feat (extraction): Add checksums for wheel content verification

[nicholasjng]

This skips persistence to disk (and subsequently the audit) of wheels whose PyPI-reported SHA256 checksum is different from the one computed of the downloaded wheel blob.

---

Patching the check in _extract.py:L292 to some bogus value produces warnings of this sort:

$ abi3audit -v google-benchmark==1.9.1
[11:38:59] ⚠ skipping audit of google_benchmark-1.9.1-cp312-abi3-macosx_10_14_x86_64.whl: checksum mismatch (expected                                                           
           sha256-05567e624554ea9423c5b716ba59452f702d7b55bac1662df372c7c87325ceed, got sha256-05567e624554ea9423c5b716ba59452f702d7b55bac1662df372c7c87325ceed)                
           ⚠ skipping audit of google_benchmark-1.9.1-cp312-abi3-macosx_11_0_arm64.whl: checksum mismatch (expected                                                             
           sha256-155d0481f53bfc3edead4a820d80ce5a92eba8a2cfe0c8dd8bf428bf22428592, got sha256-155d0481f53bfc3edead4a820d80ce5a92eba8a2cfe0c8dd8bf428bf22428592)                
           ⚠ skipping audit of google_benchmark-1.9.1-cp312-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl: checksum mismatch (expected                                  
           sha256-c40875f38f82fdb7bce7df58066fdc6554786b266b914a24b8f074a6d9abb813, got sha256-c40875f38f82fdb7bce7df58066fdc6554786b266b914a24b8f074a6d9abb813)                
           ⚠ skipping audit of google_benchmark-1.9.1-cp312-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl: checksum mismatch (expected                                    
           sha256-e651ecbb19f8506a4a15f17f1c5265f01644556486da17e6f211bcd3bb36ba69, got sha256-e651ecbb19f8506a4a15f17f1c5265f01644556486da17e6f211bcd3bb36ba69)                
           ⚠ skipping audit of google_benchmark-1.9.1-cp312-abi3-win_amd64.whl: checksum mismatch (expected                                                                     
           sha256-b2326fc202dd94031fcbfd96bb6c35f7fd30a152d9a4dec56926688567041dd5, got sha256-b2326fc202dd94031fcbfd96bb6c35f7fd30a152d9a4dec56926688567041dd5)                
           🤷 nothing auditable found in google-benchmark==1.9.1

Notice the "nothing auditable found" afterwards, indicating that no wheel was discovered. Sometimes I wish for more accurate errors, especially due to the "noexcept" architecture of the PyPIExtractor iteration method, but I'm not sure how to best go about this. I'll figure something out!

[woodruffw]

Apologies if I'm missing something, but what's the use case for this? abi3audit isn't intended to be a general-purpose "something's wrong with this wheel" tool, so I'm wondering if this creeps a little too far in that direction.

[nicholasjng]

Sure, I just thought there might be value in verifying the integrity of wheel downloads, since I saw that in a couple of places (Bazel most notably). If that's unnecessary, I can just close this.

[woodruffw]

I agree that there's value for an installing client, but I think in the case of abi3audit it adds runtime cost without immediate benefit for the tool's main purpose (catching ABI3 violations) 🙂

Assuming it's not already there, this might be a good feature for auditwheel, though? They might not want the index-hash verification part, but I could see a cross-check of the hashes in RECORD being very useful.

[nicholasjng]

Nice, I'll check that out. Thanks!