How to verify downloaded packages

Hello,
I have the following scenario: I want to make sure that the downloaded packages are correct.
Is there any way to verify that the crate is unchanged?
I found that the checksum is there, and it matches the checksum of the .crate file.
But what if the following happens: somebody changes the content of the .crate in the cache folder, and the file hash changes. Is there any way with cargo to verify that the checksum is different?
It is to detect tampered code.
Thanks for the help in advance.

I guess if somebody can change the content of files in your cache folder, tampered code is not the largest problem you have? They can change literally anything else that's stored with the same access rights (likely anything writable by your user).


Okay, fair point, but if you have an offline machine which should never connect to the internet, a data transfer still has to happen. I guess just writing a simple script to check the hash will suffice.

You can take a sha256sum of the cached .crate files in ~/.cargo/registry/cache and compare it against the checksum field of the respective crate in Cargo.lock. These are the tarballs that will be extracted into ~/.cargo/registry/src. Also, if you are on an air-gapped system, how did the tarballs end up on the machine in the first place? For offline downloads there is cargo vendor, which doesn't use ~/.cargo/registry at all when building, and for every crate it adds a .cargo-checksum.json file which is validated against the source files by cargo whenever the respective crate is built.
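The Cargo.lock-versus-cache comparison described in the reply above, as an added example (not code from the thread or from cargo itself): it reads the `checksum` field of every registry package in Cargo.lock, hashes the matching `<name>-<version>.crate` under the cache directory, and reports `ok`, `MISMATCH` or `missing`. The `~/.cargo/registry/cache` path is cargo's default as stated above; the `demo()` function builds a constructed cache and lockfile in a temporary directory, including a crate altered after locking, rather than touching a real cache.

```python
import hashlib
import re
import tempfile
from pathlib import Path

DEFAULT_CACHE = "~/.cargo/registry/cache"  # cargo's default cache location (assumed)
_FIELD_RE = re.compile(r'^\s*(name|version|checksum)\s*=\s*"([^"]*)"', re.M)

def parse_cargo_lock(text):
    """Map (name, version) -> checksum for each [[package]] that has one (git/path deps don't)."""
    expected = {}
    for block in text.split("[[package]]")[1:]:
        fields = dict(_FIELD_RE.findall(block))
        if "checksum" in fields:
            expected[(fields["name"], fields["version"])] = fields["checksum"]
    return expected

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def verify_cache(lock_path, cache_dir=DEFAULT_CACHE):
    """Return {(name, version): "ok" | "MISMATCH" | "missing"} for every locked registry crate."""
    results = {}
    for (name, version), want in parse_cargo_lock(Path(lock_path).read_text()).items():
        # the cache holds one subdirectory per registry, e.g. index.crates.io-<hash>
        hits = list(Path(cache_dir).expanduser().glob(f"*/{name}-{version}.crate"))
        if not hits:
            results[(name, version)] = "missing"
        else:
            results[(name, version)] = "ok" if sha256_file(hits[0]) == want else "MISMATCH"
    return results

def demo():
    """Constructed cache and Cargo.lock in a temp dir; one .crate is altered after locking."""
    tmp = Path(tempfile.mkdtemp())
    reg = tmp / "cache" / "index.crates.io-0000000000000000"  # constructed registry dir name
    reg.mkdir(parents=True)
    (reg / "good-1.0.0.crate").write_bytes(b"constructed crate tarball bytes")
    (reg / "tampered-2.0.0.crate").write_bytes(b"original bytes")
    entries = [("good", "1.0.0", sha256_file(reg / "good-1.0.0.crate")),
               ("tampered", "2.0.0", sha256_file(reg / "tampered-2.0.0.crate")),
               ("absent", "0.1.0", "0" * 64)]  # locked but never downloaded into the cache
    (tmp / "Cargo.lock").write_text("".join(
        f'[[package]]\nname = "{n}"\nversion = "{v}"\nchecksum = "{c}"\n\n' for n, v, c in entries))
    (reg / "tampered-2.0.0.crate").write_bytes(b"modified bytes")  # simulate tampering in the cache
    return verify_cache(tmp / "Cargo.lock", tmp / "cache")
```

Run `verify_cache("Cargo.lock")` from a project directory to check the real cache; a `MISMATCH` means the cached tarball no longer matches what the lockfile recorded when the dependency was resolved.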
