Skip to content

Use SHA-256 for runtime telemetry package checksums #18846

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
trask merged 9 commits into from
Jun 2, 2026
Merged

Use SHA-256 for runtime telemetry package checksums #18846

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
caff3b3
Use SHA-256 for runtime telemetry package checksums
iblancasa May 25, 2026
e57603f
Merge branch 'main' into 18845
iblancasa May 26, 2026
cfaa766
Merge branch 'main' into 18845
iblancasa May 27, 2026
751cc94
Merge branch 'main' into 18845
iblancasa May 28, 2026
e78d9aa
Apply feedback from bot
iblancasa Jun 1, 2026
65c69df
Merge branch 'main' into 18845
iblancasa Jun 2, 2026
1ef8741
Apply changes requested in code review
iblancasa Jun 2, 2026
38033c1
Merge branch '18845' of github.com:iblancasa/opentelemetry-java-instr…
iblancasa Jun 2, 2026
d4d2d51
Merge branch 'main' into 18845
breedx-splk Jun 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions ...rc/main/java/io/opentelemetry/javaagent/instrumentation/runtimetelemetry/JarAnalyzer.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -220,9 +220,9 @@ static void processUrl(Logger logger, URL archiveUrl) {
builder.put(PACKAGE_VERSION, jarDetails.version());
builder.put(PACKAGE_DESCRIPTION, jarDetails.packageDescription());

String packageChecksum = jarDetails.computeSha1();
String packageChecksum = jarDetails.computeSha256();
builder.put(PACKAGE_CHECKSUM, packageChecksum);
builder.put(PACKAGE_CHECKSUM_ALGORITHM, "SHA1");
builder.put(PACKAGE_CHECKSUM_ALGORITHM, "SHA-256");

logger
.logRecordBuilder()
Expand Down
45 changes: 28 additions & 17 deletions ...src/main/java/io/opentelemetry/javaagent/instrumentation/runtimetelemetry/JarDetails.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,6 @@

import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.net.URL;
import java.security.DigestInputStream;
import java.security.MessageDigest;
Expand All @@ -37,17 +36,18 @@ class JarDetails {
static final String JAR_EXTENSION = "jar";
static final String WAR_EXTENSION = "war";
static final String EAR_EXTENSION = "ear";
private static final char[] HEX_DIGITS = "0123456789abcdef".toCharArray();
private static final Map<String, String> EMBEDDED_FORMAT_TO_EXTENSION =
Stream.of(JAR_EXTENSION, WAR_EXTENSION, EAR_EXTENSION)
.collect(
collectingAndThen(
toMap(ext -> ('.' + ext + "!/"), identity()),
Collections::<String, String>unmodifiableMap));
private static final ThreadLocal<MessageDigest> sha1 =
private static final ThreadLocal<MessageDigest> sha256 =
ThreadLocal.withInitial(
() -> {
try {
return MessageDigest.getInstance("SHA1");
return MessageDigest.getInstance("SHA-256");
} catch (NoSuchAlgorithmException e) {
throw new IllegalStateException(e);
}
Expand All @@ -56,14 +56,14 @@ class JarDetails {
private final URL url;
@Nullable private final Properties pom;
@Nullable private final Manifest manifest;
private final String sha1Checksum;
private final String sha256Checksum;

private JarDetails(
URL url, @Nullable Properties pom, @Nullable Manifest manifest, String sha1Checksum) {
URL url, @Nullable Properties pom, @Nullable Manifest manifest, String sha256Checksum) {
this.url = url;
this.pom = pom;
this.manifest = manifest;
this.sha1Checksum = sha1Checksum;
this.sha256Checksum = sha256Checksum;
}

static JarDetails forUrl(URL url) throws IOException {
Expand All @@ -88,14 +88,14 @@ static JarDetails forUrl(URL url) throws IOException {
url,
getPom(jarFile, jarEntry),
getManifest(jarFile, jarEntry),
computeDigest(jarFile, jarEntry, sha1.get()));
computeDigest(jarFile, jarEntry, sha256.get()));
}
}
}
}
try (JarFile jarFile = new JarFile(UrlPaths.toFile(url))) {
return new JarDetails(
url, getPom(jarFile), getManifest(jarFile), computeDigest(url, sha1.get()));
url, getPom(jarFile), getManifest(jarFile), computeDigest(url, sha256.get()));
}
}

Expand Down Expand Up @@ -185,9 +185,9 @@ String packageDescription() {
return name + " by " + vendor;
}

/** Returns the SHA1 hash of this file, e.g. {@code 30d16ec2aef6d8094c5e2dce1d95034ca8b6cb42}. */
String computeSha1() {
return sha1Checksum;
/** Returns the lowercase hex-encoded SHA-256 digest of this file as a 64-character string. */
String computeSha256() {
return sha256Checksum;
}

private static String computeDigest(URL url, MessageDigest md) throws IOException {
Expand All @@ -205,12 +205,23 @@ private static String computeDigest(JarFile jarFile, JarEntry jarEntry, MessageD

private static String computeDigest(InputStream inputStream, MessageDigest md)
throws IOException {
md.reset();
DigestInputStream dis = new DigestInputStream(inputStream, md);
byte[] buffer = new byte[8192];
while (dis.read(buffer) != -1) {}
byte[] digest = md.digest();
return String.format(Locale.ROOT, "%040x", new BigInteger(1, digest));
try (DigestInputStream digestInputStream = new DigestInputStream(inputStream, md)) {
byte[] buffer = new byte[8192];
while (digestInputStream.read(buffer) != -1) {}
return toHex(md.digest());
} finally {
md.reset();
Comment thread
iblancasa marked this conversation as resolved.
}
}

static String toHex(byte[] bytes) {
char[] chars = new char[bytes.length * 2];
for (int i = 0; i < bytes.length; i++) {
int value = bytes[i] & 0xff;
chars[i * 2] = HEX_DIGITS[value >>> 4];
chars[i * 2 + 1] = HEX_DIGITS[value & 0x0f];
}
return new String(chars);
}

@Nullable
Expand Down
4 changes: 2 additions & 2 deletions ...io/opentelemetry/javaagent/instrumentation/runtimetelemetry/JarAnalyzerInstallerTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,10 +46,10 @@ void jarAnalyzerEnabled() {
logRecord ->
assertThat(logRecord.getAttributes())
.containsEntry("package.type", "jar")
.containsEntry("package.checksum_algorithm", "SHA1")
.containsEntry("package.checksum_algorithm", "SHA-256")
.hasEntrySatisfying(
stringKey("package.checksum"),
value -> assertThat(value).matches("[0-9a-f]{40}"))
value -> assertThat(value).matches("[0-9a-f]{64}"))
.hasEntrySatisfying(
stringKey("package.path"), value -> assertThat(value).isNotNull())
.satisfies(
Expand Down
25 changes: 15 additions & 10 deletions ...est/java/io/opentelemetry/javaagent/instrumentation/runtimetelemetry/JarAnalyzerTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,9 +71,10 @@ private static Stream<Arguments> processUrlArguments() {
.matches(
"opentelemetry-javaagent-runtime-telemetry-[0-9a-zA-Z-\\.]+\\.jar"))
.containsEntry(PACKAGE_DESCRIPTION, "javaagent by OpenTelemetry")
.containsEntry(PACKAGE_CHECKSUM_ALGORITHM, "SHA1")
.containsEntry(PACKAGE_CHECKSUM_ALGORITHM, "SHA-256")
.hasEntrySatisfying(
PACKAGE_CHECKSUM, checksum -> assertThat(checksum).isNotEmpty()))),
PACKAGE_CHECKSUM,
checksum -> assertThat(checksum).matches("[0-9a-f]{64}")))),
// dummy war
Arguments.of(
archiveUrl(new File(System.getenv("DUMMY_APP_WAR"))),
Expand All @@ -83,9 +84,10 @@ private static Stream<Arguments> processUrlArguments() {
.containsEntry(PACKAGE_TYPE, "war")
.containsEntry(PACKAGE_PATH, "app.war")
.containsEntry(PACKAGE_DESCRIPTION, "Dummy App by OpenTelemetry")
.containsEntry(PACKAGE_CHECKSUM_ALGORITHM, "SHA1")
.containsEntry(PACKAGE_CHECKSUM_ALGORITHM, "SHA-256")
.hasEntrySatisfying(
PACKAGE_CHECKSUM, checksum -> assertThat(checksum).isNotEmpty()))),
PACKAGE_CHECKSUM,
checksum -> assertThat(checksum).matches("[0-9a-f]{64}")))),
// io.opentelemetry:opentelemetry-api
Arguments.of(
archiveUrl(Tracer.class),
Expand All @@ -99,9 +101,10 @@ private static Stream<Arguments> processUrlArguments() {
assertThat(path)
.matches("opentelemetry-api-[0-9a-zA-Z-\\.]+\\.jar"))
.containsEntry(PACKAGE_DESCRIPTION, "all")
.containsEntry(PACKAGE_CHECKSUM_ALGORITHM, "SHA1")
.containsEntry(PACKAGE_CHECKSUM_ALGORITHM, "SHA-256")
.hasEntrySatisfying(
PACKAGE_CHECKSUM, checksum -> assertThat(checksum).isNotEmpty()))),
PACKAGE_CHECKSUM,
checksum -> assertThat(checksum).matches("[0-9a-f]{64}")))),
// org.springframework:spring-webmvc
Arguments.of(
archiveUrl(HttpRequest.class),
Expand All @@ -115,9 +118,10 @@ private static Stream<Arguments> processUrlArguments() {
PACKAGE_PATH,
path -> assertThat(path).matches("spring-web-[0-9a-zA-Z-\\.]+\\.jar"))
.containsEntry(PACKAGE_DESCRIPTION, "org.springframework.web")
.containsEntry(PACKAGE_CHECKSUM_ALGORITHM, "SHA1")
.containsEntry(PACKAGE_CHECKSUM_ALGORITHM, "SHA-256")
.hasEntrySatisfying(
PACKAGE_CHECKSUM, checksum -> assertThat(checksum).isNotEmpty()))),
PACKAGE_CHECKSUM,
checksum -> assertThat(checksum).matches("[0-9a-f]{64}")))),
// com.google.guava:guava
Arguments.of(
archiveUrl(ImmutableMap.class),
Expand All @@ -131,9 +135,10 @@ private static Stream<Arguments> processUrlArguments() {
.containsEntry(PACKAGE_NAME, "com.google.guava:guava")
.hasEntrySatisfying(
PACKAGE_VERSION, version -> assertThat(version).isNotEmpty())
.containsEntry(PACKAGE_CHECKSUM_ALGORITHM, "SHA1")
.containsEntry(PACKAGE_CHECKSUM_ALGORITHM, "SHA-256")
.hasEntrySatisfying(
PACKAGE_CHECKSUM, checksum -> assertThat(checksum).isNotEmpty()))));
PACKAGE_CHECKSUM,
checksum -> assertThat(checksum).matches("[0-9a-f]{64}")))));
}

private static URL archiveUrl(File file) {
Expand Down
12 changes: 9 additions & 3 deletions ...test/java/io/opentelemetry/javaagent/instrumentation/runtimetelemetry/JarDetailsTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@

package io.opentelemetry.javaagent.instrumentation.runtimetelemetry;

import static java.nio.charset.StandardCharsets.UTF_8;
import static org.assertj.core.api.Assertions.assertThat;

import java.io.ByteArrayOutputStream;
Expand All @@ -21,6 +22,11 @@

class JarDetailsTest {

@Test
void toHex_encodesBytes() {
assertThat(JarDetails.toHex("hello".getBytes(UTF_8))).isEqualTo("68656c6c6f");
}

@Test
void forUrl_handlesPathWithSpaces(@TempDir Path tempDir) throws IOException {
Path dirWithSpaces = Files.createDirectories(tempDir.resolve("dir with spaces"));
Expand All @@ -33,7 +39,7 @@ void forUrl_handlesPathWithSpaces(@TempDir Path tempDir) throws IOException {
JarDetails details = JarDetails.forUrl(url);

assertThat(details.packageDescription()).isEqualTo("Test Title by Test Vendor");
assertThat(details.computeSha1()).isNotEmpty();
assertThat(details.computeSha256()).matches("[0-9a-f]{64}");
}

@Test
Expand All @@ -59,7 +65,7 @@ void forUrl_handlesEmbeddedJar(@TempDir Path tempDir) throws IOException {
JarDetails details = JarDetails.forUrl(url);

assertThat(details.packageDescription()).isEqualTo("Inner Title by Inner Vendor");
assertThat(details.computeSha1()).isNotEmpty();
assertThat(details.computeSha256()).matches("[0-9a-f]{64}");
}

@Test
Expand All @@ -86,7 +92,7 @@ void forUrl_handlesEmbeddedJarWithSpaces(@TempDir Path tempDir) throws IOExcepti
JarDetails details = JarDetails.forUrl(url);

assertThat(details.packageDescription()).isEqualTo("Inner Title by Inner Vendor");
assertThat(details.computeSha1()).isNotEmpty();
assertThat(details.computeSha256()).matches("[0-9a-f]{64}");
}

private static Manifest manifest(String title, String vendor) {
Expand Down
Loading