rust: calculate and upload SHA256SUMS file during release

indygreg · indygreg · commit 4cc656e24dd6 · 2022-02-27T10:03:15.000-07:00
For integrity verification.

Ideally we'd also GPG sign. That can be done later.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -12,6 +12,7 @@ duct = "0"
 flate2 = "1"
 futures = "0"
 goblin = "0"
+hex = "0"
 octocrab = { version = "0", features = ["rustls"] }
 once_cell = "1"
 rayon = "1"
@@ -20,6 +21,7 @@ scroll = "0"
 semver = "1"
 serde_json = "1"
 serde = { version = "1", features = ["derive"] }
+sha2 = "0"
 tar = "0"
 tempfile = "3"
 tokio = "1"
diff --git a/src/github.rs b/src/github.rs
@@ -12,6 +12,7 @@ use {
         Octocrab, OctocrabBuilder,
     },
     rayon::prelude::*,
+    sha2::{Digest, Sha256},
     std::{
         collections::{BTreeMap, BTreeSet},
         io::Read,
@@ -327,15 +328,39 @@ pub async fn command_upload_release_distributions(args: &ArgMatches) -> Result<(
         ));
     };
 
+    let mut digests = BTreeMap::new();
+
     for (source, dest) in wanted_filenames {
         if !filenames.contains(&source) {
             continue;
         }
 
         let file_data = std::fs::read(dist_dir.join(&source))?;
 
+        let mut digest = Sha256::new();
+        digest.update(&file_data);
+
+        digests.insert(dest.clone(), hex::encode(digest.finalize()));
+
         upload_release_artifact(&client, &release, &dest, file_data, dry_run).await?;
     }
 
+    let shasums = digests
+        .iter()
+        .map(|(filename, digest)| format!("{}  {}\n", digest, filename))
+        .collect::<Vec<_>>()
+        .join("");
+
+    std::fs::write(dist_dir.join("SHA256SUMS"), shasums.as_bytes())?;
+
+    upload_release_artifact(
+        &client,
+        &release,
+        "SHA256SUMS",
+        shasums.into_bytes(),
+        dry_run,
+    )
+    .await?;
+
     Ok(())
 }
