pure-css/pure

Invalid integrity hash

kjkraw opened this issue · 8 comments

The integrity hash for pure-min is invalid wherever listed on the website.

On the website:

<link rel="stylesheet" href="https://unpkg.com/purecss@2.0.3/build/pure-min.css" integrity="sha384-4ZPLezkTZTsojWFhpdFembdzFudphhoOzIunR1wH6g1WQDzCAiPvDyitaK67mp0+" crossorigin="anonymous">

On the GitHub README:

<link rel="stylesheet" href="https://unpkg.com/purecss@2.0.3/build/pure-min.css" integrity="sha384-cg6SkqEOCV1NbJoCu11+bm0NvBRc8IYLRGXkmNrqUBfTjmMYwNKPWBTIKyw9mHNJ" crossorigin="anonymous">

The link on GitHub works, the one on the website does not.

Confirmed. Just wasted some time due to this as I didn't want to just change the hash to match what I was obtaining from the CDN. Is it because the git tag for 2.0.3 has moved? Is that why it should be a release instead?

I thought I fixed this problem before. The build process will generate the pure files on the fly and generate the hash from that. If anything, it should be more up to date than the one in the readme. I'm not sure what's going on, I will have to take a look at it. If anyone is available or wants to help, they can try fixing it too.

The hash is generated here: https://github.com/pure-css/pure/blob/master/site/lib/pure.js#L11

Hi @redonkulus, the readFileSync uses an encoding of utf-8 whereas update uses utf8. I don't know if that matters as the NodeJS documentation seems to use both though favours utf8. I noticed because I wondered if it would be better to not specify either of those encodings so buffers are used containing raw bytes?

Here's how I arrived at the README one given above.

$ openssl dgst -sha384 -binary pure-min.css | openssl base64 -A; echo
cg6SkqEOCV1NbJoCu11+bm0NvBRc8IYLRGXkmNrqUBfTjmMYwNKPWBTIKyw9mHNJ
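
The encoding question raised above, as an added example that is not part of the thread or of Pure's build code: a Node.js sketch that computes the SRI value from raw bytes (the same result as the openssl pipeline shown), checks bytes against an integrity attribute, and shows when a decode-to-string step changes the digest. The function names and the sample stylesheets are constructed for illustration.

```javascript
const crypto = require('crypto');

// SRI value over raw bytes: "<algo>-<base64 digest>". Same result as
// `openssl dgst -sha384 -binary FILE | openssl base64 -A` with "sha384-" prepended.
function sriHash(bytes, algo = 'sha384') {
  return `${algo}-${crypto.createHash(algo).update(bytes).digest('base64')}`;
}

// Hash after a decode/encode round trip, as happens when a file is read as a string.
// Node treats 'utf8' and 'utf-8' as the same encoding.
function hashViaString(bytes, enc) {
  return sriHash(Buffer.from(bytes.toString(enc), enc));
}

// Check bytes against an integrity attribute value. Several space-separated
// hashes may be listed; as in browsers, only the strongest algorithm present
// is compared. Unlike browsers, an attribute with no usable hash fails closed.
const RANK = { sha256: 1, sha384: 2, sha512: 3 };
function verifyIntegrity(integrity, bytes) {
  const entries = integrity.trim().split(/\s+/)
    .map((t) => /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})/.exec(t))
    .filter(Boolean)
    .map(([, algo, b64]) => ({ algo, value: `${algo}-${b64}` }));
  if (entries.length === 0) return false;
  const best = Math.max(...entries.map((e) => RANK[e.algo]));
  return entries
    .filter((e) => RANK[e.algo] === best)
    .some((e) => sriHash(bytes, e.algo) === e.value);
}

// Constructed samples (not the real pure-min.css): the same CSS with two
// different license URLs in the banner, and one file with an invalid UTF-8 byte.
const built = Buffer.from('/*! Sample v1 | https://example.com/LICENSE */\n.a{margin:0}\n');
const published = Buffer.from('/*! Sample v1 | https://example.com/LICENSE.md */\n.a{margin:0}\n');
const invalidUtf8 = Buffer.concat([built, Buffer.from([0xff])]);

function report() {
  return {
    tagForBuilt: sriHash(built),
    builtMatchesOwnTag: verifyIntegrity(sriHash(built), built),
    publishedMatchesBuiltTag: verifyIntegrity(sriHash(built), published),
    stringHashSafeForValidText: hashViaString(built, 'utf-8') === sriHash(built),
    stringHashSafeForInvalidBytes: hashViaString(invalidUtf8, 'utf8') === sriHash(invalidUtf8),
  };
}

console.log(report());
```

Running `verifyIntegrity` on the bytes fetched from the CDN against the tag the site publishes catches a stale or mismatched hash before users do.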

@RalphCorderoy so I checked out the latest from master, rebuilt the Pure files and ran the same command you executed above. The hash I got matches the one on the website:

$ openssl dgst -sha384 -binary pure-min.css | openssl base64 -A; echo
4ZPLezkTZTsojWFhpdFembdzFudphhoOzIunR1wH6g1WQDzCAiPvDyitaK67mp0+

It seems like the readme is just out of date.

Hi @redonkulus, now do the same with the one from the CDN.

$ wget -nv https://unpkg.com/purecss@2.0.3/build/pure-min.css
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
2021-01-11 13:15:33 URL:https://unpkg.com/purecss@2.0.3/build/pure-min.css [16797] -> "pure-min.css" [1]
$ 
$ sha512sum pure-min.css
1448a8c6539b45722c90d010d7f2f46f2c7448491f018fb97ced36e29f641847d44270021917c21b901fe1ba7feec3cd4b329b32dbe6709396642edf3d7d7f14  pure-min.css
$ 
$ sha384sum pure-min.css
720e9292a10e095d4d6c9a02bb5d7e6e6d0dbc145cf0860b4465e498daea5017d38e6318c0d28f5814c82b2c3d987349  pure-min.css
$ 
$ openssl dgst -sha384 -binary pure-min.css | openssl base64 -A; echo
cg6SkqEOCV1NbJoCu11+bm0NvBRc8IYLRGXkmNrqUBfTjmMYwNKPWBTIKyw9mHNJ
$ 

@RalphCorderoy I was able to figure out what was different in the CDN file versus my local one. The URL to the license changed and for some reason the CDN has the old path, which didn't match the one that was generated locally. I released v2.0.4 to fix this issue. I re-ran your commands and the hash matches the CDN and website now:

$ wget -nv https://unpkg.com/purecss@2.0.4/build/pure-min.css
2021-01-19 20:42:25 URL:https://unpkg.com/purecss@2.0.4/build/pure-min.css [16794] -> "pure-min.css" [1]

$ sha512sum pure-min.css
285c9fdbe95fd4ee7059c95c6e9164e8966dc32c252e6c160c77c6c3e508bb7a6b23a65a594cb6b4b41c436195786e05e90e2562ce426b428f29439a58685841  pure-min.css

$ sha384sum pure-min.css
2c9cb973141148c218bb689cf93bf0d00ce86f9677750c51911f0b34622ae3a00911d7c4f43b6e04e08db627d125e07b  pure-min.css

$ openssl dgst -sha384 -binary pure-min.css | openssl base64 -A; echo
LJy5cxQRSMIYu2ic+Tvw0Azob5Z3dQxRkR8LNGIq46AJEdfE9DtuBOCNtifRJeB7

The latest changes are published on the website now too. @kjkraw please double check as well.

LGTM, @redonkulus, thanks. One small thing: https://github.com/pure-css/pure#get-started still mentions 2.0.3.

Good call, fixed 8c3c7cb