It seems now we're using these checksums in two situations:

1. In CI, when we build angle, we generate checksum from the new build. The next step of the gh workflow downloads this build, verifies the checksum, and uses the build to link the runtime / package the final artifact. 2. If a contributor need the angle binary locally, but don't want to build it themselves, they can trigger a CI run, and download the artifact. The checksum get verified later when building the runtime. It seems pointless to verify checksum of something we just built (or pulled from a gh action cache) in 1. I'm not sure it's really useful to verify them in case 2 either, because if the artifact can be compromised, so can be the checksums (note the checksums are bundled with the build, not pulled from somewhere else), and anyway the artifacts users will get are those built in CI, not the ones we build locally while developing. We can certainly devise a scheme later to help users verify that the artifacts they downloaded from GH are correct, but I don't think our current use of checksums does anything in this regard. The proper way would probably be to _sign_ the artifacts and verify the signature. This commit removes said checksums until we figure out such a scheme.
orca-app · Oct 4, 2024 · c1e7b2f · c1e7b2f
1 parent 975dd0d
commit c1e7b2f
Showing 1 changed file with 14 additions and 42 deletions.
diff --git a/scripts/dev.py b/scripts/dev.py
@@ -123,29 +123,18 @@ def check_dawn():
 
 
     if os.path.exists("build/dawn.out/dawn.json"):
-        with pushd("build/dawn.out"):
-            with open("dawn.json", "r") as f:
-                sums = json.loads(f.read())
+        with open("build/dawn.out/dawn.json", "r") as f:
+            sums = json.loads(f.read())
 
-                up_to_date = True
-
-                for artifact in artifacts:
-                    if artifact in sums:
-                        if os.path.isfile(artifact):
-                            s = checksum.filesum(artifact)
-                            if sums[artifact]['commit'] != DAWN_COMMIT:
-                                messages.append(f"build/dawn.out/{artifact} doesn't match dawn commit.\n  note: expected {DAWN_COMMIT}, got {sums[artifact]['commit']}")
-                                up_to_date = False
-                            elif s != sums[artifact]['sum']:
-                                messages.append(f"build/dawn.out/{artifact} doesn't match checksum.\n  note: expected {sums[artifact]['sum']}, got {s}")
-                                up_to_date = False
-                        else:
-                            messages.append(f"build/dawn.out/{artifact} not found")
-                            up_to_date = False
-                            break
-                    else:
-                        messages.append(f"build/dawn.out/{artifact} is not listed in checksum file")
-                        up_to_date = False
+            up_to_date = True
+
+            if 'commit' not in sums:
+                messages.append(f"build/dawn.out/dawn.json doesn't contain dawn commit.")
+                up_to_date = False
+
+            elif sums['commit'] != DAWN_COMMIT:
+                messages.append(f"build/dawn.out/dawn.json doesn't match dawn commit.\n  note: expected {DAWN_COMMIT}, got {sums['commit']}")
+                up_to_date = False
     else:
         messages = ["build/dawn.out/dawn.json not found"]
 
@@ -279,38 +268,21 @@ def build_dawn_internal(release, jobs, force):
 
         # package result
         print("  * copying build artifacts...")
-        sums = dict()
+        sums = {
+            "commit": DAWN_COMMIT
+        }
 
         os.makedirs("dawn.out/include", exist_ok=True)
         os.makedirs("dawn.out/bin", exist_ok=True)
 
         shutil.copy("dawn.build/gen/include/dawn/webgpu.h", "dawn.out/include/")
 
-        sums['include/webgpu.h'] = {
-            "commit": DAWN_COMMIT,
-            "sum": checksum.filesum('dawn.out/include/webgpu.h')
-        }
-
         if platform.system() == "Windows":
             shutil.copy(f"dawn.build/{mode}/webgpu.dll", "dawn.out/bin/")
             shutil.copy(f"dawn.build/src/dawn/native/{mode}/webgpu.lib", "dawn.out/bin/")
-
-            sums['bin/webgpu.dll'] = {
-                "commit": DAWN_COMMIT,
-                "sum": checksum.filesum('dawn.out/bin/webgpu.dll')
-            }
-            sums['bin/webgpu.lib'] = {
-                "commit": DAWN_COMMIT,
-                "sum": checksum.filesum('dawn.out/bin/webgpu.lib')
-            }
         else:
             shutil.copy("dawn.build/src/dawn/native/libwebgpu.dylib", "dawn.out/bin/")
 
-            sums['bin/libwebgpu.dylib'] = {
-                "commit": DAWN_COMMIT,
-                "sum": checksum.filesum('dawn.out/bin/libwebgpu.dylib')
-            }
-
     # save artifacts checksums
     with open('build/dawn.out/dawn.json', 'w') as f:
         json.dump(sums, f)