Added archive validation for all available algorithms in hashlib.

src/poetry/installation/executor.py

@@ -31,6 +31,7 @@
 from poetry.utils.env import EnvCommandError
 from poetry.utils.helpers import Downloader
 from poetry.utils.helpers import get_file_hash
+from poetry.utils.helpers import get_highest_priority_hash_type
 from poetry.utils.helpers import pluralize
 from poetry.utils.helpers import remove_directory
 from poetry.utils.pip import pip_install
@@ -792,8 +793,19 @@ def _populate_hashes_dict(self, archive: Path, package: Package) -> None:
 
     @staticmethod
     def _validate_archive_hash(archive: Path, package: Package) -> str:
-        archive_hash: str = "sha256:" + get_file_hash(archive)
-        known_hashes = {f["hash"] for f in package.files if f["file"] == archive.name}
+        known_hashes: set[str] = {
+            f["hash"] for f in package.files if f["file"] == archive.name
+        }
+        hash_types: set[str] = {t.split(":")[0] for t in known_hashes}
+        hash_type: str | None = get_highest_priority_hash_type(hash_types)
+
+        if hash_type is None:
+            raise RuntimeError(
+                f"No usable hash type(s) for {package} from archive"
+                f" {archive.name} found (known hashes: {known_hashes!s})"
+            )
+
+        archive_hash: str = f"{hash_type}:{get_file_hash(archive, hash_type)}"
 
         if archive_hash not in known_hashes:
             raise RuntimeError(

src/poetry/utils/helpers.py

@@ -37,6 +37,28 @@
     from poetry.utils.authenticator import Authenticator
 
 
+prioritised_hash_types: list[str] = [
+    t
+    for t in [
+        "sha3_512",
+        "sha3_384",
+        "sha3_256",
+        "sha3_224",
+        "sha512",
+        "sha384",
+        "sha256",
+        "sha224",
+        "shake_256",
+        "shake_128",
+        "blake2s",
+        "blake2b",
+        "sha1",
+        "md5",
+    ]
+    if t in hashlib.algorithms_available
+]
+
+
 @contextmanager
 def directory(path: Path) -> Iterator[Path]:
     cwd = Path.cwd()
@@ -312,3 +334,14 @@ def extractall(source: Path, dest: Path, zip: bool) -> None:
                 archive.extractall(dest, filter="data")
             else:
                 archive.extractall(dest)
+
+
+def get_highest_priority_hash_type(hash_types: set[str]) -> str | None:
+    if not hash_types:
+        return None
+
+    for prioritised_hash_type in prioritised_hash_types:
+        if prioritised_hash_type in hash_types:
+            return prioritised_hash_type
+
+    return None

tests/installation/test_executor.py

@@ -1456,3 +1456,149 @@ def test_other_error(
     output = io.fetch_output().strip()
     assert output.startswith(expected_start)
     assert output.endswith(expected_end)
+
+
+def test_executor_known_hash_sha512(
+    tmp_venv: VirtualEnv,
+    pool: RepositoryPool,
+    config: Config,
+    io: BufferedIO,
+    fixture_dir: FixtureDirGetter,
+    mock_file_downloads: None,
+) -> None:
+    url = (fixture_dir("distributions") / "demo-0.1.0.tar.gz").resolve()
+    package = Package("demo", "0.1.0", source_type="file", source_url=url.as_posix())
+    # Set package.files so the executor will attempt to hash the package
+    package.files = [
+        {
+            "file": "demo-0.1.0.tar.gz",
+            "hash": "sha512:766ecf369b6bdf801f6f7bbfe23923cc9793d633a55619472cd3d5763f9154711fbf57c8b6ca74e4a82fa9bd8380af831e7b8668e68e362669fc60b1d81d79ad",
+        },
+        {
+            "file": "demo-0.1.0.tar.gz",
+            "hash": "md5:d1912c917363a64e127318655f7d1fe7",
+        },
+        {
+            "file": "demo-0.1.0.whl",
+            "hash": "sha256:70e704135718fffbcbf61ed1fc45933cfd86951a744b681000eaaa75da31f17a",
+        },
+    ]
+
+    executor = Executor(tmp_venv, pool, config, io)
+    executor.execute([Install(package)])
+    expected_url_reference = {
+        "archive_info": {
+            "hashes": {
+                "sha512": "766ecf369b6bdf801f6f7bbfe23923cc9793d633a55619472cd3d5763f9154711fbf57c8b6ca74e4a82fa9bd8380af831e7b8668e68e362669fc60b1d81d79ad"
+            },
+        },
+        "url": url.as_uri(),
+    }
+    verify_installed_distribution(tmp_venv, package, expected_url_reference)
+
+
+def test_executor_known_hash_md5(
+    tmp_venv: VirtualEnv,
+    pool: RepositoryPool,
+    config: Config,
+    io: BufferedIO,
+    fixture_dir: FixtureDirGetter,
+    mock_file_downloads: None,
+) -> None:
+    url = (fixture_dir("distributions") / "demo-0.1.0.tar.gz").resolve()
+    package = Package("demo", "0.1.0", source_type="file", source_url=url.as_posix())
+    # Set package.files so the executor will attempt to hash the package
+    package.files = [{
+        "file": "demo-0.1.0.tar.gz",
+        "hash": "md5:d1912c917363a64e127318655f7d1fe7",
+    }]
+
+    executor = Executor(tmp_venv, pool, config, io)
+    executor.execute([Install(package)])
+    expected_url_reference = {
+        "archive_info": {
+            "hashes": {"md5": "d1912c917363a64e127318655f7d1fe7"},
+        },
+        "url": url.as_uri(),
+    }
+    verify_installed_distribution(tmp_venv, package, expected_url_reference)
+
+
+def test_executor_known_hash_sha3_512(
+    tmp_venv: VirtualEnv,
+    pool: RepositoryPool,
+    config: Config,
+    io: BufferedIO,
+    fixture_dir: FixtureDirGetter,
+    mock_file_downloads: None,
+) -> None:
+    url = (fixture_dir("distributions") / "demo-0.1.0.tar.gz").resolve()
+    package = Package("demo", "0.1.0", source_type="file", source_url=url.as_posix())
+    # Set package.files so the executor will attempt to hash the package
+    package.files = [
+        {
+            "file": "demo-0.1.0.tar.gz",
+            "hash": "sha3_512:196f4af9099185054ed72ca1d4c57707da5d724df0af7c3dfcc0fd018b0e0533908e790a291600c7d196fe4411b4f5f6db45213fe6e5cd5512bf18b2e9eff728",
+        },
+        {
+            "file": "demo-0.1.0.tar.gz",
+            "hash": "sha512:766ecf369b6bdf801f6f7bbfe23923cc9793d633a55619472cd3d5763f9154711fbf57c8b6ca74e4a82fa9bd8380af831e7b8668e68e362669fc60b1d81d79ad",
+        },
+        {
+            "file": "demo-0.1.0.tar.gz",
+            "hash": "md5:d1912c917363a64e127318655f7d1fe7",
+        },
+        {
+            "file": "demo-0.1.0.whl",
+            "hash": "sha256:70e704135718fffbcbf61ed1fc45933cfd86951a744b681000eaaa75da31f17a",
+        },
+    ]
+
+    executor = Executor(tmp_venv, pool, config, io)
+    executor.execute([Install(package)])
+
+    expected_url_reference = {
+        "archive_info": {
+            "hashes": {
+                "sha3_512": "196f4af9099185054ed72ca1d4c57707da5d724df0af7c3dfcc0fd018b0e0533908e790a291600c7d196fe4411b4f5f6db45213fe6e5cd5512bf18b2e9eff728"
+            },
+        },
+        "url": url.as_uri(),
+    }
+
+    verify_installed_distribution(tmp_venv, package, expected_url_reference)
+
+
+def test_executor_no_supported_hash_types(
+    tmp_venv: VirtualEnv,
+    pool: RepositoryPool,
+    config: Config,
+    io: BufferedIO,
+    fixture_dir: FixtureDirGetter,
+    mock_file_downloads: None,
+) -> None:
+    url = (fixture_dir("distributions") / "demo-0.1.0.tar.gz").resolve()
+    package = Package("demo", "0.1.0", source_type="file", source_url=url.as_posix())
+    # Set package.files so the executor will attempt to hash the package
+    package.files = [
+        {
+            "file": "demo-0.1.0.tar.gz",
+            "hash": "hash_blah:1234567890abcdefghijklmnopqrstyzwxyz",
+        },
+        {
+            "file": "demo-0.1.0.whl",
+            "hash": "sha256:70e704135718fffbcbf61ed1fc45933cfd86951a744b681000eaaa75da31f17a",
+        },
+    ]
+
+    executor = Executor(tmp_venv, pool, config, io)
+    return_code = executor.execute([Install(package)])
+    distributions = list(tmp_venv.site_packages.distributions(name=package.name))
+    assert len(distributions) == 0
+
+    output = io.fetch_output()
+    error = io.fetch_error()
+    assert return_code == 1, f"\noutput: {output}\nerror: {error}\n"
+    assert "pytest" not in error
+    assert "No usable hash type(s) for demo" in output
+    assert "hash_blah:1234567890abcdefghijklmnopqrstyzwxyz" in output