Conversation
bradhe
commented
Jul 25, 2025
bradhe
commented
- Integrity checks for packages uploaded to Tower
* feat: Manifests now have integrity checks embedded in them. * chore: Add an overall integrity check to the file * chore: Include an overall package hash during uploads * chore: Rename integrity to checksum * chore: Incorporate feedback from Copilot
There was a problem hiding this comment.
Pull Request Overview
This PR implements integrity checks for packages uploaded to Tower by adding SHA256 checksums to package manifests and upload headers. The version is also updated from 0.3.21-rc.2 to 0.3.21 for the release.
- Added SHA256 checksum computation for individual files and overall package integrity
- Updated package manifest to include checksum field and modified upload process to send checksum header
- Version bump from release candidate to stable release
Reviewed Changes
Copilot reviewed 7 out of 9 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| pyproject.toml | Version update from 0.3.21rc2 to 0.3.21 |
| Cargo.toml | Version update from 0.3.21-rc.2 to 0.3.21 |
| crates/tower-package/Cargo.toml | Added sha2 dependency for checksum computation |
| crates/tower-package/src/lib.rs | Added checksum field to Manifest struct and implemented SHA256 computation functions |
| crates/tower-package/tests/package_test.rs | Added test assertion to verify checksum is populated |
| crates/tower-cmd/src/util/deploy.rs | Added package hash computation and X-Tower-Checksum-SHA256 header to upload requests |
| crates/tower-cmd/src/util/progress.rs | Minor formatting changes with extra blank lines |
pyproject.toml
Outdated
| [project] | ||
| name = "tower" | ||
| version = "0.3.21rc2" | ||
| version = "0.3.21" |
There was a problem hiding this comment.
The version number in pyproject.toml (0.3.21) doesn't match the PR title which indicates this is a v0.3.22 release. This inconsistency could cause deployment issues.
| version = "0.3.21" | |
| version = "0.3.22" |
Cargo.toml
Outdated
| [workspace.package] | ||
| edition = "2021" | ||
| version = "0.3.21-rc.2" | ||
| version = "0.3.21" |
There was a problem hiding this comment.
The version number in Cargo.toml (0.3.21) doesn't match the PR title which indicates this is a v0.3.22 release. This inconsistency could cause deployment issues.
| version = "0.3.21" | |
| version = "0.3.22" |
|
|
||
| for key in sorted_keys { | ||
| // We need to sort the keys so that we can compute a consistent hash. | ||
| let value = path_hashes.get(key).unwrap(); |
There was a problem hiding this comment.
Using unwrap() here could cause a panic if the key doesn't exist in the HashMap. Since we're iterating over keys from the same HashMap, this should be safe, but consider using expect() with a descriptive message for better error handling.
| let value = path_hashes.get(key).unwrap(); | |
| let value = path_hashes.get(key).expect("Key not found in path_hashes during SHA256 computation"); |
There was a problem hiding this comment.
Ignoring for now, this needs a bit of work overall.
| Ok(hash) => hash, | ||
| Err(e) => { | ||
| debug!("Failed to compute package hash: {}", e); | ||
| output::die("Tower CLI failed to properly prepare your package for deployment. Check that you have permissions to read/write to your temporary directory, and if it keeps happening contact Tower support at https://tower.dev"); |
There was a problem hiding this comment.
The error message is very generic and doesn't provide specific information about the checksum computation failure. Consider including the actual error details to help users diagnose the issue.
| output::die("Tower CLI failed to properly prepare your package for deployment. Check that you have permissions to read/write to your temporary directory, and if it keeps happening contact Tower support at https://tower.dev"); | |
| output::die(&format!("Tower CLI failed to properly prepare your package for deployment. Error: {}. Check that you have permissions to read/write to your temporary directory, and if it keeps happening contact Tower support at https://tower.dev", e)); |
