Fix checksum in Artifactory when uploading file through REST API

10
votes

I'm using the code below to upload a file through Artifactory's REST API. My problem is that when I view the file through the GUI I get this message:

Client did not publish a checksum value. If you trust the uploaded artifact you can accept the actual checksum by clicking the 'Fix Checksum' button.

How do I fix the upload so that this message disappears?

If I upload the file through the GUI I'm not supplying checksum values so why do I have to do it when I use the API? Is there an extra function I can call when using the API to fix the checksums?

I also saw this setting: https://www.jfrog.com/confluence/display/RTF20/Handling+Checksums Could this have anything to do with my problem?

string inFilePath = @"C:\temp\file.ext";
string inUrl = @"domain.com/repoKey/";
string username = "username";
string apiKey = "apikey";

using (HttpClient client = new HttpClient())
{
    client.DefaultRequestHeaders.Authorization =
        new AuthenticationHeaderValue("Basic", Convert.ToBase64String(Encoding.ASCII.GetBytes(username+":"+apiKey)));

    using (var stream = File.OpenRead(inFilePath))
    {
        var response = client.PutAsync(inUrl + stream.Name, new StreamContent(stream));

        using (HttpContent content = response.Result.Content)
        {
            string data = content.ReadAsStringAsync().Result;
        }
    }
}

Updates

There are three types of checksums and two sets of checksum groups.

"checksums" : {
  "sha1" : "94332c090bdcdd87bd86426c224bcc7dc1c5f784",
  "md5" : "dcada413214a5bd7164c6961863f5111",
  "sha256" : "049c671f48e94c1ad25500f64e4879312cae70f489edc21313334b3f77b631e6"
},
"originalChecksums" : {
  "sha1" : "94332c090bdcdd87bd86426c224bcc7dc1c5f784",
  "md5" : "dcada413214a5bd7164c6961863f5111"
}

checksums - are calculated by Artifactory
originalChecksums - are the ones supplied by the uploader

When I use the API the originalChecksums group is empty which I think renders the message above.

3
c#artifactorydotnet-httpclient
I think the checksum is sha256. Search following webpage for checksum : jfrog.com/confluence/display/RTF/Artifactory+REST+APIjdweng
I've updated my question. The sha256 is something artifactory can generate. I think the problem here is the empty originalChecksums.Niklas
See webpage again. You need to post : POST /api/checksum/sha256 -H "Content-Type: application/json". So send you object stream to the post which will return the sha256 checksum before you upload the stream.jdweng
I'm not sure what you mean in this last comment. The function you refer to will calculate sha256 on files that are already uploaded in artifactory. I've tried that on my files but it doesn't solve the problem with md5 and sha1 checksums.Niklas
You have to add the sha256 crc to the checksum group before sending the stream. Otherwise, you get the warning message. So either you have to ignore the warning or add the sha256. To add SHA crc you need to do send another post like on the webpage I posted.jdweng

3 Answers

13
votes

I am hitting the same issue using the artifactory-client-java library :-(

So after some digging, it appears that you need to:

  • calculate the checksums on the client side (sha1)
  • provide each checksum as a HTTP header on the PUT request

For your C# example, the correct solution is to add a header "X-Checksum-Sha1" with the calculated checksum. As explained in the link documentation, a simple curl example is

curl -uadmin:password -T file.jar -H "X-Checksum-Sha1:c9a355147857198da3bdb3f24c4e90bd98a61e8b""http://localhost:8081/artifactory/libs-release-local/file.jar" -i

For artifactory-client-java users, the easy fix is to add to the documented upload example:

java.io.File file = new java.io.File("fileToUpload.txt");
File result = artifactory.repository("RepoName").upload("path/to/newName.txt", file).doUpload();

an additional intermediary call: bySha1Checksum():

java.io.File file = new java.io.File("fileToUpload.txt");
File result = artifactory.repository("RepoName").upload("path/to/newName.txt", file).bySha1Checksum().doUpload();
11
votes

@Arnaud Jeansen's answer is good and true. I thought I would share my bash/curl script for deploying with checksums to provide additional details.

This is current as of Artifactory 6.2, and the date of this writing. 

# assume test2.zip is the file to upload in current directory

# calculate checksums
sha256=$(openssl dgst -sha256 test2.zip|sed 's/^SHA256.*= //')
sha1=$(openssl dgst -sha1 test2.zip|sed 's/^SHA.*= //')

# upload to Artifactory
curl -u"${ARTIFACTORY_USER}:${ARTIFACTORY_PASSWORD}" \
 -sS -T test2.zip  \
 -H "X-Checksum-Sha256:${sha256}" -H "X-Checksum-Sha1:${sha1}" \
 "http://${ARTIFACTORY_HOST}:8081/artifactory/REPO/path/test2.zip" \
 > response

 jq '.' < response
 echo ''

The resultant artifact does not display the warning about checksums in the UI.

0
votes

I was able to just use the sha1 header and artifactory stopped complaining, here's a bash snippet as example:

CHECKSUM=sha1sum some.rpm | awk '{ print $1 }' curl -k -umy_user:my_pass -H "X-Checksum-Sha1:$CHECKSUM" -XPUT https://cudgels_are_cool.com/artifactory/some_repo -T some.rpm