Accessing a crate by its cryptographic hash value

#1

For security reasons, I would like to include the cryptographic hash value of a crate’s specific version. Before using the crate, cargo would verify the hash value. Furthermore, it should be doable to inspect the internals of this crate. Ideally, the crate is only based on its Rust source code, i.e. it cannot contain further malicious implicit structure.

It goes without saying that cargo should emit a warning if a transitive dependency does not also contain the hash values of its dependencies.

Example of usage:

[dependencies]
some_crate = { version = "1.2.4", hash = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" }
0 Likes

#2

Cargo does this by default. There’s a sha256 checksum of all transitive dependencies in Cargo.lock.

7 Likes