Skip to content

Refactor: Centralize and Standardize Checksum Logic #131

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Nov 25, 2025
Merged

Refactor: Centralize and Standardize Checksum Logic #131

merged 8 commits into from
Nov 25, 2025

Conversation

@tamilari
Copy link
Contributor

@tamilari tamilari commented Nov 24, 2025

This series of commits significantly refactors and improves our checksum handling. Key changes include:

  • Centralization of checksum logic: Moving various checksum parsing, calculation, and verification functionalities into common utility functions. This enhances maintainability and reduces code duplication
  • "Best Digest" approach for hash checks: Implementing a standardized approach to use only the best matching digest for hash comparisons across various components. This ensures strong integrity checks by focusing on the most reliable checksums and prevents mismatches that could arise from differing lower-priority algorithms.

fmoessbauer
fmoessbauer reviewed Nov 24, 2025
View reviewed changes
@tamilari
refactor: Convert 'to_hashlib' to instance method
f532b01 
The `to_hashlib` method now operates directly on the `ChecksumAlgo` enum instance,
simplifying its usage and aligning better with object-oriented principles.

Signed-off-by: Tamino Larisch <[email protected]>
@tamilari
refactor: move ChecksumMismatchError to util
bf10b51 
Move `ChecksumMismatchError` from `debsbom/merge/merge.py` to
`debsbom/util/checksum.py` to centralize checksum-related logic and
enhance reusability across the codebase.

Signed-off-by: Tamino Larisch <[email protected]>
@tamilari
feat(checksum): Add digest verification helpers
b538b48 
Introduced `verify_best_matching_digest` to compare two sets of digests
and `check_hash_from_path` to verify a file's hash against provided
checksums. The `best_matching_digest` function was also renamed to
`_best_matching_digest`, signifying its new role as an internal helper
not intended for direct external use.

Signed-off-by: Tamino Larisch <[email protected]>
@tamilari
refactor(merge): use best digest for hash check
9d378a7 
Replaced inline hash comparison logic in both `CdxSbomMerger` and
`SpdxSbomMerger` with a call to the `verify_best_matching_digest`
utility function. This improves readability and maintainability by
abstracting complex logic. Only checking the best matching digest
prevents mismatches due to differing lower-priority checksums while
still ensuring strong integrity checks on the most reliable digest.

Signed-off-by: Tamino Larisch <[email protected]>
@tamilari
refactor: centralize/optimize checksum calculation
963a7a1 
Replace inline and repetitive checksum calculation logic with a new,
dedicated `calculate_checksums` utility function. This new function
processes input data (file paths or raw bytes) in a single pass,
updating all required hash algorithms concurrently. This reduces I/O
operations and improves performance compared to the previous method of
reading the stream multiple times for each checksum algorithm

Signed-off-by: Tamino Larisch <[email protected]>
@tamilari
refactor: standardize RemoteFile checksum storage
c7218e7 
RemoteFile now uses our intern mapping of ChecksumAlgo to str, as it is
in most places where we have checksums. Apart from removing the
ambiguitiy of what hash algorithm 'hash' uses, it also allows the use of
the new checksum verification methods to compare checkusms.
This change requires the use of a frozenset in PackageDownloader to
ensure that files are identified by their complete set of checksums.

Signed-off-by: Tamino Larisch <[email protected]>
@tamilari
refactor: centralize/standardize checksum logic
b6e36f9 
Move checksum parsing and verification logic into `util/checksum.py`.
This introduces new utilities for extracting checksums from Dsc files
and debian package entries, as well as validating files linked in a Dsc
file.

Signed-off-by: Tamino Larisch <[email protected]>
@tamilari
refactor: convert absolute to relative imports
d4856a1 
Signed-off-by: Tamino Larisch <[email protected]>
@fmoessbauer
Copy link
Member

fmoessbauer commented Nov 25, 2025

@Urist-McGit from my perspective the changes are fine. But as the changeset is quite big, I would be happy if you could review as well.

@Urist-McGit
Copy link
Collaborator

Urist-McGit commented Nov 25, 2025

LGTM too, even if it means I have to do quite a big rebase on the plugin work

@Urist-McGit Urist-McGit merged commit 31ac2eb into siemens:main Nov 25, 2025
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fmoessbauer fmoessbauer fmoessbauer left review comments

@Urist-McGit Urist-McGit Urist-McGit approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tamilari @fmoessbauer @Urist-McGit