Reproducing a version's checksum from crates.io

Hi,

So I was exploring the https://crates.io/api/v1/crates endpoint and I noticed that we have a checksum attribute over the entries in the "versions" section.

After some research I believe this checksum is created by crates.io itself (maybe using SHA256?).

So the question now: Is it possible to replicate/recalc this checksum locally?

I know we create .crate file through cargo package that (afaik) is the package uploaded to crates.io.

I tried to cat ./target/package/some-package-0.1.0.crate | sha256sum but the hash is not the same.

Are there any extra steps needed to replicate the same checksum value from crates.io?

It is just a hash of the crate tarball that has been uploaded to crates.io.

However, cargo package can vary between Cargo versions, and might have some sources of non-determinism, so there's no guarantee that a crate you repackage locally will be identical every time.
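
The point of the answer above, as an added example (not code from the thread or from crates.io): the same source files packaged twice hash differently once archive metadata differs, while the exact uploaded bytes always match. It assumes the checksum is the hex SHA-256 of the archive bytes; the file contents, names and timestamps are constructed, and header timestamps are used only as one illustrative source of difference.

```python
import gzip
import hashlib
import hmac
import io
import tarfile

# Constructed sample: the same source files, packaged twice below.
FILES = {
    "some-package-0.1.0/Cargo.toml": b'[package]\nname = "some-package"\nversion = "0.1.0"\n',
    "some-package-0.1.0/src/lib.rs": b"pub fn answer() -> u32 { 42 }\n",
}

def build_crate(files, mtime):
    """Build a gzip-compressed tarball in memory; mtime lands in the tar and gzip headers."""
    tar_bytes = io.BytesIO()
    with tarfile.open(fileobj=tar_bytes, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=mtime) as gz:
        gz.write(tar_bytes.getvalue())
    return out.getvalue()

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def matches_registry(crate_bytes, registry_checksum):
    """Compare the archive's SHA-256 with the hex checksum the registry reports."""
    return hmac.compare_digest(sha256_hex(crate_bytes), registry_checksum.lower())

def unpacked_contents(crate_bytes):
    """Return {path: content} so two archives can be compared file by file."""
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}

uploaded = build_crate(FILES, mtime=1_600_000_000)    # stands in for the uploaded tarball
repackaged = build_crate(FILES, mtime=1_700_000_000)  # same sources, packaged later
registry_checksum = sha256_hex(uploaded)              # stands in for the API "checksum"

if __name__ == "__main__":
    print("uploaded bytes match:  ", matches_registry(uploaded, registry_checksum))
    print("repackaged bytes match:", matches_registry(repackaged, registry_checksum))
    print("same file contents:    ", unpacked_contents(uploaded) == unpacked_contents(repackaged))
```

To check a published version, hash the archive bytes actually served for that version rather than a local rebuild; comparing unpacked contents is the way to confirm a local rebuild carries the same files.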