From 146d5a05b0b00bff3c4188ac432202c08c7e3b1f Mon Sep 17 00:00:00 2001 From: Brent Toderash Date: Mon, 27 Apr 2026 21:38:47 -0500 Subject: [PATCH] Specify multibase for checksum hash format Per #24 the current `algorithm:value` format is non-standard. Multibase is how we encode public keys as `publicKeyMultibase`, so this adds consistency for cryptographic material. This change also deprecate sha2-256 codec as previously decided by the TSC, and clarifies guidelines for extending this part of the spec for other ecosystems. Signed-off-by: Brent Toderash --- specification.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/specification.md b/specification.md index 3b92ca3..66166e6 100644 --- a/specification.md +++ b/specification.md @@ -507,14 +507,16 @@ Signatures MUST be generated using the appropriate signature method for one of t #### checksum -The `checksum` property specifies a checksum used to validate the data integrity of the artifact. +The `checksum` property specifies a checksum used to validate the data integrity of the artifact. Checksums MUST be specified as a multibase-encoded multihash string, as defined by the [multiformats specifications](https://multiformats.io/). Valid multihash codecs are: -Checksums MUST be specified as a string, with the checksum value prefixed with the checksum function and a colon character. The valid checksum algorithms are: +* `sha2-384` (0x20) +* `sha2-512` (0x13) -* `sha256` -* `sha384` +The `sha2-256` (0x12) codec is deprecated and MUST NOT be used in new packages. Clients MAY accept `sha2-256` checksums from existing packages. -Extensions MAY specify additional valid checksum algorithms. Custom or non-standard types SHOULD be prefixed with `x-` to indicate they are non-standard. +Extensions MAY specify alternative checksum formats or additional valid checksum algorithms for artifact types. Custom or non-standard types SHOULD be prefixed with `x-` to indicate they are non-standard. Signature requirements MUST NOT overridden. + +A Client that recognizes a valid extension for the artifact type MAY apply the extension's requirements in place of the above. ### provides