chore: Use SHA-256 utility (#1406)

Use `sha256` utility from `metamask/utils` which has the same
implementation.

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Switch hashing to `@metamask/utils` `sha256` in signing and
verification, removing fallback logic/tests and bumping the utils
dependency.
> 
> - **Crypto/Verification**:
> - Replace custom/`@noble/hashes` SHA-256 with `sha256` from
`@metamask/utils` in `src/verify.ts` and `scripts/sign-registry.ts`.
> - Remove internal `sha256` helper and noble imports; adjust signing to
hash file bytes before `secp256k1.sign`.
> - **Tests**:
> - Delete fallback digest tests; retain signature validity tests in
`src/verify.test.ts`.
> - **Dependencies**:
>   - Bump `@metamask/utils` to `^11.9.0`.
>   - Remove `@noble/hashes` from `dependencies` and update lockfile.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
19c4a7d. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Author: FrederikBolding

package.json

@@ -32,9 +32,8 @@
   },
   "dependencies": {
     "@metamask/superstruct": "^3.2.1",
-    "@metamask/utils": "^11.4.0",
-    "@noble/curves": "^1.2.0",
-    "@noble/hashes": "^1.3.2"
+    "@metamask/utils": "^11.9.0",
+    "@noble/curves": "^1.2.0"
   },
   "devDependencies": {
     "@lavamoat/allow-scripts": "^2.3.1",

scripts/sign-registry.ts

@@ -4,9 +4,9 @@ import {
   bytesToHex,
   hexToBytes,
   isHexString,
+  sha256,
 } from '@metamask/utils';
 import { secp256k1 } from '@noble/curves/secp256k1';
-import { sha256 } from '@noble/hashes/sha256';
 import * as dotenv from 'dotenv';
 import { promises as fs } from 'fs';
 import path from 'path';
@@ -66,9 +66,9 @@ async function main() {
 
   const registry = await fs.readFile(registryPath);
 
-  const signature = add0x(
-    secp256k1.sign(sha256(registry), privateKeyBytes).toDERHex(),
-  );
+  const hash = await sha256(new Uint8Array(registry));
+
+  const signature = add0x(secp256k1.sign(hash, privateKeyBytes).toDERHex());
 
   const signatureObject = format(
     JSON.stringify({

src/verify.test.ts

@@ -1,5 +1,3 @@
-import * as nobleHashes from '@noble/hashes/sha256';
-
 import { verify } from './verify';
 
 const MOCK_REGISTRY = `test\n`;
@@ -64,44 +62,6 @@ describe('verify', () => {
     ).toBe(true);
   });
 
-  it('falls back to noble when digest function is unavailable', async () => {
-    const nobleSpy = jest.spyOn(nobleHashes, 'sha256');
-
-    Object.defineProperty(globalThis.crypto.subtle, 'digest', {
-      value: undefined,
-      writable: true,
-    });
-
-    expect(
-      await verify({
-        registry: MOCK_REGISTRY,
-        signature: MOCK_SIGNATURE,
-        publicKey: MOCK_PUBLIC_KEY,
-      }),
-    ).toBe(true);
-
-    expect(nobleSpy).toHaveBeenCalled();
-  });
-
-  it('falls back to noble when subtle APIs are unavailable', async () => {
-    const nobleSpy = jest.spyOn(nobleHashes, 'sha256');
-
-    Object.defineProperty(globalThis.crypto, 'subtle', {
-      value: undefined,
-      writable: true,
-    });
-
-    expect(
-      await verify({
-        registry: MOCK_REGISTRY,
-        signature: MOCK_SIGNATURE,
-        publicKey: MOCK_PUBLIC_KEY,
-      }),
-    ).toBe(true);
-
-    expect(nobleSpy).toHaveBeenCalled();
-  });
-
   it('rejects an invalid signature', async () => {
     expect(
       await verify({

src/verify.ts

@@ -7,9 +7,9 @@ import {
   stringToBytes,
   assertStruct,
   hexToBytes,
+  sha256,
 } from '@metamask/utils';
 import { secp256k1 } from '@noble/curves/secp256k1';
-import { sha256 as nobleSha256 } from '@noble/hashes/sha256';
 
 export const SignatureStruct = object({
   signature: StrictHexStruct,
@@ -25,28 +25,6 @@ type VerifyArgs = {
   publicKey: Hex;
 };
 
-/**
- * Compute a SHA-256 digest for a given byte array.
- *
- * Uses the native crypto implementation and falls back to noble.
- *
- * @param bytes - A byte array.
- * @returns The SHA-256 hash as a byte array.
- */
-async function sha256(bytes: Uint8Array): Promise<Uint8Array> {
-  // Use crypto.subtle.digest whenever possible as it is faster.
-  if (
-    'crypto' in globalThis &&
-    typeof globalThis.crypto === 'object' &&
-    // eslint-disable-next-line no-restricted-globals
-    crypto.subtle?.digest
-  ) {
-    // eslint-disable-next-line no-restricted-globals
-    return new Uint8Array(await crypto.subtle.digest('SHA-256', bytes));
-  }
-  return nobleSha256(bytes);
-}
-
 /**
  * Verifies that the Snap Registry is properly signed using a cryptographic key.
  *

yarn.lock

@@ -1303,9 +1303,8 @@ __metadata:
     "@metamask/snaps-sdk": ^8.1.0
     "@metamask/snaps-utils": ^10.1.0
     "@metamask/superstruct": ^3.2.1
-    "@metamask/utils": ^11.4.0
+    "@metamask/utils": ^11.9.0
     "@noble/curves": ^1.2.0
-    "@noble/hashes": ^1.3.2
     "@types/jest": ^28.1.6
     "@types/node": ^17.0.23
     "@typescript-eslint/eslint-plugin": ^5.43.0
@@ -1401,20 +1400,22 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@metamask/utils@npm:^11.0.1, @metamask/utils@npm:^11.1.0, @metamask/utils@npm:^11.2.0, @metamask/utils@npm:^11.4.0":
-  version: 11.4.0
-  resolution: "@metamask/utils@npm:11.4.0"
+"@metamask/utils@npm:^11.0.1, @metamask/utils@npm:^11.1.0, @metamask/utils@npm:^11.2.0, @metamask/utils@npm:^11.4.0, @metamask/utils@npm:^11.9.0":
+  version: 11.9.0
+  resolution: "@metamask/utils@npm:11.9.0"
   dependencies:
     "@ethereumjs/tx": ^4.2.0
     "@metamask/superstruct": ^3.1.0
     "@noble/hashes": ^1.3.1
     "@scure/base": ^1.1.3
     "@types/debug": ^4.1.7
+    "@types/lodash": ^4.17.20
     debug: ^4.3.4
+    lodash: ^4.17.21
     pony-cause: ^2.1.10
     semver: ^7.5.4
     uuid: ^9.0.1
-  checksum: 18f4ac60221b4651a4c64fe9b2985092537248662634e8c6757afaef752b9dc400bd13fb7f4e8172823f5e5ec96ea129d7622c0fb2f3b9abfec2af8b466fff92
+  checksum: 467d9c1835dfe9bf9f67af0e0a472ca1805aa7f7a3969f439e4d14d9db2fa9c8da7611c8299c81f65ef6a63cb72725b227bac28080ed467375115c3ad6227d7a
   languageName: node
   linkType: hard
 
@@ -1793,6 +1794,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@types/lodash@npm:^4.17.20":
+  version: 4.17.21
+  resolution: "@types/lodash@npm:4.17.21"
+  checksum: e09e3eaf29b18b6c8e130fcbafd8e3c4ecc2110f35255079245e7d1bd310a5a8f93e4e70266533dce672f253bba899c721bc6870097e0a8c5448e0b628136d39
+  languageName: node
+  linkType: hard
+
 "@types/ms@npm:*":
   version: 0.7.34
   resolution: "@types/ms@npm:0.7.34"