Using the jfrog CLI (jfrog rt s) I can dump file information of my repo to stdout, but this information does not contain the stored checksum. I see a similar question "Artifactory CLI - Jfrog - How to get binary Hash code (SHA1, SHA256) through jfrog CLI" but the answer is only about searching for a specific checksum. Not being very familiar with jfrog at all, can someone suggest a simple method (has to use jfrog please) for dumping the checksum info for all or a specific file in the repo?
2 Answers
The jfrog rt search command theoretically supports returning sha256 sums if you're using jfrog-cli version 1.36.0 or greater, Artifactory server 5.5 or greater, and a correctly configured database.
Under the hood, the jfrog rt search command utilizes AQL to generate a query which it sends to the server. The default query performs items.find().include(*), which returns all of the supported fields. I guess if the database isn't set up right then SHA-256 sums aren't supported (this seems to be the case at my workplace).
Fortunately, there's an alternative which works even on old versions of the jfrog-cli (I've tested this with 1.26.2). This involves utilizing the jfrog rt curl command to directly grab the metadata from the server. Note that the jfrog rt curl command doesn't support the standard --url, --access-token or --apikey parameters, so you'll need to configure a connection to the server using jfrog rt c first (don't forget to use --interactive=false if you're automating this). Once you've done that, the magic incantation which you're looking for is:
jfrog rt curl -XGET "api/storage/your_repo/your_file"
This will return a JSON blob like the following:
'{
"repo" : "your_repo",
"path" : "/your_path/your_file",
"created" : "2020-07-21T21:28:20.663Z",
"createdBy" : "token:your-token",
"lastModified" : "2020-07-21T21:28:27.277Z",
"modifiedBy" : "token:your-token",
"lastUpdated" : "2020-07-21T21:28:27.287Z",
"downloadUri" : "https://your_artifactory_url/artifactory/your_repo/your_path/your_file",
"mimeType" : "application/x-gzip",
"size" : "1198168",
"checksums" : {
"sha1" : "5e288fe94da1fed0b4ce6695c7a984426e9f5a78",
"md5" : "a012711241ba3a5bd4a04e833001d490",
"sha256" : "d22e76b6cc0b4e2e29076d08f8209dec2b7d9c28e71a13d989175a1272ac3da7"
},
"originalChecksums" : {
"sha1" : "5e288fe94da1fed0b4ce6695c7a984426e9f5a78",
"md5" : "a012711241ba3a5bd4a04e833001d490",
"sha256" : "d22e76b6cc0b4e2e29076d08f8209dec2b7d9c28e71a13d989175a1272ac3da7"
},
"uri" : "https://your_artifactory_url/artifactory/api/storage/your_repo/your_path/your_file"
}'
The originalChecksums are from when the artifact was first uploaded. If the artifact has been tampered with on the server then the regular checksums may be different. For this reason I'd recommend validating against the originalChecksums unless you're operating in an environment where the same artifacts are expected to be overwritten.
If you're looking for a quick and dirty way to extract the returned checksums from the JSON blob then try this ugly hack I threw together in bash (note that this won't work if you collapse the whitespace first):
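#!/bin/bash
# ... (earlier part of the script, which leaves the JSON reply in "$response")
# Collect every "sha256" value from the pretty-printed JSON, in document order.
checksums=($(sed -n -E "s/^\\s+\\\"sha256\\\"\\s:\\s\\\"(.*)\\\"\$/\\1/p" <<< "$response"))
# First match comes from "checksums", second from "originalChecksums".
checksum="${checksums[0]}"
original_checksum="${checksums[1]}"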
If you have the option, I'd recommend using a more robust json parser instead.
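An added example (not part of the original answer, and not JFrog's code): one way to follow the advice above with a real JSON parser, checking a downloaded file against the originalChecksums in the api/storage response. The function names and status strings are this example's own, the sample response is constructed, and it assumes jfrog rt curl writes only the JSON body to stdout.

```python
import hashlib
import json
import sys


def sha256_file(path, chunk_size=1 << 20):
    """Hash a local file in chunks so large artifacts are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_artifact(storage_json, local_path):
    """Compare a downloaded file with the api/storage response for it.

    Returns "ok", "local-mismatch", "server-checksum-drift" or
    "no-original-sha256" (status names are this example's own).
    """
    info = json.loads(storage_json)
    current = (info.get("checksums") or {}).get("sha256")
    original = (info.get("originalChecksums") or {}).get("sha256")
    if not original:
        # No upload-time SHA-256 in the response to validate against.
        return "no-original-sha256"
    if current and current.lower() != original.lower():
        # The stored checksum no longer matches the upload-time one.
        return "server-checksum-drift"
    return "ok" if sha256_file(local_path) == original.lower() else "local-mismatch"


def constructed_response(body, original_sha256=None):
    """Build a constructed (not real) response in the shape shown above."""
    sha = hashlib.sha256(body).hexdigest()
    return json.dumps({
        "repo": "your_repo",
        "path": "/your_path/your_file",
        "checksums": {"sha256": sha},
        "originalChecksums": {"sha256": original_sha256 or sha},
    })


if __name__ == "__main__":
    # jfrog rt curl -XGET "api/storage/your_repo/your_file" | python3 check.py your_file
    status = check_artifact(sys.stdin.read(), sys.argv[1])
    print(status)
    sys.exit(0 if status == "ok" else 1)
```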