#190 Payload Hash and download verification
Closed: Fixed 7 years ago Opened 7 years ago by ctubbsii.

It's not clear what the "Payload Hash" field is.
It looks like an MD5, but of what? It's not the rpm... I've checked.

This field should be documented (by hover text or similar) to explain what it is.
In addition, a field should be provided which represents the hash for the artifact (RPM) produced from the hash. This would allow users to verify the artifact after downloading it to test.

For reference, see this task.


It is the sigmd5 value for the rpm. This is an embedded md5sum from the rpm's signature header. The rpm command will report it with rpm -Kv foo.rpm.

The term 'payload hash' is a misnomer. The sigmd5 checksum is actually the sum of the header+payload (excluding the signature header and the lead).

Since it is a misnomer, we should probably correct the display of the field in the web and CLI output. Unfortunately the term is also part of the API and schema, which are trickier to change.
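
The layout described in the comments above (lead, then signature header, then the header+payload that sigmd5 covers), as an added Python example that is not part of the original ticket or the project's code. `check_sigmd5` and `build_sample` are hypothetical names, and the sample file is constructed rather than a real package.

```python
import hashlib
import struct

LEAD_SIZE = 96                       # fixed-size lead at the start of every RPM
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # starts both signature header and main header
RPMSIGTAG_MD5 = 1004                 # the "sigmd5" entry (16 raw bytes)


def check_sigmd5(data):
    """Return (stored_hex, computed_hex) for the bytes of an RPM file."""
    if data[:4] != LEAD_MAGIC:
        raise ValueError("bad lead magic")
    if data[LEAD_SIZE:LEAD_SIZE + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    # 8 bytes magic/reserved, then entry count and data-store size (big-endian)
    nindex, hsize = struct.unpack_from(">II", data, LEAD_SIZE + 8)
    index_at = LEAD_SIZE + 16
    store_at = index_at + 16 * nindex
    stored = None
    for i in range(nindex):
        tag, _type, offset, count = struct.unpack_from(">4I", data, index_at + 16 * i)
        if tag == RPMSIGTAG_MD5:
            if count != 16 or offset + count > hsize:
                raise ValueError("malformed sigmd5 entry")
            stored = data[store_at + offset:store_at + offset + count]
    if stored is None or len(stored) != 16:
        raise ValueError("no sigmd5 entry in signature header")
    # The signature header is padded to an 8-byte boundary; everything after
    # that (main header + payload) is what sigmd5 covers.
    body_at = store_at + hsize + (-hsize % 8)
    return stored.hex(), hashlib.md5(data[body_at:]).hexdigest()


def build_sample(body):
    """Constructed, minimal RPM-shaped file (not a real package)."""
    store = hashlib.md5(body).digest() + struct.pack(">I", len(body))
    index = struct.pack(">4I", RPMSIGTAG_MD5, 7, 0, 16)   # type 7 = BIN
    index += struct.pack(">4I", 1000, 4, 16, 1)           # size tag, type 4 = INT32
    sig = HEADER_MAGIC + bytes(4) + struct.pack(">II", 2, len(store)) + index + store
    sig += bytes(-len(store) % 8)                         # alignment padding
    return LEAD_MAGIC + bytes(LEAD_SIZE - 4) + sig + body


if __name__ == "__main__":
    sample = build_sample(HEADER_MAGIC + b"constructed header and payload bytes")
    stored, computed = check_sigmd5(sample)
    print(stored, computed, "OK" if stored == computed else "MISMATCH")
```

A match here only shows that the file agrees with its own embedded digest; verifying a download means comparing the computed value with the one the build system displays.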

I think I'm mainly concerned about the UI. Anybody using the API should understand the fields before using it. Adding some text on the page (even just hover text) to explain what it is and how to verify it would be sufficient.

I don't think we need hover text here. Correcting output to use the proper terminology should be fine. RPM has its own documentation.

Makes sense to me. As long as the terminology in the UI is sufficient for a user to easily search for information on how to verify the artifact.

PR #208 to fix this issue

@mikem changed the status to Closed

7 years ago

Metadata Update from @tkopecek:
- Issue set to the milestone: 1.11

4 years ago
