Add X-Checksum-SHA256 header to Generic Package downloads

Tim Rizzirequested to merge
add-checksum-headers-generic-packages into master

What does this MR do and why?

Related to: #578765

Problem

Users need a way to verify file integrity when downloading files from the Generic Package Repository by accessing SHA256 checksums. Currently, the Generic Package Repository doesn't provide APIs or UI elements to access file checksums for verification purposes.

Solution

This MR adds X-Checksum-SHA256 response headers to Generic Package file downloads, allowing users to verify file integrity directly from download responses.

Changes

Core Implementation

  • Modified present_package_file! helper to include X-Checksum-SHA256 header in download responses

  • Enhanced present_carrierwave_file! helper to include checksums in redirect URL parameters for direct downloads

  • Added checksum support for Workhorse proxy downloads

Testing

  • Added comprehensive test coverage for checksum headers in all download scenarios

  • Added tests for object storage (direct download and proxy download)

  • Added tests for different authentication methods (PAT, deploy token, job token)

  • Added edge case tests for files without checksums

Documentation

  • Updated user documentation with checksum verification examples

  • Added CI/CD integration examples for automated verification

  • Added shell script examples for manual verification

Technical Details

Files Modified:

  • lib/api/helpers/packages_helpers.rb - Added checksum header logic

  • lib/api/helpers.rb - Added checksum to redirect parameters

  • spec/requests/api/generic_packages_spec.rb - Added checksum tests

  • spec/lib/api/helpers_spec.rb - Added helper method tests

  • doc/user/packages/generic_packages/_index.md - Added verification documentation

How it works:

  1. When a file is uploaded, GitLab already calculates and stores the SHA256 checksum

  2. When downloading, the checksum is included in the X-Checksum-SHA256 response header

  3. For direct downloads (object storage), checksums are included in redirect URL parameters

  4. For proxy downloads, checksums are included in Workhorse response headers

Acceptance Criteria

  • File downloads from Generic Package Repository include checksum in response headers

  • Users can programmatically access file checksums for verification

  • Documentation is updated to explain checksum verification process

  • API endpoints that list files with their checksums (already existed)

Merge request reports