feat: per-part sha256 checksums on multipart uploads #122

Merged: mobileoverlord merged 1 commit into main from lee-eng-1663 on Apr 2, 2026

@lee-reinhardt commented Mar 31, 2026

Summary

Per-part SHA-256 checksums for multipart uploads, computed during artifact discovery and sent with create_runtime so the API can sign them into presigned URLs. S3 validates each part inline at upload time.

  • Host path: compute_sha256_with_parts() computes whole-file hex SHA-256 and per-part base64 checksums in a single read pass (50 MiB chunks)
  • Container path: Discovery bash script uses dd + openssl dgst -sha256 -binary | openssl base64 -A to compute per-part checksums inside the build container
  • ArtifactParam: Includes part_checksums and part_size in create_runtime request (part_checksums skipped if empty for backward compat)
  • Upload phase: Verifies computed checksum matches pre-computed value from discovery before each part upload
  • x-amz-checksum-sha256 header sent on every presigned PUT
  • checksum_sha256 included per part in complete request for API forwarding to S3 CompleteMultipartUpload

API dependency — deploy API first

Requires peridio/avocado-connect-mono-repo#350 deployed before merging. The API must sign x-amz-checksum-sha256 into presigned URLs and set ChecksumAlgorithm: SHA256 on CreateMultipartUpload. Without the API changes, S3 rejects uploads with AccessDenied: headers not signed.

Test coverage (7 new tests)

  • compute_sha256_with_parts: single part, multiple parts, whole-file hash correctness, independent part checksum verification
  • ArtifactParam serialization: includes part_checksums/part_size when present, omits part_checksums when empty
  • CompletedPart serialization: includes checksum_sha256

E2E verified (local k3d + MinIO)

  • Upload with checksums — S3 validates inline, device applies update
  • Old CLI without checksums — backward compat, upload succeeds
  • Corrupted checksum — S3 rejects with SignatureDoesNotMatch
  • cargo build — clean
  • cargo test — all pass (749 + 756 + integration suites)
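
The single-pass hashing and the pre-upload check described in the summary above, sketched as an added example. It is not code from this PR or project: it is written in Python rather than the project's Rust, and the function names `b64_sha256`, `read_part`, `sha256_with_parts` and `part_put_headers` are hypothetical. It also handles short reads from pipes, which the PR text does not discuss.

```python
import base64
import hashlib
import hmac
import io

PART_SIZE = 50 * 1024 * 1024  # 50 MiB chunk size stated in the PR summary


def b64_sha256(data: bytes) -> str:
    """Base64 of the raw 32-byte digest, the encoding S3 expects in the header."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def read_part(stream, part_size: int) -> bytes:
    """Read exactly part_size bytes unless EOF comes first."""
    # A short read (pipe, socket) taken as a part boundary would shift every
    # later part, so its checksum would no longer match what gets uploaded.
    buf = bytearray()
    while len(buf) < part_size:
        chunk = stream.read(part_size - len(buf))
        if not chunk:
            break
        buf += chunk
    return bytes(buf)


def sha256_with_parts(stream, part_size: int = PART_SIZE):
    """Single read pass: (whole-file hex digest, [per-part base64 digests])."""
    whole = hashlib.sha256()
    parts = []
    while part := read_part(stream, part_size):
        whole.update(part)
        parts.append(b64_sha256(part))
    return whole.hexdigest(), parts


def part_put_headers(part: bytes, expected_b64: str) -> dict:
    """Re-hash the bytes about to be sent; refuse to upload on mismatch."""
    if not hmac.compare_digest(b64_sha256(part), expected_b64):
        raise ValueError("part checksum differs from discovery-time value")
    return {"x-amz-checksum-sha256": expected_b64}


if __name__ == "__main__":
    data = b"A" * 10 + b"B" * 10 + b"C" * 5  # constructed sample: 3 parts at size 10
    whole_hex, sums = sha256_with_parts(io.BytesIO(data), part_size=10)
    print(whole_hex, sums)
    print(part_put_headers(data[:10], sums[0]))
```

The local comparison catches a file that changed between discovery and upload before any bytes leave the host; the header lets S3 catch corruption in transit.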

Copilot AI left a comment

Pull request overview

This PR adds per-part SHA-256 checksums to multipart artifact uploads so each uploaded part can be integrity-checked by S3 (via x-amz-checksum-sha256) and later finalized with per-part checksums included in the /complete payload.

Changes:

  • Compute a SHA-256 checksum for each ~50 MiB part and base64-encode it.
  • Send the checksum as x-amz-checksum-sha256 on each presigned PUT request (host-side and container-side upload paths).
  • Include checksum_sha256 on each CompletedPart in the complete request payload.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| src/commands/connect/upload.rs | Computes per-part SHA-256 checksums in both upload paths and attaches them to completed part metadata. |
| src/commands/connect/client.rs | Extends multipart completion payload (CompletedPart) and adds x-amz-checksum-sha256 header to part PUT requests. |

compute per-part sha256 checksums during artifact discovery and send
them with create_runtime so the api can store them on artifact_blobs
and sign them into presigned upload urls. s3 validates each part
inline at upload time, catching corruption immediately.

- host path: single-pass compute_sha256_with_parts reads 50 MiB
  chunks, producing both whole-file hex hash and per-part base64
  checksums
- container path: discovery script uses dd + openssl to compute
  per-part checksums inside the build container
- send part_size in artifact params so api stores the cli's chunk
  size on the blob
- upload phase: verifies computed checksum matches pre-computed
  value from discovery before uploading each part
- x-amz-checksum-sha256 header sent on every presigned PUT
- checksum_sha256 included in complete request for api forwarding
  to s3 CompleteMultipartUpload
- 7 new tests: compute_sha256_with_parts (single/multi part,
  whole-file hash, independent verification), artifact param
  serialization, completed part serialization

@mobileoverlord merged commit 7d6ea52 into main on Apr 2, 2026
5 checks passed
@mobileoverlord deleted the lee-eng-1663 branch on April 2, 2026 19:58