Skip to content

fix: key checksums by filename to include windows_amd64#956

Open
cotishq wants to merge 1 commit into
goharbor:mainfrom
cotishq:fix/checksums-windows-amd64
Open

fix: key checksums by filename to include windows_amd64#956
cotishq wants to merge 1 commit into
goharbor:mainfrom
cotishq:fix/checksums-windows-amd64

Conversation

@cotishq
Copy link
Copy Markdown
Contributor

@cotishq cotishq commented May 23, 2026

Description

Scoop autoupdate reads hashes from checksums.txt by artifact filename. On v0.0.20, harbor-cli_*_windows_amd64.zip was missing from that file because duplicate SHA256 values overwrote each other when checksums were keyed by hash.

Type of Change

Please select the relevant type.

  • Bug fix
  • New feature
  • Refactor
  • Documentation update
  • Chore / maintenance

Changes

  • Key checksum entries by filename in .dagger/checksum.go instead of by hash
  • Emit checksums.txt with filenames sorted alphabetically
  • Both windows_amd64 and windows_arm64 archives now appear in checksums.txt when their hashes collide

Test plan

  • dagger call build -> archive -> nfpm-build -> apk -> checksum
  • grep windows dist/checksums.txt shows both windows_amd64.zip and windows_arm64.zip
Screenshot From 2026-05-24 00-12-51
  • sha256sum on dist/archive/*_windows_*.zip matches checksums.txt
image

@cotishq
fix: key checksums by filename to include windows_amd64
84877ea 
Signed-off-by: cotishq <tanishqp101204@gmail.com>
@cotishq cotishq force-pushed the fix/checksums-windows-amd64 branch from f44f597 to 84877ea Compare May 23, 2026 19:01
@codecov
Copy link
Copy Markdown

codecov Bot commented May 23, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 9.27%. Comparing base (60ad0bd) to head (84877ea).
⚠️ Report is 163 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff            @@
##             main    #956      +/-   ##
=========================================
- Coverage   10.99%   9.27%   -1.72%     
=========================================
  Files         173     290     +117     
  Lines        8671   14597    +5926     
=========================================
+ Hits          953    1354     +401     
- Misses       7612   13117    +5505     
- Partials      106     126      +20

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@cotishq
Copy link
Copy Markdown
Contributor Author

cotishq commented May 23, 2026

@NucleoFusion would appreciate your review on this

@bhavyaKhatri2703
Copy link
Copy Markdown
Contributor

bhavyaKhatri2703 commented May 24, 2026

But why we got duplicate hash values in the first place tho?

@NucleoFusion
Copy link
Copy Markdown
Contributor

NucleoFusion commented May 24, 2026

I will review this in a while but I'm curious t know what the issue was

@cotishq
Copy link
Copy Markdown
Contributor Author

cotishq commented May 24, 2026

But why we got duplicate hash values in the first place tho?

so the duplicate hash occurs because the two Windows archives (windows_amd64.zip and windows_arm64.zip) can produce identical SHA256 values when they contain the same binary content - for example if the cross-compiled binaries for both targets are functionally identical at that release. The original code used the hash as the map key, so the second entry silently overwrote the first. Keying by filename instead ensures both entries are always written regardless of hash collision.

@cotishq
Copy link
Copy Markdown
Contributor Author

cotishq commented May 24, 2026

I will review this in a while but I'm curious t know what the issue was

the issue was like the checksums were keyed by hash value in a map, so when both the zips( amd64 and arm64 ) produced the same sha256, the second entry overwrote the first before being written to checksums.txt.
so i just fixed by keying the map by filename instead, so now both entries always appear regardless of hash collision

@bhavyaKhatri2703
Copy link
Copy Markdown
Contributor

bhavyaKhatri2703 commented May 24, 2026

But why we got duplicate hash values in the first place tho?

so the duplicate hash occurs because the two Windows archives (windows_amd64.zip and windows_arm64.zip) can produce identical SHA256 values when they contain the same binary content - for example if the cross-compiled binaries for both targets are functionally identical at that release. The original code used the hash as the map key, so the second entry silently overwrote the first. Keying by filename instead ensures both entries are always written regardless of hash collision.

yeah that makes sense

@NucleoFusion
Copy link
Copy Markdown
Contributor

NucleoFusion commented May 24, 2026

I see, that was kinda stupid on my part then lol
Is the sha's for both still the same? Or are they different now?
Do you have a sample checksum file you can show?

@cotishq
Copy link
Copy Markdown
Contributor Author

cotishq commented May 24, 2026

yeah no worries, the sha's are still the same , but i think thats expected and not a problem
scoop just needs both filenames present in the file regardless of whether the hashes match
here is the ss of the sample output of checksums.txt
image

@cotishq
Copy link
Copy Markdown
Contributor Author

cotishq commented May 28, 2026

hey @NucleoFusion , can you tell me like is it a valid fix or i have to still iterate it ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[bug]: Checksum file doesnt include 'windows-amd64' in release 0.20 & in-turn breaks scoop

3 participants

@cotishq @bhavyaKhatri2703 @NucleoFusion