'))
    return sha256_hash.digest()

# Specify the file path
file_path = 'go.mod'

# Read the file content
with open(file_path, 'r') as file:
    file_content = file.read()

# Calculate the SHA256 checksum of the file content
checksum1 = calculate_sha256_checksum(file_content)

# Format the checksum followed by two spaces, filename, and a new line
formatted_string = f'{checksum1.hex()}  {file_path}\n'

# Calculate the SHA256 checksum of the formatted string
checksum2 = calculate_sha256_checksum(formatted_string)

# Convert the checksum to base64
base64_checksum = base64.b64encode(checksum2).decode('utf-8')

print(base64_checksum)

The above is the detailed content of How to check go.mod hashes in sum.golang.org using Python?. For more information, please follow other related articles on the PHP Chinese website!