add explicit check that hash is set for components

dmcilvaney · dmcilvaney · commit 94e19ff83117 · 2026-04-10T15:26:37.000-07:00
diff --git a/internal/fingerprint/fingerprint.go b/internal/fingerprint/fingerprint.go
@@ -73,7 +73,18 @@ func ComputeIdentity(
 		DistroVersion:      distroRef.Version,
 	}
 
-	// 1. Hash the resolved config struct (excluding fingerprint:"-" fields).
+	// 1. Verify all source files have a hash. Without a hash the fingerprint
+	//    cannot detect content changes, so we refuse to compute one.
+	for i := range component.SourceFiles {
+		if component.SourceFiles[i].Hash == "" {
+			return nil, fmt.Errorf(
+				"source file %#q has no hash; cannot compute a deterministic fingerprint",
+				component.SourceFiles[i].Filename,
+			)
+		}
+	}
+
+	// 2. Hash the resolved config struct (excluding fingerprint:"-" fields).
 	configHash, err := hashstructure.Hash(component, hashstructure.FormatV2, &hashstructure.HashOptions{
 		TagName: hashstructureTagName,
 	})
@@ -83,15 +94,15 @@ func ComputeIdentity(
 
 	inputs.ConfigHash = configHash
 
-	// 2. Hash overlay source file contents.
+	// 3. Hash overlay source file contents.
 	overlayHashes, err := hashOverlayFiles(fs, component.Overlays)
 	if err != nil {
 		return nil, fmt.Errorf("hashing overlay files:\n%w", err)
 	}
 
 	inputs.OverlayFileHashes = overlayHashes
 
-	// 3. Combine all inputs into the overall fingerprint.
+	// 4. Combine all inputs into the overall fingerprint.
 	return &ComponentIdentity{
 		Fingerprint: combineInputs(inputs),
 		Inputs:      inputs,
diff --git a/internal/fingerprint/fingerprint_test.go b/internal/fingerprint/fingerprint_test.go
@@ -368,6 +368,26 @@ func TestComputeIdentity_SourceFileOriginExcluded(t *testing.T) {
 	assert.Equal(t, fp1, fp2, "changing source file origin URL must NOT change fingerprint")
 }
 
+func TestComputeIdentity_SourceFileNoHash_Error(t *testing.T) {
+	ctx := newTestFS(t, map[string]string{
+		"/specs/test.spec": "Name: testpkg\nVersion: 1.0",
+	})
+
+	comp := baseComponent()
+	comp.SourceFiles = []projectconfig.SourceFileReference{
+		{
+			Filename: "source.tar.gz",
+			Origin:   projectconfig.Origin{Type: "download", Uri: "https://example.com/source.tar.gz"},
+		},
+	}
+	distro := baseDistroRef()
+
+	_, err := fingerprint.ComputeIdentity(ctx.FS(), comp, distro, fingerprint.IdentityOptions{})
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "source.tar.gz")
+	assert.Contains(t, err.Error(), "no hash")
+}
+
 func TestComputeIdentity_InputsBreakdown(t *testing.T) {
 	ctx := newTestFS(t, map[string]string{
 		"/specs/test.spec":   "Name: testpkg\nVersion: 1.0",
