From 7c8964f8fadb54d86cb3f0613581206084e30cd7 Mon Sep 17 00:00:00 2001 From: DevITWay | Pavel Volkov Date: Tue, 31 Mar 2026 22:36:29 +0300 Subject: [PATCH] =?UTF-8?q?fix(deps):=20update=20sha2=200.10=E2=86=920.11,?= =?UTF-8?q?=20hmac=200.12=E2=86=920.13=20(#75)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Breaking API changes in digest crate ecosystem: - sha2 digest returns Array instead of GenericArray - Replace format!("{:x}", digest) with hex::encode(digest) - Add digest::KeyInit trait import for Hmac - Update all hash formatting in docker, npm, s3, tokens --- Cargo.lock | 104 +++++++++++++++++++++++---- Cargo.toml | 4 +- nora-registry/src/registry/docker.rs | 12 ++-- nora-registry/src/registry/npm.rs | 6 +- nora-registry/src/storage/s3.rs | 11 +-- nora-registry/src/tokens.rs | 2 +- 6 files changed, 111 insertions(+), 28 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 0c0cfbc..43b2a1a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -105,7 +105,7 @@ checksum = "3c3610892ee6e0cbce8ae2700349fcf8f98adb0dbfbee85aec3c9179d29cc072" dependencies = [ "base64ct", "blake2", - "cpufeatures", + "cpufeatures 0.2.17", "password-hash", ] @@ -231,7 +231,7 @@ version = "0.10.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "46502ad458c9a52b69d4d4d32775c788b7a1b85e8bc9d482d92250fc0e3f8efe" dependencies = [ - "digest", + "digest 0.10.7", ] [[package]] @@ -243,6 +243,15 @@ dependencies = [ "generic-array", ] +[[package]] +name = "block-buffer" +version = "0.12.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cdd35008169921d80bc60d3d0ab416eecb028c4cd653352907921d95084790be" +dependencies = [ + "hybrid-array", +] + [[package]] name = "blowfish" version = "0.9.1" 
@@ -315,7 +324,7 @@ version = "0.4.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "773f3b9af64447d2ce9850330c473515014aa235e6a783b02db81ff39e4a3dad" dependencies = [ - "crypto-common", + "crypto-common 0.1.7", "inout", ] @@ -359,6 +368,12 @@ version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3a822ea5bc7590f9d40f1ba12c0dc3c2760f3482c6984db1573ad11031420831" +[[package]] +name = "cmov" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "de0758edba32d61d1fd9f4d69491b47604b91ee2f7e6b33de7e54ca4ebe55dc3" + [[package]] name = "colorchoice" version = "1.0.4" @@ -378,6 +393,12 @@ dependencies = [ "windows-sys 0.61.2", ] +[[package]] +name = "const-oid" +version = "0.10.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a6ef517f0926dd24a1582492c791b6a4818a4d94e789a334894aa15b0d12f55c" + [[package]] name = "core-foundation-sys" version = "0.8.7" @@ -393,6 +414,15 @@ dependencies = [ "libc", ] +[[package]] +name = "cpufeatures" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8b2a41393f66f16b0823bb79094d54ac5fbd34ab292ddafb9a0456ac9f87d201" +dependencies = [ + "libc", +] + [[package]] name = "crc32fast" version = "1.5.0" @@ -418,6 +448,24 @@ dependencies = [ "typenum", ] +[[package]] +name = "crypto-common" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "77727bb15fa921304124b128af125e7e3b968275d1b108b379190264f4423710" +dependencies = [ + "hybrid-array", +] + +[[package]] +name = "ctutils" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1005a6d4446f5120ef475ad3d2af2b30c49c2c9c6904258e3bb30219bebed5e4" +dependencies = [ + "cmov", +] + [[package]] name = "dashmap" version = "6.1.0" 
@@ -467,11 +515,23 @@ version = "0.10.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292" dependencies = [ - "block-buffer", - "crypto-common", + "block-buffer 0.10.4", + "crypto-common 0.1.7", "subtle", ] +[[package]] +name = "digest" +version = "0.11.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4850db49bf08e663084f7fb5c87d202ef91a3907271aff24a94eb97ff039153c" +dependencies = [ + "block-buffer 0.12.0", + "const-oid", + "crypto-common 0.2.1", + "ctutils", +] + [[package]] name = "displaydoc" version = "0.2.5" @@ -809,11 +869,11 @@ checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70" [[package]] name = "hmac" -version = "0.12.1" +version = "0.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e" +checksum = "6303bc9732ae41b04cb554b844a762b4115a61bfaa81e3e83050991eeb56863f" dependencies = [ - "digest", + "digest 0.11.2", ] [[package]] @@ -861,6 +921,15 @@ version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9" +[[package]] +name = "hybrid-array" +version = "0.4.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3944cf8cf766b40e2a1a333ee5e9b563f854d5fa49d6a8ca2764e97c6eddb214" +dependencies = [ + "typenum", +] + [[package]] name = "hyper" version = "1.8.1" @@ -1326,7 +1395,7 @@ dependencies = [ "reqwest", "serde", "serde_json", - "sha2", + "sha2 0.11.0", "tar", "tempfile", "thiserror 2.0.18", @@ -1796,7 +1865,7 @@ version = "8.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5bcdef0be6fe7f6fa333b1073c949729274b05f123a0ad7efcb8efd878e5c3b1" dependencies = [ - "sha2", + "sha2 0.10.9", "walkdir", ] 
@@ -1969,8 +2038,19 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283" dependencies = [ "cfg-if", - "cpufeatures", - "digest", + "cpufeatures 0.2.17", + "digest 0.10.7", +] + +[[package]] +name = "sha2" +version = "0.11.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "446ba717509524cb3f22f17ecc096f10f4822d76ab5c0b9822c5f9c284e825f4" +dependencies = [ + "cfg-if", + "cpufeatures 0.3.0", + "digest 0.11.2", ] [[package]] diff --git a/Cargo.toml b/Cargo.toml index c858f6d..c0105e0 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -21,7 +21,7 @@ serde_json = "1" tracing = "0.1" tracing-subscriber = { version = "0.3", features = ["env-filter", "json"] } reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] } -sha2 = "0.10" +sha2 = "0.11" async-trait = "0.1" -hmac = "0.12" +hmac = "0.13" hex = "0.4" diff --git a/nora-registry/src/registry/docker.rs b/nora-registry/src/registry/docker.rs index 27ebcc4..799b0f7 100644 --- a/nora-registry/src/registry/docker.rs +++ b/nora-registry/src/registry/docker.rs @@ -488,7 +488,7 @@ async fn upload_blob( // Verify digest matches uploaded content (Docker Distribution Spec) { use sha2::Digest as _; - let computed = format!("sha256:{:x}", sha2::Sha256::digest(&data)); + let computed = format!("sha256:{}", hex::encode(sha2::Sha256::digest(&data))); if computed != *digest { tracing::warn!( expected = %digest, @@ -564,7 +564,7 @@ async fn get_manifest( // Calculate digest for Docker-Content-Digest header use sha2::Digest; - let digest = format!("sha256:{:x}", sha2::Sha256::digest(&data)); + let digest = format!("sha256:{}", hex::encode(sha2::Sha256::digest(&data))); // Detect manifest media type from content let content_type = detect_manifest_media_type(&data); 
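Review bot: The expression `format!("sha256:{}", hex::encode(sha2::Sha256::digest(..)))` in upload_blob is repeated in every docker.rs hunk of this patch (three times in get_manifest, once each in put_manifest and delete_manifest), and the copy here is the one that gates acceptance through `computed != *digest`. One private helper in docker.rs, called as `let computed = sha256_digest(&data);`, would stop the verification path and the Docker-Content-Digest header path from drifting apart at the next digest-crate upgrade; tokens.rs already wraps its hashing in `sha256_hex`. `hex::encode` emits lowercase hex, so the string comparison behaves as before, but a comment on the helper saying that the comparison relies on lowercase output would make that dependency explicit. upload_blob starts and ends outside the hunk.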
@@ -614,7 +614,7 @@ async fn get_manifest( // Calculate digest for Docker-Content-Digest header use sha2::Digest; - let digest = format!("sha256:{:x}", sha2::Sha256::digest(&data)); + let digest = format!("sha256:{}", hex::encode(sha2::Sha256::digest(&data))); // Cache manifest and create metadata (fire and forget) let storage = state.storage.clone(); @@ -684,7 +684,7 @@ async fn get_manifest( )); use sha2::Digest; - let digest = format!("sha256:{:x}", sha2::Sha256::digest(&data)); + let digest = format!("sha256:{}", hex::encode(sha2::Sha256::digest(&data))); // Cache under original name for future local hits let storage = state.storage.clone(); @@ -726,7 +726,7 @@ async fn put_manifest( // Calculate digest use sha2::Digest; - let digest = format!("sha256:{:x}", sha2::Sha256::digest(&body)); + let digest = format!("sha256:{}", hex::encode(sha2::Sha256::digest(&body))); // Store by tag/reference let key = format!("docker/{}/manifests/{}.json", name, reference); @@ -819,7 +819,7 @@ async fn delete_manifest( if is_tag { if let Ok(data) = state.storage.get(&key).await { use sha2::Digest; - let digest = format!("sha256:{:x}", sha2::Sha256::digest(&data)); + let digest = format!("sha256:{}", hex::encode(sha2::Sha256::digest(&data))); let digest_key = format!("docker/{}/manifests/{}.json", name, digest); let _ = state.storage.delete(&digest_key).await; let digest_meta = format!("docker/{}/manifests/{}.meta.json", name, digest); diff --git a/nora-registry/src/registry/npm.rs b/nora-registry/src/registry/npm.rs index a8194ec..ee3f53f 100644 --- a/nora-registry/src/registry/npm.rs +++ b/nora-registry/src/registry/npm.rs @@ -107,7 +107,7 @@ async fn handle_request(State(state): State>, Path(path): Path>, Path(path): Path bool { fn sha256_hex(input: &str) -> String { let mut hasher = Sha256::new(); hasher.update(input.as_bytes()); - format!("{:x}", hasher.finalize()) + hex::encode(hasher.finalize()) } /// Set file permissions to 600 (owner read/write only)
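Review bot: In the get_manifest hunk at -614 the computed digest feeds the header and the manifest is then cached, but the visible lines never compare it with the reference the client asked for. If this branch serves bytes fetched from an upstream registry (the "Cache manifest" comment suggests so) and the request was by digest, the content should be rejected before the cache write when it does not hash to that digest, e.g. `if reference.starts_with("sha256:") && reference != digest { /* return an error, skip caching */ }`, assuming the path parameter is named `reference` as in put_manifest. The same applies to the hunk at -684, which caches under the original name. The check may already exist outside these hunks, since get_manifest's body is only partly visible.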
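Review bot: In delete_manifest the result of `state.storage.delete(&digest_key).await` is discarded with `let _ =`, and the outer `if let Ok(data)` silently skips the digest cleanup when the tag read fails. A failure on either path leaves the digest-addressed copy in storage, where it would presumably stay pullable by digest after the tag was deleted. At minimum record it, e.g. `if let Err(e) = state.storage.delete(&digest_key).await { tracing::warn!(key = %digest_key, error = ?e, "digest manifest delete failed"); }`, assuming the storage error implements Debug. The function continues past the end of the hunk.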