Class: Beni::Vendor::Checksum

Inherits:
Object
Defined in:
lib/beni/vendor/checksum.rb

Overview

SHA256 verification for vendored tarballs. One instance per (path, expected_sha) pair; reuse is not supported and not needed by Beni::Tasks. Operates in two modes:

* Explicit expected hash (a built-in pair entry or a consumer
  override): must match exactly; mismatch raises.
* Trust-on-first-use (TOFU): when expected_sha is nil or empty,
  the actual hash is pinned to a .sha256 sidecar next to the
  tarball. Subsequent runs compare against the pinned value and
  raise on drift.

Public contract is the single #verify_or_pin entry point; the two branches and the digest helper are internal.

Constructor Details

#initialize(path, expected_sha) ⇒ Checksum

Returns a new instance of Checksum.



# File 'lib/beni/vendor/checksum.rb', line 21

def initialize(path, expected_sha)
  @path = path
  @expected_sha = expected_sha
end

Instance Method Details

#verify_or_pin ⇒ Object

Verify the tarball against expected_sha (if non-empty) or TOFU-pin against the .sha256 sidecar. Returns the computed SHA256 hex digest on success. Raises Beni::Error on mismatch (explicit mode) or drift (TOFU mode); both error messages carry a [beni] prefix for CI log grepping.



# File 'lib/beni/vendor/checksum.rb', line 31

def verify_or_pin
  actual = sha256
  sidecar = "#{@path}.sha256"
  expected? ? verify_against_expected(actual, sidecar) : verify_or_pin_sidecar(actual, sidecar)
  actual
end
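
The private branches behind #verify_or_pin are not shown on this page. The sketch below is an added example, not Beni's own code, of how the explicit and TOFU modes described in the overview can behave. PinError, outcome, demo, the error message wording, and the choice to ignore the sidecar in explicit mode are assumptions; only the [beni] prefix and the .sha256 sidecar name come from the documentation.

```ruby
require "digest"
require "tmpdir"

# Hypothetical stand-in for Beni::Error so the sketch runs on its own.
class PinError < StandardError; end

# Assumed logic for both modes; only the "[beni]" prefix comes from the docs.
def verify_or_pin(path, expected_sha)
  actual   = Digest::SHA256.file(path).hexdigest # streamed, not slurped
  sidecar  = "#{path}.sha256"
  expected = expected_sha.to_s
  unless expected.empty?
    # Explicit mode: exact match required; the sidecar is not consulted here.
    return actual if expected == actual
    raise PinError, "[beni] sha256 mismatch for #{path}: expected #{expected}, got #{actual}"
  end
  if File.exist?(sidecar)
    # TOFU, later runs: compare with the value pinned on first use.
    pinned = File.read(sidecar).strip
    raise PinError, "[beni] sha256 drift for #{path}: pinned #{pinned}, got #{actual}" unless pinned == actual
  else
    # TOFU, first run: nothing to compare against, so pin what we saw.
    File.write(sidecar, "#{actual}\n")
  end
  actual
end

# Runs the block and returns :ok or the error message (keeps demo short).
def outcome
  yield
  :ok
rescue PinError => e
  e.message
end

# Constructed demo: a fake "tarball" in a temp dir, then a content change.
def demo
  Dir.mktmpdir do |dir|
    tarball = File.join(dir, "dep.tar.gz")
    File.binwrite(tarball, "constructed tarball bytes v1")
    r = { first: verify_or_pin(tarball, nil), second: verify_or_pin(tarball, "") }
    r[:pinned] = File.read("#{tarball}.sha256").strip
    File.binwrite(tarball, "constructed tarball bytes v2")
    r[:drift] = outcome { verify_or_pin(tarball, nil) }
    r[:explicit] = outcome { verify_or_pin(tarball, "0" * 64) }
    r
  end
end

pp demo if $PROGRAM_NAME == __FILE__
```

In TOFU mode the first run accepts whatever bytes are on disk; only an explicit expected hash checks the initial download.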