I have a somewhat in-depth question about the dotnet core .deps.json file that is created when the project is being built.
We are building the project on 2 different machines, and when comparing the .deps.json files generated on the machines all rows are the same except for the sha512 properties on some of the entities in the “libraries” part of the json object.
    "libraries": {
        "App.Metrics/3.0.0": {
            "type": "package",
            "serviceable": true,
            "sha512": "sha512-lU4mow+EjnD86gRQUGyiVfqoURXQuXdgJHAdqJxqhujUs1ItAZJNlQxQmswZsYmYfsrrrq3hswTXAutOdsQGMQ==",
            "path": "app.metrics/3.0.0",
            "hashPath": "app.metrics.3.0.0.nupkg.sha512"
        },
        "App.Metrics.Abstractions/3.0.0": {
            "type": "package",
            "serviceable": true,
            "sha512": "sha512-5X12M6AzBuJUE1LjRXrOo5HnbekICFd7/8A0L0IEe021P2EVEyxbeOZLOKloGwUiTlJ6Uic/K130CI/kylyvFg==",
            "path": "app.metrics.abstractions/3.0.0",
            "hashPath": "app.metrics.abstractions.3.0.0.nupkg.sha512"
        }
        .......
I need help figuring out why these hashes differ depending on the machine that builds the project.
It is worth mentioning that the builds are made through a TeamCity BuildAgent using the same dotnet versions on both machines. The only visible difference between the 2 machines is the absolute path to the work directory for the application, not visible in .deps.json.
So, in short: What are the sha512 and hashPath properties for in the .deps.json file and how are they generated?
I figured it out.
The sha512 property is a hashed version of the absolute path to the location of the NuGet package in the local NuGet cache. This means that if two different users are building the project these values can differ between builds, since the NuGet cache is normally located in the current user’s home folder.
I basically needed to explain this difference to our compliance team and make sure that the sha512 property did not represent some sort of checksum for the NuGet package or its integrity.
I will keep the thread in the hope that it will be useful for other users ending up with the same questions in the future.
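For anyone who has to document such a difference, the following is an added example and not part of the original thread: a small Python check that lists which "libraries" entries disagree between two .deps.json files and tests which candidate input reproduces a recorded sha512 value. The library names, cache path and package bytes are constructed placeholders, and the sample is built so that one candidate matches.

```python
import base64
import hashlib
import json

def sri_sha512(data: bytes) -> str:
    """SHA-512 of data written like the field: 'sha512-' + base64(digest)."""
    digest = hashlib.sha512(data).digest()
    return "sha512-" + base64.b64encode(digest).decode("ascii")

def library_hashes(deps_json_text: str) -> dict:
    """Map 'Name/Version' to the recorded sha512 of every package entry."""
    libraries = json.loads(deps_json_text).get("libraries", {})
    return {name: entry.get("sha512", "")
            for name, entry in libraries.items()
            if entry.get("type") == "package"}

def diff_hashes(deps_a: str, deps_b: str) -> list:
    """List (library, value_a, value_b) wherever the two files disagree."""
    a, b = library_hashes(deps_a), library_hashes(deps_b)
    return [(name, a.get(name), b.get(name))
            for name in sorted(a.keys() | b.keys())
            if a.get(name) != b.get(name)]

def matching_inputs(recorded: str, candidates: dict) -> list:
    """Labels of the candidate inputs whose SHA-512 equals the recorded value."""
    return [label for label, data in candidates.items()
            if sri_sha512(data) == recorded]

# Constructed sample data (not real build output); all names are hypothetical.
PKG_BYTES = b"constructed stand-in for the bytes of a .nupkg file"
CACHE_PATH = "/home/agent1/.nuget/packages/example.lib/1.0.0"

def make_deps(hash_value: str) -> str:
    """Build a minimal .deps.json text with one project and one package."""
    return json.dumps({"libraries": {
        "Example.App/1.0.0": {"type": "project", "sha512": ""},
        "Example.Lib/1.0.0": {"type": "package", "sha512": hash_value,
                              "hashPath": "example.lib.1.0.0.nupkg.sha512"}}})

DEPS_A = make_deps(sri_sha512(PKG_BYTES))
DEPS_B = make_deps(sri_sha512(PKG_BYTES + b" (changed)"))
CANDIDATES = {"package bytes": PKG_BYTES, "cache path": CACHE_PATH.encode()}

if __name__ == "__main__":
    for name, a, b in diff_hashes(DEPS_A, DEPS_B):
        print(name, "differs; A matches:", matching_inputs(a, CANDIDATES))
```

To run it on real builds, pass the text of the two generated .deps.json files to `diff_hashes` and fill the candidates with the bytes of the cached package file and the encoded cache path from the machine in question.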