feat: Verify cksum of crate tarball from cargo registry (#1260)

Fixed #1183 Since the crate tarball could be downloaded from a different set of servers than where the cargo registry is hosted, verifying the checksum is necessary to verify its integrity. Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
2025-04-25 06:40:03 +00:00 · 2023-08-09 20:57:47 +10:00 · 2023-08-09 20:57:47 +10:00 · 3e80b12748
commit 3e80b12748
parent 1c886d8897
10 changed files with 112 additions and 45 deletions
--- a/crates/binstalk/src/drivers/registry/sparse_registry.rs
+++ b/crates/binstalk/src/drivers/registry/sparse_registry.rs
@ -88,7 +88,7 @@ impl SparseRegistry {
    ) -> Result<Manifest<Meta>, BinstallError> {
        let crate_prefix = crate_prefix_components(crate_name)?;
        let dl_template = self.get_dl_template(&client).await?;
-        let MatchedVersion { version, cksum } = Self::find_crate_matched_ver(
+        let matched_version = Self::find_crate_matched_ver(
            &client,
            self.url.clone(),
            crate_name,
@ -100,10 +100,9 @@ impl SparseRegistry {
            dl_template,
            crate_name,
            &crate_prefix,
-            &version,
-            &cksum,
+            &matched_version,
        )?)?;

-        parse_manifest(client, crate_name, &version, dl_url).await
+        parse_manifest(client, crate_name, dl_url, matched_version).await
    }
 }