@r-n-o
Created August 5, 2025 01:29
Verify `Cargo.lock` crate digest integrity
#!/usr/bin/env bash
# Fail fast: abort on any command error, on use of an unset variable, and when
# any stage of a pipeline fails.
set -o errexit -o nounset -o pipefail
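#######################################
# Download one crate from crates.io (unless it is already in the local cache)
# and compare its SHA-256 digest with the checksum recorded in Cargo.lock.
# Arguments:
#   $1 - crate name
#   $2 - crate version
#   $3 - expected SHA-256 checksum (64 lowercase hex characters)
# Outputs:
#   Progress, validation failures and mismatch details on stdout.
# Returns:
#   0 when the digest matches. Exits the shell with status 1 on a malformed
#   argument or a digest mismatch, and with curl's status when the download
#   fails.
#######################################
download_and_verify_crate() {
  local crate="$1"
  local version="$2"
  local expected_checksum="$3"
  local -r cache_dir=".crate-cache"
  local -r name_re='^[A-Za-z0-9_-]+$'
  local -r version_re='^[0-9A-Za-z.+-]+$'
  local -r digest_re='^[0-9a-f]{64}$'
  local file tmp digest_line actual_checksum rc

  # All three fields are read from Cargo.lock and end up in a file path and a
  # URL. Reject anything outside the expected alphabets so that a "/" or other
  # shell/URL metacharacter in the lockfile cannot redirect the write or the
  # request.
  if [[ ! "$crate" =~ $name_re ]] \
    || [[ ! "$version" =~ $version_re ]] \
    || [[ ! "$expected_checksum" =~ $digest_re ]]; then
    echo "Invalid Cargo.lock entry (name, version or checksum): $crate@$version"
    exit 1
  fi

  file="${cache_dir}/${crate}-${version}.crate"
  mkdir -p "$cache_dir"

  if [[ ! -f "$file" ]]; then
    echo "πŸ“¦ Downloading $crate@$version"
    # Fetch into a temp file and rename afterwards, so an interrupted transfer
    # never leaves a truncated file under the cache name.
    tmp=$(mktemp "${file}.XXXXXX")
    rc=0
    # -L is needed because the download endpoint redirects; --proto and
    # --proto-redir keep both the request and any redirect on HTTPS.
    curl -sSfL --proto '=https' --proto-redir '=https' \
      "https://crates.io/api/v1/crates/${crate}/${version}/download" \
      -o "$tmp" || rc=$?
    if ((rc != 0)); then
      rm -f -- "$tmp"
      exit "$rc"
    fi
    mv -- "$tmp" "$file"
  fi

  echo "πŸ” Verifying $crate@$version"
  # Use whichever SHA-256 tool is installed: sha256sum (coreutils) first,
  # shasum otherwise. Both print "<hex digest>  <file>".
  if command -v sha256sum >/dev/null 2>&1; then
    digest_line=$(sha256sum "$file")
  else
    digest_line=$(shasum -a 256 "$file")
  fi
  actual_checksum=${digest_line%% *}

  if [[ "$actual_checksum" != "$expected_checksum" ]]; then
    # The mismatching file is left in the cache so it can be inspected.
    echo "❌ MISMATCH: $crate@$version"
    echo " Expected: $expected_checksum"
    echo " Found: $actual_checksum"
    exit 1
  fi
  echo "βœ… OK: $crate@$version"
}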
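# Abort early when no SHA-256 tool is on PATH. shasum is accepted alongside
# sha256sum so this check does not reject hosts that only ship the former.
if ! command -v sha256sum >/dev/null 2>&1 \
  && ! command -v shasum >/dev/null 2>&1; then
  echo "❌ Missing sha256sum (or shasum); please install coreutils"
  exit 1
fi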
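# Pull "name version checksum" triples out of Cargo.lock. Only [[package]]
# entries that carry a checksum line are emitted; entries without one are
# skipped. Capturing the output first lets an awk failure (for example a
# missing Cargo.lock) abort the script.
lock_entries=$(awk '
  { sub(/\r$/, "") }  # tolerate CRLF line endings
  /^\[\[package\]\]/ { in_package = 1; name = ""; version = ""; checksum = "" }
  in_package && /^name = / { gsub(/"/, "", $3); name = $3 }
  in_package && /^version = / { gsub(/"/, "", $3); version = $3 }
  in_package && /^checksum = / {
    gsub(/"/, "", $3); checksum = $3
    printf "%s %s %s\n", name, version, checksum
    in_package = 0
  }
' Cargo.lock)

# Verify every triple in the current shell (not a pipeline subshell) so the
# counter below survives the loop.
verified=0
while read -r name version checksum; do
  # A here-string always yields at least one (possibly empty) line.
  [[ -n "$name" ]] || continue
  download_and_verify_crate "$name" "$version" "$checksum"
  verified=$((verified + 1))
done <<< "$lock_entries"

# An integrity check that inspected nothing should not look like a clean pass:
# say so when no checksummed package was found.
if ((verified == 0)); then
  echo "Warning: no checksummed packages found in Cargo.lock; nothing was verified." >&2
fi
echo "πŸŽ‰ All checks passed."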