impl: stream into sha256 (#15)

* impl: stream into sha256

Signed-off-by: William Woodruff <william@trailofbits.com>

* test_impl: add a JSON loads test

Signed-off-by: William Woodruff <william@trailofbits.com>

* fixup! impl: stream into sha256

---------

Signed-off-by: William Woodruff <william@trailofbits.com>
Co-authored-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>

Author: woodruffw

src/pypi_attestation_models/_impl.py

@@ -7,7 +7,6 @@
 
 import binascii
 from base64 import b64decode, b64encode
-from hashlib import sha256
 from typing import TYPE_CHECKING, Annotated, Any, Literal, NewType
 
 import rfc8785
@@ -17,6 +16,7 @@
 from cryptography.hazmat.primitives import serialization
 from pydantic import BaseModel
 from pydantic_core import ValidationError
+from sigstore._utils import _sha256_streaming
 from sigstore.models import Bundle, LogEntry
 
 if TYPE_CHECKING:
@@ -116,9 +116,14 @@ class AttestationPayload(BaseModel):
     @classmethod
     def from_dist(cls, dist: Path) -> AttestationPayload:
         """Create an `AttestationPayload` from a distribution file."""
+        with dist.open(mode="rb", buffering=0) as io:
+            # Replace this with `hashlib.file_digest()` once
+            # our minimum supported Python is >=3.11
+            digest = _sha256_streaming(io).hex()
+
         return AttestationPayload(
             distribution=dist.name,
-            digest=sha256(dist.read_bytes()).hexdigest(),
+            digest=digest,
         )
 
     def sign(self, signer: Signer) -> Attestation:

test/test_impl.py

@@ -160,3 +160,4 @@ def test_attestation_payload(self) -> None:
         expected = f'{{"digest":"{payload.digest}","distribution":"{payload.distribution}"}}'
 
         assert bytes(payload) == bytes(expected, "utf-8")
+        assert json.loads(bytes(payload)) == json.loads(expected)