@FrederikBolding FrederikBolding commented Dec 17, 2025

Use sha256 utility from metamask/utils which has the same implementation.


Note

Switch hashing to @metamask/utils sha256 in signing and verification, removing fallback logic/tests and bumping the utils dependency.

  • Crypto/Verification:
    • Replace custom/@noble/hashes SHA-256 with sha256 from @metamask/utils in src/verify.ts and scripts/sign-registry.ts.
    • Remove internal sha256 helper and noble imports; adjust signing to hash file bytes before secp256k1.sign.
  • Tests:
    • Delete fallback digest tests; retain signature validity tests in src/verify.test.ts.
  • Dependencies:
    • Bump @metamask/utils to ^11.9.0.
    • Remove @noble/hashes from dependencies and update lockfile.

Written by Cursor Bugbot for commit 19c4a7d. This will update automatically on new commits. Configure here.

@FrederikBolding FrederikBolding requested a review from a team as a code owner December 17, 2025 14:52
socket-security bot commented Dec 17, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Updated | @metamask/utils@11.4.0 ⏵ 11.9.0 | 99 | 100 | 94 +1 | 88 -4 | 100 |

View full report


const registry = await fs.readFile(registryPath);

const hash = await sha256(new Uint8Array(registry));
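
Review bot: on the `sha256(new Uint8Array(registry))` line, `registry` is already a Uint8Array if `fs` is Node's promise-based fs module, because `readFile` without an encoding returns a Buffer, so the wrapper makes a second in-memory copy of the file before hashing. If the copy is deliberate, for example because the hashing utility needs a plain Uint8Array rather than a Buffer, a one-line comment saying so would keep it from being dropped later; if the utility accepts a Buffer, passing `registry` directly avoids the copy.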
Member Author


I have verified locally that this produces the same signature as the previous implementation
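
The kind of equivalence check the comment above describes, as an added example (not code from this pull request or from @metamask/utils): it hashes constructed inputs with two SHA-256 backends and compares the digests, including a Buffer view with a non-zero offset. Node's WebCrypto and `createHash` stand in, as assumptions, for the new and old implementations, and all function names are hypothetical.

```javascript
// Added example: Node's WebCrypto and createHash stand in (as assumptions) for
// the "new" and "old" SHA-256 backends. None of this is the project's code.
const nodeCrypto = () => import('node:crypto'); // works from CommonJS and ESM

const toHex = (bytes) => Buffer.from(bytes).toString('hex');

async function digestWebCrypto(bytes) {
  const { webcrypto } = await nodeCrypto();
  return toHex(new Uint8Array(await webcrypto.subtle.digest('SHA-256', bytes)));
}

async function digestCreateHash(bytes) {
  const { createHash } = await nodeCrypto();
  return toHex(createHash('sha256').update(bytes).digest());
}

// Constructed inputs. `slice` is a Buffer view that starts at a non-zero offset
// inside a larger backing ArrayBuffer, as file and network buffers often do.
function sampleInputs() {
  const padded = Buffer.from('xx{"registry":"constructed sample"}yy');
  return {
    empty: new Uint8Array(0),
    abc: new TextEncoder().encode('abc'),
    slice: padded.subarray(2, padded.length - 2),
  };
}

// Hash every input with both backends and record whether the digests agree.
async function compareBackends() {
  const report = {};
  for (const [name, bytes] of Object.entries(sampleInputs())) {
    const viaWebCrypto = await digestWebCrypto(new Uint8Array(bytes));
    const viaCreateHash = await digestCreateHash(bytes);
    report[name] = { hex: viaWebCrypto, match: viaWebCrypto === viaCreateHash };
  }
  return report;
}

// Pitfall: hashing `view.buffer` covers the whole backing store, not the view,
// so the digest (and any signature over it) no longer matches the data.
async function backingBufferDigestMatches() {
  const { slice } = sampleInputs();
  const correct = await digestCreateHash(slice);
  const wrong = await digestCreateHash(new Uint8Array(slice.buffer));
  return correct === wrong;
}
```

Because a signature covers the digest, a mismatch on any input here would mean registries signed with one backend fail verification with the other.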


@cryptodev-2s cryptodev-2s left a comment


LGTM!

@FrederikBolding FrederikBolding enabled auto-merge (squash) December 17, 2025 15:02
@FrederikBolding FrederikBolding merged commit b3566c1 into main Dec 17, 2025
22 checks passed
@FrederikBolding FrederikBolding deleted the fb/use-sha256-util branch December 17, 2025 15:03