Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

How is the "PackageHash_SHA512_Bytes" calculated and can be used to validate the package integrity?



  • Hi was just wondering how the "PackageHash_SHA512_Bytes" is calculated and if can be used to validate the package integrity.
    It doesn't seem to match the filehash of the actual package file.

    [
    {
        "Feed_Id": 1,
        "Package_Id": "Mx.Release.Package",
        "Version_Text": "16.0.0",
        "TargetFrameworks_Text": null,
        "Published_Date": "2018-02-05T15:12:41.303Z",
        "Package_Size": 24987,
        "Nuspec_Bytes": "77u/PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz48cGFja2----trimmed_rest",
        "PackageHash_SHA1_Bytes": "vRLwsut5rwlgYKE0C9aAdwbM2xo=",
        "PackageHash_SHA512_Bytes": "IOKFNp3q+CuDIaSEGAeAh2HrU3B+d7poJHgEj+Lx/h86gB1JiIROAh/SaRaBalSQWVwqU3ctHtP8xxTPmM/T0g==",
        "Symbols_Indicator": false,
        "Source_Indicator": false,
        "Cached_Indicator": false,
        "LastDownloaded_Date": "2018-02-18T12:07:30.22Z",
        "Version_Download_Count": 1,
        "Total_Download_Count": 1
    }
    

    ]

    Product: ProGet
    Version: 5.0.8



  • I forgot to mention that I'm calling the API (api/json/NuGetPackagesV2_GetLatest)
    And I noticed the "PackageHash_SHA512_Bytes" was there.

    And thought it might be useful if this was in fact the filehash of the package in the response.


  • inedo-engineer

    Hello Emil,

    If source or symbol stripping is enabled on the NuGet feed, the package you download will be dynamically created. If you add a query parameter ?includeSymbols=Y in the package request, ProGet will give you the original nupkg file, which should have the SHA512 sum from that field.



Inedo Website HomeSupport HomeCode of ConductForums GuideDocumentation