vendor: capture crate provenance in inhouse metadata

nikivdev · nikivdev · commit 442d46c9bb5c · 2026-02-23T11:24:59.000+02:00
diff --git a/scripts/vendor/inhouse-crate.sh b/scripts/vendor/inhouse-crate.sh
@@ -37,12 +37,18 @@ cd "$repo_root"
 vendor_root="lib/vendor"
 history_root="lib/vendor-history"
 manifest_root="lib/vendor-manifest"
+registry_index="https://github.com/rust-lang/crates.io-index"
 
 find_cached_src_dir() {
   find "$HOME/.cargo/registry/src" -maxdepth 2 -type d -name "${crate}-${version}" 2>/dev/null \
     | head -n 1
 }
 
+find_cached_crate_file() {
+  find "$HOME/.cargo/registry/cache" -maxdepth 2 -type f -name "${crate}-${version}.crate" 2>/dev/null \
+    | head -n 1
+}
+
 fetch_into_cache() {
   local fetch_tmp
   fetch_tmp="$(mktemp -d)"
@@ -107,6 +113,69 @@ resolve_version_from_lock() {
   ' Cargo.lock | sort -V | tail -n 1
 }
 
+resolve_checksum_from_lock() {
+  awk -v crate="$crate" -v version="$version" '
+    BEGIN { name = ""; ver = ""; checksum = ""; found = 0 }
+    $0 == "[[package]]" {
+      if (name == crate && ver == version && checksum != "") {
+        print checksum
+        found = 1
+        exit 0
+      }
+      name = ""
+      ver = ""
+      checksum = ""
+      next
+    }
+    /^name = "/ {
+      name = $3
+      gsub(/"/, "", name)
+      next
+    }
+    /^version = "/ {
+      ver = $3
+      gsub(/"/, "", ver)
+      next
+    }
+    /^checksum = "/ {
+      checksum = $3
+      gsub(/"/, "", checksum)
+      next
+    }
+    END {
+      if (found == 0 && name == crate && ver == version && checksum != "") {
+        print checksum
+      }
+    }
+  ' Cargo.lock
+}
+
+resolve_checksum_from_crates_io() {
+  if ! command -v curl >/dev/null 2>&1 || ! command -v jq >/dev/null 2>&1; then
+    return 0
+  fi
+  curl -fsSL "https://crates.io/api/v1/crates/${crate}/${version}" 2>/dev/null \
+    | jq -r '.version.checksum // empty' 2>/dev/null \
+    || true
+}
+
+extract_toml_string() {
+  local file="$1"
+  local key="$2"
+  awk -F'"' -v key="$key" '$1 ~ "^" key " = " { print $2; exit }' "$file"
+}
+
+sha256_file() {
+  local file="$1"
+  if command -v shasum >/dev/null 2>&1; then
+    shasum -a 256 "$file" | awk '{print $1}'
+  elif command -v sha256sum >/dev/null 2>&1; then
+    sha256sum "$file" | awk '{print $1}'
+  else
+    echo ""
+  fi
+}
+
 if [[ -z "$version" ]]; then
   version="$(resolve_version_from_lock)"
 fi
@@ -129,6 +198,8 @@ if [[ -z "$src_dir" ]]; then
   fi
 fi
 
+crate_archive_file="$(find_cached_crate_file || true)"
+
 mkdir -p "$history_root" "$vendor_root" "$manifest_root"
 
 history_repo_rel="${history_root}/${crate}.git"
@@ -189,6 +260,27 @@ git -C "$checkout_dir" push -q -f origin "refs/tags/v${version}"
 
 history_head="$(git -C "$checkout_dir" rev-parse HEAD)"
 
+upstream_repository="$(extract_toml_string "$src_dir/Cargo.toml" "repository")"
+upstream_homepage="$(extract_toml_string "$src_dir/Cargo.toml" "homepage")"
+registry_checksum="$(resolve_checksum_from_lock)"
+if [[ -z "$registry_checksum" ]]; then
+  registry_checksum="$(resolve_checksum_from_crates_io)"
+fi
+registry_checksum="$(printf '%s' "$registry_checksum" | head -n 1 | tr -d '\r\n')"
+archive_sha256=""
+if [[ -n "$crate_archive_file" ]]; then
+  archive_sha256="$(sha256_file "$crate_archive_file")"
+fi
+archive_sha256="$(printf '%s' "$archive_sha256" | tr -d '\r\n')"
+checksum_match="unknown"
+if [[ -n "$registry_checksum" && -n "$archive_sha256" ]]; then
+  if [[ "$registry_checksum" == "$archive_sha256" ]]; then
+    checksum_match="yes"
+  else
+    checksum_match="no"
+  fi
+fi
+
 dest_dir_rel="${vendor_root}/${crate}"
 dest_dir_abs="${repo_root}/${dest_dir_rel}"
 rm -rf "$dest_dir_abs"
@@ -203,6 +295,12 @@ cat > "$manifest_file" <<MANIFEST
 crate = "${crate}"
 version = "${version}"
 source = "crates.io"
+registry_index = "${registry_index}"
+cargo_registry_checksum = "${registry_checksum}"
+crate_archive_sha256 = "${archive_sha256}"
+checksum_match = "${checksum_match}"
+upstream_repository = "${upstream_repository}"
+upstream_homepage = "${upstream_homepage}"
 synced_at_utc = "${synced_at_utc}"
 history_repo = "${history_repo_rel}"
 history_head = "${history_head}"
@@ -215,6 +313,12 @@ cat > "${dest_dir_abs}/UPSTREAM.toml" <<UPSTREAM
 crate = "${crate}"
 version = "${version}"
 source = "crates.io"
+registry_index = "${registry_index}"
+cargo_registry_checksum = "${registry_checksum}"
+crate_archive_sha256 = "${archive_sha256}"
+checksum_match = "${checksum_match}"
+upstream_repository = "${upstream_repository}"
+upstream_homepage = "${upstream_homepage}"
 synced_at_utc = "${synced_at_utc}"
 history_repo = "${history_repo_rel}"
 history_head = "${history_head}"
