dirhash 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 22b502bf40701ab13a91f36a748ebd7c4b78ad14f3e8a4d65c8b9e4fc1b54975
+  data.tar.gz: 359d3ddb5afcaf6b5c6cac6ab0e6f220a27c8dbd38fba592048fec39f55d016f
+SHA512:
+  metadata.gz: d199de48ae3a80baa4e1a6b056c8cc2725affd1f442b0e5054fd6897d35d65a85ff7be85720928b91f13a16cbbb9081a962c3dbc2d81150859da3c873d5839b5
+  data.tar.gz: 65233d75725202d9c4c681857e7636e940f297fc2175bf63c256077ef9f71f5677b0efd89382b45e9d2dafb99ec08df6777d65dd9985ed314eea2d5f08b0c562

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## [Unreleased]
+
+## [0.1.0] - 2025-12-29
+
+- Initial release

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,10 @@
+# Code of Conduct
+
+"zipdigest" follows [The Ruby Community Conduct Guideline](https://www.ruby-lang.org/en/conduct) in all "collaborative space", which is defined as community communications channels (such as mailing lists, submitted patches, commit comments, etc.):
+
+* Participants will be tolerant of opposing views.
+* Participants must ensure that their language and actions are free of personal attacks and disparaging personal remarks.
+* When interpreting the words and actions of others, participants should always assume good intentions.
+* Behaviour which can be reasonably considered harassment will not be tolerated.
+
+If you have any concerns about behaviour within this project, please contact us at ["andrewnez@gmail.com"](mailto:"andrewnez@gmail.com").

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Andrew Nesbitt
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,100 @@
+# Dirhash
+
+Generate Go module zip digests compatible with sum.golang.org.
+
+This gem computes hashes for Go module zip files using the same algorithm as Go's checksum database. You can verify module integrity or build tooling that works with Go's module ecosystem.
+
+## Installation
+
+```bash
+gem install dirhash
+```
+
+Or add to your Gemfile:
+
+```ruby
+gem "dirhash"
+```
+
+## Usage
+
+```ruby
+require "dirhash"
+
+# Generate the h1: digest (compatible with go.sum)
+digest = Dirhash.hash_zip("/path/to/module.zip")
+# => "h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4="
+
+# Generate the manifest (list of file hashes)
+manifest = Dirhash.manifest("/path/to/module.zip")
+```
+
+## Hash Format
+
+Go's sumdb uses a two-level hash scheme defined in [golang.org/x/mod/sumdb/dirhash](https://pkg.go.dev/golang.org/x/mod/sumdb/dirhash).
+
+The manifest is built by:
+1. Listing all files in the zip (excluding directories)
+2. Sorting file names lexicographically
+3. For each file, computing `SHA256(content)` as lowercase hex
+4. Formatting each line as: `{hex_hash}  {filename}\n` (two spaces between hash and name)
+
+The final digest is:
+1. Concatenate all manifest lines
+2. Compute `SHA256(manifest)`
+3. Base64 encode the result
+4. Prefix with `h1:`
+
+Example manifest:
+
+```
+2d7c3e5b...  github.com/example/mod@v1.0.0/LICENSE
+8f4a2b1c...  github.com/example/mod@v1.0.0/go.mod
+a1b2c3d4...  github.com/example/mod@v1.0.0/mod.go
+```
+
+The `h1:` prefix indicates version 1 of the hash algorithm. Go reserves other prefixes for future algorithms.
+
+## Verifying Against sum.golang.org
+
+You can verify a module by downloading it from proxy.golang.org and comparing:
+
+```ruby
+require "dirhash"
+require "net/http"
+require "uri"
+
+module_path = "github.com/pkg/errors"
+version = "v0.9.1"
+
+# Download the module zip
+zip_url = "https://proxy.golang.org/#{module_path}/@v/#{version}.zip"
+zip_data = Net::HTTP.get(URI(zip_url))
+File.write("/tmp/module.zip", zip_data)
+
+# Compute digest
+digest = Dirhash.hash_zip("/tmp/module.zip")
+
+# Fetch expected hash from sumdb
+lookup_url = "https://sum.golang.org/lookup/#{module_path}@#{version}"
+# Compare with the h1: hash in the response
+```
+
+## References
+
+This implementation is based on:
+
+- [foragepm/zipdigest](https://github.com/foragepm/zipdigest) - JavaScript implementation
+- [golang.org/x/mod/sumdb/dirhash](https://pkg.go.dev/golang.org/x/mod/sumdb/dirhash) - Go's official implementation
+- [Go Module Mirror and Checksum Database](https://sum.golang.org/) - The official sumdb service
+
+## Development
+
+```bash
+bundle install
+rake test
+```
+
+## License
+
+MIT

data/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "minitest/test_task"
+
+Minitest::TestTask.create
+
+task default: :test

data/lib/dirhash/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Dirhash
+  VERSION = "0.1.0"
+end

data/lib/dirhash.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require_relative "dirhash/version"
+require "zip"
+require "digest"
+require "base64"
+
+module Dirhash
+  class Error < StandardError; end
+
+  def self.hash_zip(zip_path)
+    manifest = manifest(zip_path)
+    hash = Digest::SHA256.digest(manifest)
+    "h1:" + Base64.strict_encode64(hash)
+  end
+
+  def self.manifest(zip_path)
+    entries = []
+
+    Zip::File.open(zip_path) do |zip_file|
+      zip_file.each do |entry|
+        next if entry.directory?
+        entries << entry.name
+      end
+    end
+
+    entries.sort!
+
+    lines = []
+    Zip::File.open(zip_path) do |zip_file|
+      entries.each do |name|
+        entry = zip_file.find_entry(name)
+        content = entry.get_input_stream.read
+        hash = Digest::SHA256.hexdigest(content)
+        lines << "#{hash}  #{name}"
+      end
+    end
+
+    lines.join("\n") + "\n"
+  end
+end

data/sig/dirhash.rbs

@@ -0,0 +1,9 @@
+module Dirhash
+  VERSION: String
+
+  class Error < StandardError
+  end
+
+  def self.hash_zip: (String zip_path) -> String
+  def self.manifest: (String zip_path) -> String
+end

metadata

@@ -0,0 +1,80 @@
+--- !ruby/object:Gem::Specification
+name: dirhash
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Andrew Nesbitt
+bindir: exe
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rubyzip
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Generate digests and manifests of Go module zip contents using the same
+  algorithm as Go's sumdb dirhash
+email:
+- andrewnez@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- CODE_OF_CONDUCT.md
+- LICENSE
+- README.md
+- Rakefile
+- lib/dirhash.rb
+- lib/dirhash/version.rb
+- sig/dirhash.rbs
+homepage: https://github.com/foragepm/dirhash-rb
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/foragepm/dirhash-rb
+  source_code_uri: https://github.com/foragepm/dirhash-rb
+  changelog_uri: https://github.com/foragepm/dirhash-rb/blob/main/CHANGELOG.md
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.2.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 4.0.1
+specification_version: 4
+summary: Generate Go module zip digests compatible with sum.golang.org
+test_files: []