Home > Software engineering >  Find checksum of every dependency in golang
Find checksum of every dependency in golang

Time:10-20

I want to be able to get the checksum of every package used by a go program, including packages used within modules.

runtime/debug in the standard library has ReadBuildInfo(), which is great, but it only gives data for modules, not for packages.

Example:

package pkgA

var Foo = 1

package pkgB

import "pkgA"

var Bar = pkgA.Foo

package main

import (
    "fmt"
    "runtime/debug"

    "example/pkgB"
)

func main() {
    _ = pkgB.Bar

    b, ok := debug.ReadBuildInfo()
    if !ok {
        fmt.Println("not ok!")
        return
    }

    for _, module := range b.Deps {
        fmt.Println(module.Path, module.Sum)
    }
}

The output is like

pkgB v0.0.0-20210225235400-92e28d816f64

There is no info on A. I believe this is because pkgB and pkgA both belong to the same module.

Question: Is there any way to access the checksum for pkgA?

CodePudding user response:

The Go checksum database stores checksums for modules, not packages. The debug information embedded in a binary does not include the mapping from packages to modules, but if you have access to the module's source you can use go list to report the mapping from packages to modules:

go list -f '{{if .Module}}{{.ImportPath}}: {{.Module}}{{end}}' all

You can use that mapping, in conjunction with the module-level checksums, to verify that each package has the correct source code. (Note that go mod verify already implements that verification.)

Page link:https//www.codepudding.com/Softwareengineering/158830.html

Prev:Switch on interface type without type assertion
Next:Cannot loop through yaml.MapItem.Value in go
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding