Add instructions to verify integrity-hash (#3841)

* Add instructions to verify integrity-hash * Add recursive flag to instructions
MyCryptoHQ · Mar 1, 2021 · 37c8497 · 37c8497
1 parent edb78a9
commit 37c8497
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -106,3 +106,23 @@ Finally, since User privacy is part of our core values, we also take special car
 - Every analytics call is sent to a MYC hosted reverse-proxy, strip of the users ip address and browser fingerprint before being forwarded to the data-warehouse (in this case )
 
 - never sending an ETH address or Transaction hash to our analytics warehouse.
+
+## Dependency verification.
+
+The integrity hash is generated by base64 encoding the sha512 binary digest:
+
+```
+  openssl dgst -binary -sha512 <dependency>.tgz | openssl base64
+```
+
+The best way to verify the integrity hash of a `yarn.lock` is to compare the integrity hashes. This may be done manually.
+
+1. Download tgz from yarnpkg host
+2. Generate integrity hash for it (sha512 base64)
+3. Unpackage tgz
+4. Download files from Github at relevant tag
+5. Diff the files from Github and the files from the unpackages tgz
+
+   ```
+     $ diff -r node_modules/<depedency> tmp/<downloaded_dependency>
+   ```